Summary of VBS/TonFun.A

Length: 1647 bytes
Discovered: 17 Mar 2003
Definition files: 20 Mar 2003
Risk Level: Low
Distribution: Low
Payload: Depending on certain factors, this trojan tries to inject an automatic "format c:" command into autoexec.bat, which can lead to data loss.

Brief Description
VBS/TonFun.A is a trojan written in Visual Basic Script, targeting Y!Tunnel/Y!Tunnel Pro users.
Y!Tunnel is a free add-on for Yahoo! Messenger aiming to protect Messenger users from abusive and malicious chatroom activity.
VBS/TonFun.A can distribute itself through file-sharing programs, such as Kazaa, Kazaa Lite and Grokster, by placing a copy of itself in the shared folders used by those programs under the name "Ytunnel Pro Crack" with the double extension .exe.vbs.

Technical Description
The first thing this trojan does is check whether any of the following directories exists:
"C:\Program Files\Kazaa\My Shared Folder"
"C:\Program Files\KaZaA Lite\My Shared Folder"
"C:\Program Files\Grokster\My Grokster"
If any of these directories exist, the trojan copies itself there under the name "Ytunnel Pro Crack.exe.vbs". The trojan then tries to determine whether the Y!Tunnel/Y!Tunnel Pro software is present on the user's computer. Y!Tunnel is a free add-on for Yahoo! Messenger aiming to protect Messenger users from abusive and malicious chatroom activity. If that software is installed in any of the following locations:
"C:\Program Files\Y!Tunnel"
"C:\Program Files\Y!TunnelPro SP1"
"C:\Program Files\Y!TunnelPro SP2"
the trojan tries to send "echo request" ICMP messages of a certain size using the ping.exe command for an unlimited amount of time, thus potentially trying to perform a DoS attack against the website of the makers of the Y!Tunnel software.
However, due to a coding error, this part will fail to function.
Depending on the conditions mentioned above, the trojan also adds an automatic "format c:" instruction to Autoexec.bat if it exists on the C: drive.

Analysis/Description: Sindri Bjarnason, Virus-analyst, FRISK Software Viruslab
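
A host check for the two traces described above (the dropped copy in the file-sharing folders and a "format c:" line in autoexec.bat), given here as an added example that is not part of the original description or of any FRISK tool. The function names, the drive-root argument and the wider double-extension pattern are assumptions made for illustration; the folder paths and file name come from the text.

```python
import re
import sys
from pathlib import Path

# Folders and dropped file name as listed in the description (relative to the C: root).
SHARED_DIRS = [
    ("Program Files", "Kazaa", "My Shared Folder"),
    ("Program Files", "KaZaA Lite", "My Shared Folder"),
    ("Program Files", "Grokster", "My Grokster"),
]
DROPPED_NAME = "ytunnel pro crack.exe.vbs"
# Generalisation (assumption): any executable-looking name with a script extension appended.
DOUBLE_EXT = re.compile(r"\.(exe|com|scr|pif)\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)
# A format command aimed at C: anywhere on a batch line.
FORMAT_C = re.compile(r"\bformat(\.com)?\s+c:", re.IGNORECASE)

def scan_shared_folders(root):
    """Return (path, reason) for suspicious files in the listed shared folders."""
    hits = []
    for parts in SHARED_DIRS:
        folder = Path(root).joinpath(*parts)
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.name.lower() == DROPPED_NAME:
                hits.append((str(entry), "name used by VBS/TonFun.A"))
            elif DOUBLE_EXT.search(entry.name):
                hits.append((str(entry), "double extension"))
    return hits

def scan_autoexec(root):
    """Return (line_number, text) for autoexec.bat lines that would format C:."""
    path = Path(root) / "autoexec.bat"
    if not path.is_file():
        return []
    hits = []
    for number, line in enumerate(path.read_text(encoding="latin-1").splitlines(), 1):
        stripped = line.strip()
        if stripped.lower().startswith(("rem ", "::")):
            continue  # commented-out line, not executed
        if FORMAT_C.search(stripped):
            hits.append((number, stripped))
    return hits

if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for finding in scan_shared_folders(drive) + scan_autoexec(drive):
        print(finding)
```

Pass the root of a mounted disk image as the first argument to check an offline copy instead of the live C: drive.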