Summary of VBS/TonFun.A
17 Mar 2003
20 Mar 2003
Depending on certain factors, this trojan tries to inject an automatic "format c:" command into autoexec.bat, which can lead to data loss.
VBS/TonFun.A is a trojan written in Visual Basic Script, targeting Y!Tunnel/Y!Tunnel Pro users.
Y!Tunnel is a free add-on for Yahoo! Messenger aiming to protect Messenger users from abusive and malicious chatroom activity.
VBS/TonFun.A can distribute itself through file-sharing programs, such as Kazaa, Kazaa Lite and Grokster, by placing a copy of itself in the shared folders used by those programs under the name "Ytunnel Pro Crack" with the double extension .exe.vbs.
The first thing this trojan does is check whether any of the following directories exist:
"C:\Program Files\Kazaa\My Shared Folder"
"C:\Program Files\KaZaA Lite\My Shared Folder"
"C:\Program Files\Grokster\My Grokster"
If any of these directories exist, the trojan copies itself there under the name "Ytunnel Pro Crack.exe.vbs". The trojan then tries to determine whether the Y!Tunnel/Y!Tunnel Pro software is present on the user's computer. If that software is installed in any of the following locations:
"C:\Program Files\Y!TunnelPro SP1"
"C:\Program Files\Y!TunnelPro SP2"
the trojan tries to send an "echo request" ICMP message of a certain size using the ping.exe command for an unlimited amount of time, thus potentially trying to perform a DoS attack against the website of the makers of the Y!Tunnel software.
However, due to a coding error, this part will fail to function.
Depending on the conditions mentioned above, the trojan also adds an automatic "format c:" instruction to Autoexec.bat if it exists on the c: drive.
Analysis/Description: Sindri Bjarnason, Virus-analyst FRISK Software Viruslab
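A check for the two on-disk traces described above (a double-extension script file in a file-sharing folder, and a "format c:" line in autoexec.bat), added here as an example and not part of the original FRISK description. The extension lists, the regular expression and the function names are assumptions; the description does not give the exact line written to autoexec.bat.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Share folders named in the description above; checked only if they exist.
SHARED_FOLDERS = [
    r"C:\Program Files\Kazaa\My Shared Folder",
    r"C:\Program Files\KaZaA Lite\My Shared Folder",
    r"C:\Program Files\Grokster\My Grokster",
]
# Assumption: illustrative extension lists, not taken from the description.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
DECOY_EXTS = {".exe", ".zip", ".mp3", ".jpg", ".txt", ".doc"}
# Assumption: the injected line invokes FORMAT on C:, possibly prefixed with
# "@" or "echo y|". The description only says 'format c:'.
FORMAT_RE = re.compile(r"^\s*@?\s*(?:echo\s+\S+\s*\|\s*)?format(?:\.com)?\s+c:", re.I)

def is_double_extension_script(name):
    """True for names such as 'Ytunnel Pro Crack.exe.vbs'."""
    ext = [s.lower() for s in PureWindowsPath(name).suffixes]
    return len(ext) >= 2 and ext[-1] in SCRIPT_EXTS and ext[-2] in DECOY_EXTS

def scan_folder(folder):
    """Sorted names of double-extension script files directly inside folder."""
    p = Path(folder)
    if not p.is_dir():
        return []
    return sorted(f.name for f in p.iterdir()
                  if f.is_file() and is_double_extension_script(f.name))

def suspicious_autoexec_lines(text):
    """(line number, line) pairs for lines that would run FORMAT on C:."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if FORMAT_RE.match(line)]

def demo():
    """Run both checks on constructed sample data (not real samples)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Ytunnel Pro Crack.exe.vbs", "song.mp3", "notes.v1.txt"):
            (Path(d) / name).write_text("constructed placeholder")
        hits = scan_folder(d)
    autoexec = "@echo off\nrem format c: is dangerous\nformat c:\nPATH C:\\DOS\n"
    return hits, suspicious_autoexec_lines(autoexec)

if __name__ == "__main__":
    for folder in SHARED_FOLDERS:
        print(folder, scan_folder(folder))
    autoexec = Path(r"C:\autoexec.bat")
    if autoexec.is_file():
        print(suspicious_autoexec_lines(autoexec.read_text(errors="replace")))
    print(demo())
```

A commented-out line such as `rem format c:` is not reported, because the pattern only matches lines that would actually execute the command.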