W32.FUNNER worm


Mick

MS AntiSpyware came up with an alert saying a website
(139mm.com) was trying to add itself to the IE trusted
sites list. I found out that the W32.FUNNER worm adds
hundreds of entries to the hosts file to point to an
external IP address. 139mm.com is 1 of them.

Should I be worried? I'm using up to date Norton Internet
Security but it hasn't detected any viruses. Any help
would be appreciated.
 
Disable System Restore, restart in safe mode and run a scan using your
Antivirus program.

Andre
 
You should protect your hosts file:

How to do so is in the following, and then some other good ideas that work well:

Pretty slick way of protecting our users - with nothing more than putting a text file on their computer to override DNS. You can pass along if you see fit.

http://www.mvps.org/winhelp2002/hosts.htm
http://www.mvps.org/winhelp2002/hosts.zip (47 kb)
http://www.mvps.org/winhelp2002/hosts.txt (207 kb)

"What it does ...
The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory at startup, then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, as long as the entry exists."
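
An added example, not part of the original post or of the MVPS hosts project: a Python check for the behaviour described in this thread, where a worm adds many hosts entries pointing at an external IP address. It lists every entry that maps a name to anything other than the local machine; the sample file, its host names and the 203.0.113.7 address are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not taken from an infected machine. 203.0.113.7 is a
# documentation address (RFC 5737); the host names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.blocked.example   # blocklist-style entry
0.0.0.0         tracker.blocked.example
203.0.113.7     www.bank.example
203.0.113.7     update.vendor.example mail.vendor.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each mapping line; skip comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        yield line_no, ip, fields[1:]

def audit_hosts(text):
    """Return {ip_string: [host names]} for entries that redirect off the local machine."""
    redirects = defaultdict(list)
    for _line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 block a name, they do not hijack it
        redirects[str(ip)].extend(names)
    return dict(redirects)

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts
    for ip, names in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} name(s) redirected -> {', '.join(names)}")
```

Entries that point at private intranet addresses are reported as well, so each flagged address still needs a manual review before anything is deleted.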
 
Andre,

Unless the restore points are infected, there is no need to disable
System Restore at this point in time. The best time for disabling SR is
AFTER the malware has been cleaned and then creating a known malware
free restore point. Even then, using Diskcleanup, one can remove all but
the latest restore points.

Disabling SR as the first step leaves the User with NO chance to roll
the system back in case of any mistaken steps.

Even an infected system is better than losing the OS and all data, is it
not?


Steve Wechsler (akaMowGreen)
MVP Windows Server

AumHa VSOP Security Expert@CastleCops
 
Hi, Steve!
Agree 100%, maybe it makes sense to include
simple and _correct_ advice about SR in FAQ?
Kaspars
-----Original Message-----
Andre,

Unless the restore points are infected, there is no need
to disable System Restore at this point in time. The best
time for disabling SR is AFTER the malware has been
cleaned and then creating a known malware free restore
point. Even then, using Diskcleanup, one can remove all
but the latest restore points.

Disabling SR as the first step leaves the User with NO
chance to roll the system back in case of any mistaken
steps.
Even an infected system is better than losing the OS and
all data, is it not?

Steve Wechsler (akaMowGreen)
MVP Windows Server

AumHa VSOP Security Expert@CastleCops
 
I'm not going to worry about this 1. I ran a full system
virus scan in safe mode and it didn't find anything. My
hosts file is clean. I don't know why it came up with
that alert; it might be a bug.
 