The Fun.Exe virus is of the w32.Assarm family of computer viruses. According to Symantec[1] it registers itself as a Windows system process then periodically sends mail with spreading attachments as a response to any unopened emails in Outlook Express. This virus first appeared in early 2008 and is now recognized by most anti virus programs.

Infection

edit

The virus will install multiple copies of itself throughout the system. It makes itself hard to remove by installing many different copies with different names in different locations. The running copy is a system process and will restart if it is closed manually. It adds itself to auto run information so that it executes multiple copies on startup. The copies monitor each other and will restore each other if one is deleted. This makes deleting from Windows nearly impossible.

Known file names used by the virus are Fun.exe, DC.exe, Other.exe, SVIQ.exe, win.exe, WinSit.exe, Windev.exe, and thisisnotmalwarelol.exe. This malware is usually embedded on PowerPoint documents. This allowed to malware to bypass most antiviruses, including Sophos and Kaspersky.

The file icon is made to look like the icon for a folder, inviting the user to open the folder when actually they are running the program thus starting the initial infection. However the graphic icon for the folder is poorly ripped from Windows service icons and can be distinguished by subtle visual differences, predominantly white below the black outline of the folder which on the real folder icon is dithered to transparent space. This visual difference is especially noticeable in safe mode when graphic operating capacity is in 256 color mode instead of 24 bit color mode.

The files show a creation date of 6-23-2008 and show an original name of Olalatheworld.exe and an internal name of Olalatheworld. The files are 124,928 bytes in size. These characteristics can help distinguish the infected files, which is important because some of the names used by the file are names of legitimate Windows files and therefore care must be taken not to accidentally remove a vital Windows file.

References

edit
  1. ^ "W32.Assarm@mm Technical Details". Archived from the original on January 16, 2009.