Worm:Win32/Funner.A
Detected by Microsoft Defender Antivirus
Aliases: Win32/Funner.A!Worm (CA), W32/Funner.A (Norman), W32/Funner-A (Sophos), WORM_FUNNER.A (Trend Micro)
Summary
Win32/Funner is an instant messaging worm that spreads through MSN Messenger, MSN Communicator, and QQ. The worm overwrites the HOSTS file to redirect certain outbound Internet traffic from the infected computer to an attacker’s server, which could enable phishing and man-in-the-middle attacks. These attacks may include theft of credentials such as user names, passwords, and credit card data, as well as injection of malicious code into Internet traffic that is bound for the user's computer.
Worm:Win32/Funner.A may enable an attacker to inject malicious code into Internet traffic bound for the user's computer. Recovering from this situation may require measures beyond removing the worm itself from the computer. For this reason, attempting manual removal of Worm:Win32/Funner.A is not recommended. To detect and remove this worm as well as other malicious software, run a full-system scan with an up-to-date antivirus product such as the Microsoft Malicious Software Removal Tool (http://www.microsoft.com/security/malwareremove/default.mspx) or the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, visit http://www.microsoft.com/athome/security/downloads/default.mspx
The Win32/Funner worm overwrites the Windows HOSTS file on the infected computer. To address this, when a Microsoft detection and removal tool automatically removes Win32/Funner, the tool creates a new default HOSTS file and saves the modified HOSTS file as HOSTS.bak. On Windows Vista/XP/2000/NT, the HOSTS file is located in <system folder>\drivers\etc\. On Windows ME/98/95, the HOSTS file is located in the Windows folder.
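An added example, not part of the Microsoft write-up: Python that reads HOSTS-format text, such as the saved HOSTS.bak, and lists the hostnames mapped to non-loopback addresses, which shows which sites' credentials to treat as exposed. The sample file contents, hostnames and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of a modified HOSTS file. The addresses come from the
# documentation ranges and the hostnames are placeholders, not worm data.
SAMPLE_HOSTS_BAK = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    bank.example.com www.bank.example.com   # trailing comment
203.0.113.10    Mail.Example.net
0.0.0.0         ads.example.org
::1             localhost
not-an-ip       broken.example.com
"""

def parse_hosts(text):
    """Yield (address, hostname) for every well-formed mapping in HOSTS text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip malformed lines
        for name in fields[1:]:                 # one line may carry several names
            yield addr, name.lower()

def redirected_hosts(text):
    """Map each redirect address to the hostnames pointed at it.

    Loopback and unspecified (0.0.0.0) entries only block a name; an entry
    pointing anywhere else sends that name's traffic to another machine.
    """
    result = {}
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        result.setdefault(str(addr), []).append(name)
    return result

if __name__ == "__main__":
    # Pass the text of the saved HOSTS.bak instead of the sample to review it.
    for addr, names in redirected_hosts(SAMPLE_HOSTS_BAK).items():
        print(addr, "<-", ", ".join(names))
```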