"Funneh" worm (Funner variant)
This virus is characterized by sending out links similar to the following:
- Cingular's cell page is broken. http://www.cingular.com/phoneactivation/loadingringtones.usa.gs , want free ringtones?. Supposed to be for "New Phone Activations". I seriously just tried it, got 10. Hurry, they'll fix it soon.
The actual link points to webpages like the following:
- http://www.phoneactivations.usa.gs/
This appears to be a variant of a previous worm. At this time I believe the worm only infects systems running Windows 2000, XP or 2003. It should be removed by the current version of AIMFix.
Files and symptoms:
- Creates the service "PrintStorage" with the display name "Print Spooler Storage"
- Creates service executable "C:\WINDOWS\system32\mctsc.exe" for the PrintStorage service
- Also known to use executable "C:\WINDOWS\system32\winsmv.exe" for PrintStorage service
- Creates and runs executable file "C:\WINDOWS\system32\svmbi.exe"
To manually remove the worm you can remove any of the above services/executables if found. As always, you should follow any removal with a thorough Spyware cleaning to remove any malware installed by the worm
If you encounter a variant of this virus unable to be removed by AIMFix, contact me with the requested details and I will be glad to update AIMFix for you.
LEGAL STUFF: I am not affiliated with the makers of this virus in any way, nor am I affiliated with any anti-virus company. I merely provide this as a service for those who have been infected. I take no responsibility for any damage done by the virus or by those incorrectly following these removal steps, or those using my removal tools.