SomeFun

Type: Trojan
SubType: Win32
Discovery Date: 02/28/2008
Length: varies
Minimum DAT: 5241 (02/28/2008)
Updated DAT: 5761 (10/04/2009)
Minimum Engine: 5.1.00
Description Added: 02/28/2008
Description Modified: 03/10/2008 3:06 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

On execution, this program displays the following message box

        

Meanwhile, it creates a text file on the desktop with the name "OWNED BY EVIL KID!!!.TXT", with the following text in it. On every execution of this trojan, the same text is appended to this file.

                      

The above messages are false claims. In reality, the trojan does not steal any passwords.

It also creates a batch file named "Norton AntiVirus.bat" and adds it to the startup folder.
This is used to load the file at system startup. Every time the system is started, this batch file is executed and the following window is displayed.

                      

It then launches the web browser and opens a porn website - http://[removed]thumbs.com


Files Added:

  • %UserProfile%\Desktop\OWNED BY EVIL KID!!!.TXT
  • %UserProfile%\Start Menu\Programs\Startup\Norton AntiVirus.bat
  • %Windir%\system32\hot.exe

Symptoms

  • Presence of the above mentioned files.
  • Opening of porn website without user interaction.
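
A sweep for the three files listed under "Files Added", as an added example that is not part of the original description: it matches a file listing (for instance the output of `dir /s /b`) against those paths case-insensitively. The locations substituted for %UserProfile% and %Windir% are assumed Windows defaults, and the sample listing is constructed.

```python
import re

# File indicators exactly as listed under "Files Added" on this page.
INDICATORS = [
    r"%UserProfile%\Desktop\OWNED BY EVIL KID!!!.TXT",
    r"%UserProfile%\Start Menu\Programs\Startup\Norton AntiVirus.bat",
    r"%Windir%\system32\hot.exe",
]

# Assumption: default Windows locations. Adjust for relocated profiles
# or a non-default Windows directory.
VAR_PATTERNS = {
    "%userprofile%": r"[a-z]:\\(?:documents and settings|users)\\[^\\]+",
    "%windir%": r"[a-z]:\\(?:windows|winnt)",
}

def indicator_regex(template):
    """Turn one indicator template into a case-insensitive regex."""
    # Split so that %Variable% tokens become separate list items.
    parts = re.split(r"(%[^%\\]+%)", template)
    body = "".join(VAR_PATTERNS.get(p.lower(), re.escape(p)) for p in parts)
    return re.compile(body, re.IGNORECASE)

def sweep(listing):
    """Return (indicator, path) pairs for every listed path that matches."""
    compiled = [(t, indicator_regex(t)) for t in INDICATORS]
    hits = []
    for line in listing.splitlines():
        path = line.strip().strip('"').replace("/", "\\")
        for template, rx in compiled:
            # fullmatch: the same file name in another directory is not a hit.
            if path and rx.fullmatch(path):
                hits.append((template, path))
    return hits

# Constructed sample listing, not data from a real host.
SAMPLE_LISTING = r"""
C:\Documents and Settings\alice\Desktop\owned by evil kid!!!.txt
C:\Documents and Settings\alice\Start Menu\Programs\Startup\Norton AntiVirus.bat
C:\Documents and Settings\bob\Desktop\notes.txt
C:\WINDOWS\system32\hot.exe
C:\Program Files\Example\hot.exe
C:\WINDOWS\system32\drivers\hot.exe
"""

if __name__ == "__main__":
    for template, path in sweep(SAMPLE_LISTING):
        print(f"{path}  <-  {template}")
```

A hit on any one path is a reason to scan the host; the batch file's name imitates an antivirus product, so match on its Startup-folder location rather than on the name alone.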

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This detection is for a trojan that displays fake messages to scare the user into believing that the system has been hacked, and also opens a porn website.

Aliases

  • Troj/Agent-GQO (Sophos)
  • Trojan.MSIL.Agent.j (Kaspersky)
  • W32/Steljoke.Z!tr (Fortinet)
