FunLove and Swen in the same email?

Discussion in 'Anti-Virus' started by David H. Lipman, Feb 5, 2004.

  1. Has anyone heard of the FunLove and the Swen joined in the same email?

    The following is a McAfee log excerpt.

    2/4/2004 9:20:59 PM Cleaned DLIPMAN-1\lipman D:\temp\Temporary Internet
    Files\Content.IE5\STK38FWN\ezngbg.pif W32/FunLove.gen
    2/4/2004 9:20:59 PM Deleted DLIPMAN-1\lipman D:\temp\Temporary Internet
    Files\Content.IE5\STK38FWN\ezngbg.pif W32/Swen@MM

    Dave
     
    David H. Lipman, Feb 5, 2004
    #1

  2. Pepperoni (Guest)

    Yes.
    Funlove is a file infector.
    "This virus is a parasitic Win32 PE file virus that infects EXE, SCR and OCX
    files by appending itself to the last PE section of the file. The virus also
    overwrites the first 8 bytes of code at the start of the program with a jump
    to the virus's code"
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=10419
     
    Pepperoni, Feb 5, 2004
    #2
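    The quoted write-up describes the two things a defender can look for in a suspect binary: code appended to the last PE section, and the first bytes at the entry point replaced by a jump into that appended code. The following Python script is an added illustration of that triage check; it is not McAfee's scanner logic nor anything posted in this thread. It parses the PE headers with the standard library only (no `pefile` dependency), flags an entry point that lands in the last section or a near JMP at the entry point whose target does, and builds two constructed, non-executable sample images in memory (one clean, one with the entry patched the way the write-up describes) to run the check against. The section names, RVAs and sample bytes are all constructed for the example.

```python
"""Heuristic check for an appended-section file infector, as described in the
McAfee write-up quoted above (code appended to the last PE section, entry code
patched with a jump there). Added example, not McAfee's or the thread's code;
the sample PE images are constructed in memory and contain no real malware."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_rva, [section dicts]) for a PE32/PE32+ image in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            data, opt + opt_size + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections


def _contains(section, rva):
    return section["va"] <= rva < section["va"] + max(section["vsize"], section["rawsize"])


def _rva_to_offset(rva, sections):
    for s in sections:
        if _contains(s, rva):
            return s["rawptr"] + (rva - s["va"])
    return None


def check_last_section_infector(data):
    """Return a description string if the entry path leads into the last
    section, else None. Two cues: the entry point itself lies in the last
    section, or the first instruction at the entry is a near JMP (E9 rel32)
    whose target lies there. Legitimate packers and some linkers trigger
    this too, so treat a hit as a triage flag, not a verdict."""
    entry_rva, sections = parse_pe(data)
    last = sections[-1]
    if _contains(last, entry_rva):
        return "entry point inside last section %s" % last["name"]
    off = _rva_to_offset(entry_rva, sections)
    if off is not None and off + 5 <= len(data) and data[off] == 0xE9:
        rel = struct.unpack_from("<i", data, off + 1)[0]
        target = (entry_rva + 5 + rel) & 0xFFFFFFFF
        if _contains(last, target):
            return "JMP at entry point into last section %s (rva 0x%x)" % (last["name"], target)
    return None


def build_sample_pe(entry_code, entry_rva=0x1000):
    """Construct a minimal two-section PE32 image (headers only need to be
    parseable; it is never executed). .text at RVA 0x1000, .rsrc last at 0x2000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = (struct.pack("<H", 0x10B) + b"\0" * 14 +            # PE32 magic
                struct.pack("<I", entry_rva) + b"\0" * (224 - 20)) # AddressOfEntryPoint
    text_hdr = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rsrc_hdr = SECTION_HDR.pack(b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + optional + text_hdr + rsrc_hdr
    headers += b"\0" * (0x200 - len(headers))
    text = entry_code + b"\0" * (0x200 - len(entry_code))
    rsrc = b"\0" * 0x200                                           # constructed, empty
    return headers + text + rsrc


# Constructed harmless entry stub: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN_ENTRY = b"\x55\x8b\xec\x33\xc0\x5d\xc3"
# Simulated appended-section infection: first 8 bytes at the entry replaced by
# JMP rel32 to RVA 0x2000 (start of the last section) plus padding. No payload.
PATCHED_ENTRY = b"\xe9" + struct.pack("<i", 0x2000 - (0x1000 + 5)) + b"\x90\x90\x90"

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_ENTRY), ("patched", PATCHED_ENTRY)):
        print(label, "->", check_last_section_infector(build_sample_pe(code)))
```

    Run the script as-is to see the clean image report `None` and the patched image report the jump into `.rsrc`; point `check_last_section_infector` at `open(path, "rb").read()` to try it on a real file. Because the thread also turns on which tool sees which layer (Carol's point below that a worm scanner and a virus scanner answer differently), the check is deliberately narrow: it says nothing about what the jump target contains, only that the control flow at the entry leads into the last section, which is the structural trace the write-up describes.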

  3. Yes, I read that write-up at NAI - http://vil.nai.com/vil/content/v_10419.htm

    However, I have not heard of the two being received together, in one executable. Nor is
    there a write up on it.

    Did a PC that was infected with Swen and Funlove then generate an email message creating a
    PIF file attachment that had FunLove appended to the Swen?

    I received it in Outlook Express so I sent an OE EML file to McAfee and they indicated:
    exploit-mime.gen.exe
    But I guess they did not extract the PIF out of the EML to get the Swen and FunLove.

    I also posted at AVERT WebImmune and got the same answer: exploit-mime.gen.exe, no Swen
    and no FunLove

    Dave

    David H. Lipman, Feb 5, 2004
    #3
  4. Big Will (Guest)

    It could make sense, though. If someone is infected with both funlove (a
    virus) and swen (a worm), then I suppose it's possible for funlove to infect
    whatever source code Swen is before it gets sent out. It all depends on how
    the files that get sent out are constructed by the active memory resident
    worm. If the file is already there, and just needs to be copied, then
    funlove could easily infect this worm. So, then you would have swen, and
    funlove, in the same file.

    --
    William

    If it don't work, hit it.
    If it still doesn't work, kick it.
    If it works after hitting it and kicking it, then it doesn't matter if
    hitting it or kicking it helped, what's important is that it works.
     
    Big Will, Feb 5, 2004
    #4
  5. Carol:

    Well stated !

    McAfee AVERT did indeed reply back that they found FunLove but NOT Swen in the PIF.

    Thanx...
    Dave



    | On Thu, 05 Feb 2004 03:15:37 GMT, "David H. Lipman"
    |
    | >Yes, I read that write-up at NAI -
    | >http://vil.nai.com/vil/content/v_10419.htm
    | >
    | >However, I have not heard of the two being received together,
    | >in one executable. Nor is there a write up on it.
    | >
    | >Did a PC that was infected with Swen and Funlove then generate
    | >an email message creating a PIF file attachment that had FunLove
    | >appended to the Swen ?
    |
    | Yes. This happened quite a bit with Klez and CIH, and I've seen an
    | AOL-specific trojan installer in the same condition. A worm or trojan
    | executable is no different from any other, and hence can be infected
    | with a file-infecting virus.
    |
    | Many AV will react as McAfee did initially - clean the virus, then ID
    | the worm. Or as when you sent the entire e-mail, find the exploit and
    | stop there. If you'd sent the file rather than the e-mail, they'd
    | have ID'ed the FunLove. Give the file to a program that doesn't look
    | for viruses, like The Cleaner or Trojan Remover, and it would find the
    | worm but not the file infector at all.
    |
    | Carol
    |
    |
     
    David H. Lipman, Feb 5, 2004
    #5
