Classification

Category :

Malware

Type :

-

Aliases :

Fuzzynut, Win32.Fuzzynut7684

Summary

The 'Fuzzynut' is a trojan written in Visual Basic. In order to run the trojan needs a Visual Basic run-time library VBRUN300.DLL that most of Windows users have in their \Windows\System\ directory. On every execution the trojan does the following:

1. Creates random number of folders with random names in C:\Windows directory. Names are generated by a special subroutine and have ASCII letters from 'a' to 'z' only.

2. Copies itself to root Windows directory as FUZZUNUT.EXE file.

3. Modifies WIN.INI 'run=' setting to 'run=fuzzynut.exe'. This allows the trojan to be run on each Windows bootup.

4. Changes registration entry for WinZip in WIN.INI as follows:

[WinZip]

 win32_version=6.3

 Name=MyPantsFellOff

 SN=F12D235B

Surprisingly, this seems to be a valid WinZip registration key.

5. Changes volume label on C: drive to 'LICKMYBALLS'.

The trojan was fake-posted to alt.comp.virus newsgroup by someone (trojan author most likely) using the name of Nick Fitzgerald. Nick Fitzgerald is the editor of the Virus Bulletin magazine and has nothing to do with the trojan.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

N/A