VeryFun (also known as Trojan.Win32.VeryFun) is a trojan for Microsoft Windows. Its payload differs on every launch and appears to be randomly generated. It has never been seen in the wild: it was written for danooct1's Viewer-Made Malware contest, like MEMZ, ResonateII and Zika, to which, according to danooct1, VeryFun bears many similarities. The trojan writes directly into the memory of running applications and also writes entries to the registry.
The payloads described in this section are the random payloads that were shown in danooct1's video about this trojan.
First Demonstrated Payload
VeryFun first displays a message saying 'A very funny thing is happening!' titled 'FUN FUN FUN FUN FUN!!!!', then pops up a Data Execution Prevention message saying that cmd.exe has been closed. It then draws rainbow lines on the screen similar in appearance to Paint's airbrush tool. During this, many applications crash because of VeryFun's memory corruption. Finally, the system schedules a shutdown in one minute because the RPC service has crashed, and the trojan keeps creating 'A very funny thing is happening!' messages until the computer crashes with a Blue Screen of Death (error code 0xC000021A). When the computer restarts, a message that appears to be an error message pops up and a login screen appears, asking for a password even if the default user has none. All of the text shown after the restart is in a raster font and most of it is garbled because font entries are missing from the registry.
Second Demonstrated Payload
In this payload, a Blue Screen of Death occurs instantly (error code 0x0000007F). During the BSOD, VMware shows an error message saying "A fault has occurred causing the virtual CPU to enter the shutdown state.", most likely because the trojan caused a triple fault, which halts the virtual CPU immediately.
Third Demonstrated Payload
This payload is similar to the first one, but when a window is dragged it leaves stacked afterimages of itself on the screen, because windows and the desktop background are no longer redrawn properly. Eventually, a BSOD occurs (error code 0x000000F4). After a restart, the boot process hangs on the Windows XP loading screen, but after a forced restart the machine boots properly and the trojan seems not to have caused permanent damage.
Fourth Demonstrated Payload
This payload is similar to the first one, but it causes more errors. Because of the memory corruption, Service Host (svchost.exe) and Userinit Logon Application try to access memory they cannot read, causing both to segfault. Later, explorer.exe goes down the same way, services.exe crashes with an unknown exception and lsass.exe exits with error code -1073741819 (0xC0000005), causing the system to schedule a shutdown in one minute. Then a message appears saying 'The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted', which might be caused by altering the ProductType registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions. In the meantime, the trojan creates a message saying 'WOW, REGISTRY SEEMS FUCKED UP!!', titled 'kek'. VeryFun keeps drawing rainbow lines and several more segfaults occur, including one in winlogon.exe, until Windows finally crashes to a Blue Screen of Death (error code 0x000000F4). During boot, a message appears saying that Windows cannot start because the \WINDOWS\system32\config\SYSTEM file, which holds the registry hive backing HKEY_LOCAL_MACHINE\SYSTEM, is missing or corrupted.
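The two artifacts this payload leaves behind, a tampered ProductType value and a missing or corrupted SYSTEM hive, are both easy to verify from an elevated PowerShell session on a machine suspected of infection. The following check is an added example, not code from the page or from the trojan's author; it assumes the NT-family ProductType strings (WinNT, ServerNT, LanmanNT) and the default hive location under %SystemRoot%\system32\config, and it reports rather than repairs.

```powershell
# Added example (not from the original page): sanity-check the ProductType value
# and the SYSTEM hive file that the fourth payload description points at.
# Assumes an elevated PowerShell session on the machine being examined.

function Test-ProductOptions {
    [CmdletBinding()]
    param(
        # ProductType strings Windows NT-family systems use:
        # WinNT = workstation, ServerNT = stand-alone server, LanmanNT = domain controller.
        [string[]] $KnownTypes = @('WinNT', 'ServerNT', 'LanmanNT'),
        # Default location of the hive backing HKLM\SYSTEM.
        [string] $HivePath = (Join-Path $env:SystemRoot 'system32\config\SYSTEM')
    )

    $result = [ordered]@{
        ProductType      = $null
        ProductTypeValid = $false
        HiveExists       = $false
        HiveSizeBytes    = 0
        Problems         = @()
    }

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'
    try {
        # Read the value and compare it with the known-good set.
        $result.ProductType = (Get-ItemProperty -Path $key -Name ProductType -ErrorAction Stop).ProductType
        $result.ProductTypeValid = $KnownTypes -contains $result.ProductType
        if (-not $result.ProductTypeValid) {
            $result.Problems += "Unexpected ProductType '$($result.ProductType)' under $key"
        }
    } catch {
        # A missing value or unreadable key is itself a finding.
        $result.Problems += "Could not read ProductType under ${key}: $($_.Exception.Message)"
    }

    # The hive is locked by the kernel while Windows runs, but its metadata is still readable.
    if (Test-Path -LiteralPath $HivePath) {
        $result.HiveExists    = $true
        $result.HiveSizeBytes = (Get-Item -LiteralPath $HivePath).Length
        if ($result.HiveSizeBytes -eq 0) { $result.Problems += "$HivePath is empty" }
    } else {
        $result.Problems += "$HivePath is missing"
    }

    [pscustomobject]$result
}

# Usage: print the findings; an empty Problems list means both checks passed.
Test-ProductOptions | Format-List
```

On a healthy machine ProductTypeValid is true and Problems is empty; on a machine that has reached the license-tampering message, the ProductType value is typically absent or not one of the three known strings, and after the reboot failure described above the hive file itself is what to inspect from offline media, since the running system cannot start without it.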
Fifth Demonstrated Payload
This payload is similar to the fourth one, including the 'WOW, REGISTRY SEEMS FUCKED UP!!' message box and the numerous segfaults, but the shutdown is scheduled because services.exe, not lsass.exe, crashes. The taskbar also disappears, although explorer.exe stays alive. When the shutdown countdown reaches 0, the system freezes instead of restarting. VeryFun stops drawing lines and it is still possible to click on icons, but not to open programs. Rebooting from here produces the same startup error as the fourth payload.