W32/Fujacks.a

Type: Virus
SubType: Worm
Discovery Date: 11/16/2006
Length: 30,465
Minimum DAT: 4897 (11/16/2006)
Updated DAT: 5286 (05/01/2008)
Minimum Engine: 5.1.00
Description Added: 11/16/2006
Description Modified: 11/16/2006 5:31 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Upon execution, the worm drops a copy of itself in the %SYSTEM% folder and executes from there.


Creates the following files in the root directory:

  • setup.inf
  • setup.exe
  • GameSetup.exe

It copies itself to the startup folders to make sure it runs at Windows startup.

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"FuckJacks" = "%SYSTEM%\FuckJacks.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svohost" = "%SYSTEM%\FuckJacks.exe"


Terminates processes containing the following strings:

  • QQKav
  • QQAV
  • VirusScan
  • Symantec AntiVirus
  • iDuba
  • esteem procs
  • Wrapped gift Killer
  • Winsock Expert
  • msctls_statusbar32
  • pjf(ustc)
  • IceSword


Terminates the following processes:

  • Mcshield.exe
  • VsTskMgr.exe
  • naPrdMgr.exe
  • UpdaterUI.exe
  • TBMon.exe
  • scan32.exe
  • Ravmond.exe
  • CCenter.exe
  • RavTask.exe
  • Rav.exe
  • Ravmon.exe
  • RavmonD.exe
  • RavStub.exe
  • KVXP.kxp
  • KvMonXP.kxp
  • KVCenter.kxp
  • KVSrvXP.exe
  • KRegEx.exe
  • UIHost.exe
  • TrojDie.kxp
  • FrogAgent.exe
  • Logo1_.exe
  • Logo_1.exe
  • Rundl123.exe


Terminates the following services:

  • KVWSC
  • KVSrvXP
  • kavsvc
  • AVP
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • wscsvc
  • KPfwSvc
  • SNDSrvc
  • ccProxy
  • ccEvtMgr
  • ccSetMgr
  • SPBBCSvc
  • Symantec Core LC
  • NPFMntor
  • MskService
  • FireSvc


Deletes the following registry entries:

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse


It tries to copy itself to network shares using the following passwords:

  • admin$
  • 1234
  • password
  • 6969
  • harley
  • 123456
  • golf
  • pussy
  • mustang
  • 1111
  • shadow
  • 1313
  • fish
  • 5150
  • 7777
  • qwerty
  • baseball
  • 2112
  • letmein
  • 12345678
  • 12345
  • ccc
  • admin
  • 5201314
  • qq520
  • 123
  • 1234567
  • 123456789
  • 654321
  • 54321
  • 111
  • 000000
  • abc
  • 11111111
  • 88888888
  • pass
  • passwd
  • database
  • abcd
  • abc123
  • sybase
  • 123qwe
  • server
  • computer
  • 520
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • 2002
  • 2003
  • 2600
  • alpha
  • 110
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • 007
  • aaa
  • patrick
  • pat
  • administrator
  • root
  • sex
  • god
  • foobar
  • secret
  • test
  • test123
  • temp
  • temp123
  • win
  • asdf
  • pwd
  • qwer
  • yxcv
  • zxcv
  • home
  • xxx
  • owner
  • login
  • Login
  • pw123
  • love
  • mypc
  • mypc123
  • admin123
  • mypass
  • mypass123
  • 901100

It might also attempt to download other malware components onto the infected machine.


 

Symptoms

  1. Presence of one or more of the following file(s):
    • %Windir%\System32\FuckJacks.exe
  2. Presence of one or more of the following file(s) in the root directory of the system drive or of network shared folders:
    • setup.exe
    • setup.inf
    • GameSetup.exe
  3. Executable files grow by 30,465 bytes.
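
As an added example (not part of the original description and not vendor tooling), the Python code below matches already-collected host artifacts against the symptoms and registry values listed above. The function name `triage`, the input shapes, and all sample hosts, paths and sizes are assumptions constructed for illustration.

```python
import ntpath

# Indicators taken from the Characteristics and Symptoms sections above.
GROWTH = 30465                               # bytes added to infected executables
RUN_NAMES = {"fuckjacks", "svohost"}         # Run value names the worm creates
PAYLOAD = "fuckjacks.exe"                    # copy dropped in %SYSTEM%
ROOT_DROPS = {"setup.inf", "setup.exe", "gamesetup.exe"}

def triage(run_values, paths, baseline, current):
    """Match collected host artifacts against the listed symptoms.

    run_values: (key, value_name, data) tuples read from the two Run keys
    paths:      full Windows or UNC paths seen on local drives and shares
    baseline / current: {path: size_in_bytes} from two file inventories
    """
    findings = []
    for key, name, data in run_values:
        target = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() in RUN_NAMES or target == PAYLOAD:
            findings.append(("run-key", key + "\\" + name))
    for path in paths:
        _, rest = ntpath.splitdrive(path)    # also splits \\server\share
        base = ntpath.basename(path).lower()
        # setup.exe is a common legitimate name: flag only at a drive/share root
        if base in ROOT_DROPS and ntpath.dirname(rest) == "\\":
            findings.append(("root-drop", path))
        if base == PAYLOAD:
            findings.append(("payload", path))
    for path, size in current.items():
        old = baseline.get(path)
        if old is not None and path.lower().endswith(".exe") and size - old == GROWTH:
            findings.append(("size-growth", path))
    return findings

# Constructed sample data (hypothetical host, not from the original page).
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "FuckJacks", r"%SYSTEM%\FuckJacks.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "svohost", r'"C:\WINDOWS\system32\FuckJacks.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_PATHS = [r"C:\setup.inf", r"\\fileserver\public\GameSetup.exe",
                r"C:\Installers\setup.exe", r"C:\WINDOWS\system32\FuckJacks.exe"]
SAMPLE_BASELINE = {r"C:\Tools\putty.exe": 454656, r"C:\Tools\notes.exe": 100000}
SAMPLE_CURRENT = {r"C:\Tools\putty.exe": 454656 + GROWTH, r"C:\Tools\notes.exe": 100512}

if __name__ == "__main__":
    for symptom, detail in triage(SAMPLE_RUN, SAMPLE_PATHS, SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(symptom, detail)
```

The size check needs a file inventory taken before infection; without one, only the registry and file-name symptoms can be evaluated.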

 

Method of Infection

W32/Fujacks.a is a parasitic file infector that can spread over network drives and shared folders. It also has a downloader component that installs additional malware on the infected machine.

 

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Fujacks.a is a worm that infects all .exe files and spreads over network shares and removable devices.
It might also attempt to download additional malware onto the infected machine.

Aliases

  • PE_QQROB.APZ (Trend Micro)
  • Trojan-PSW.Win32.QQRob.ec (Kaspersky)
  • W32.Fujacks.A (Symantec)
