W32/Fujacks.worm

Type: Virus
SubType: Worm
Discovery Date: 12/28/2006
Length: varies
Minimum DAT: 4928 (12/28/2006)
Updated DAT: 5814 (11/26/2009)
Minimum Engine: 5.3.00
Description Added: 12/28/2006
Description Modified: 11/25/2009 10:10 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Overview

The W32/Fujacks.worm attempts to infect files on the victim's system and tries to download additional trojans from a remote website.

Aliases

  • Net-Worm.Win32.Piloyd.n (Kaspersky)
  • Net-Worm.Win32.Piloyd.n (VBA32)
  • Trj/Downloader.MDW (Panda)
  • Trojan-Downloader.Win32.Jadtre (Ikarus)
  • TrojanDownloader:Win32/Jadtre.A (Microsoft)
  • W32.Fujacks.B (Symantec)
  • W32/Dloader.N!worm.im (Fortinet)
  • Win32/AutoRun.AntiAV.P (Nod32)
  • Win32/Piloyd.worm.43520 (Ahnlab)
  • Worm.Piloyd.F (VirusBuster)
  • Worm/Piloyd.N.7 (Avira)
  • WORM_PILOYD.A (Trend Micro)

Characteristics

-- Update November 25th, 2009--

A new variant of W32/Fujacks.worm was identified with some new characteristics. This variant is installed as a hidden service on the infected system. The following activities were observed:

Disables Safe boot and Network boot modes.

Creates the following files:

  • C:\WINDOWS\system32\dllcache\lsasvc.dll
  • C:\WINDOWS\system32\[random_name].dll
  • %TEMP%\Loopt.bat

where %TEMP% points to the temporary folder of the logged-on user.

This variant also drops a rootkit component to a file named %WINDOWS%\Temp\nthid.sys and executes it as a service. The file is deleted after it has run. We detect this rootkit as W32/Fujacks!rootkit.

[random_name].dll is the hidden service; it checks for the existence of lsasvc.dll and the rootkit component and drops them again if they are not running.

Creates the following registry key so that the service restarts on reboot:

  • HKLM\SYSTEM\CurrentControlSet\Services\[random_name]

where [random_name] is the same name as the file created above.

Creates the following named pipes:

  • \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
  • \\.\NtHid

These pipes are used to communicate with lsasvc.dll and the rootkit component.

Modifies the content of %SYSTEM32%\drivers\etc\hosts to the following:

127.0.0.1  localhost

-- Update January 17th, 2007--

W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for this new variant on January 17, 2007, which includes coverage for the threat described in the article listed below.

This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chinadaily.com.cn/citylife/2007-01/17/content_785644.htm
--

Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.

Creates the following files in all drives:

  • autorun.inf
  • setup.exe

Creates Desktop_.ini in all folders.

Adds the following value to the registry so that it starts automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"

Terminates processes containing the following strings:

  • VirusScan
  • NOD32
  • Symantec AntiVirus
  • Duba
  • esteem procs
  • System Safety Monitor
  • Wrapped gift Killer
  • Winsock Expert
  • msctls_statusbar32
  • pjf(ustc)
  • IceSword

Terminates the following processes:

  • Mcshield.exe
  • VsTskMgr.exe
  • naPrdMgr.exe
  • UpdaterUI.exe
  • TBMon.exe
  • scan32.exe
  • Ravmond.exe
  • CCenter.exe
  • RavTask.exe
  • Rav.exe
  • Ravmon.exe
  • RavmonD.exe
  • RavStub.exe
  • KVXP.kxp
  • KvMonXP.kxp
  • KVCenter.kxp
  • KVSrvXP.exe
  • KRegEx.exe
  • UIHost.exe
  • TrojDie.kxp
  • FrogAgent.exe
  • Logo1_.exe
  • Logo_1.exe
  • Rundl132.exe

Terminates the following services:

  • KVWSC
  • KVSrvXP
  • kavsvc
  • AVP
  • McAfeeFramework
  • McShield
  • McTaskManager
  • McAfeeFramework
  • navapsvc
  • wscsvc
  • KPfwSvc
  • SNDSrvc
  • ccProxy
  • ccEvtMgr
  • ccSetMgr
  • SPBBCSvc
  • Symantec Core LC
  • Schedule
  • sharedaccess
  • RsCCenter
  • RsRavMon
  • NPFMntor
  • MskService
  • FireSvc

Deletes the following Registry entries:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "Show hidden files and folders" option in Folder Options by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares using the following passwords:

  • admin$
  • 1234
  • password
  • 6969
  • harley
  • 123456
  • golf
  • pussy
  • mustang
  • 1111
  • shadow
  • 1313
  • fish
  • 5150
  • 7777
  • qwerty
  • baseball
  • 2112
  • letmein
  • 12345678
  • 12345
  • ccc
  • admin
  • 5201314
  • qq520
  • 123
  • 1234567
  • 123456789
  • 654321
  • 54321
  • 111
  • 000000
  • abc
  • 11111111
  • 88888888
  • pass
  • passwd
  • database
  • abcd
  • abc123
  • sybase
  • 123qwe
  • server
  • computer
  • 520
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • 2002
  • 2003
  • 2600
  • alpha
  • 110
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • 007
  • aaa
  • patrick
  • pat
  • administrator
  • root
  • sex
  • god
  • fuckyou
  • fuck
  • test
  • test123
  • temp
  • temp123
  • win
  • asdf
  • pwd
  • qwer
  • yxcv
  • zxcv
  • home
  • xxx
  • owner
  • login
  • Login
  • pw123
  • love
  • mypc
  • mypc123
  • admin123
  • mypass
  • mypass123
  • 901100
  • Administrator
  • Guest
  • admin
  • Root

Deletes files with the .gho extension from all local partitions except the C: drive.

Infects all .htm, .html, .asp, .php, .jsp and .aspx files. We detect the infected files as W32/Fujacks!htm.
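The PowerShell script below is an added host-triage example, not McAfee's code or part of the original description: it reads the artefacts listed above (dropped files, the svcshare Run value, the SHOWALL setting, autorun.inf/setup.exe pairs on each drive, Desktop_.ini markers, the two named pipes and the hosts file) from the local machine and reports matches without changing anything. It assumes $env:SystemRoot and $env:TEMP stand in for %WINDOWS%/%SYSTEM% and %TEMP%; the random service and DLL names of the 2009 variant cannot be matched by name and are not checked.

```powershell
# Added triage script (not McAfee's code): reports W32/Fujacks.worm artefacts from
# this description on the local host. Read-only; run from an elevated prompt.
$hits = @()
$sys = Join-Path $env:SystemRoot 'system32'   # assumption: %SYSTEM% == %SystemRoot%\system32

# 2007 variant: dropped copy, Run value, hidden-files setting
$dropped = Join-Path $sys 'drivers\spoclsv.exe'
if (Test-Path $dropped) { $hits += "dropped copy present: $dropped" }

$run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svcshare']) { $hits += "Run value svcshare = $($run.svcshare)" }

$showall = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($showall -and $showall.CheckedValue -eq 0) { $hits += 'SHOWALL\CheckedValue is 0 (show hidden files disabled)' }

# Every drive root: autorun.inf beside setup.exe, and Desktop_.ini markers in folders
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $root = $d.Root
    if ((Test-Path (Join-Path $root 'autorun.inf')) -and (Test-Path (Join-Path $root 'setup.exe'))) {
        $hits += "autorun.inf + setup.exe pair at $root"
    }
    $inis = Get-ChildItem -Path $root -Filter 'Desktop_.ini' -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object -First 5
    foreach ($f in $inis) { $hits += "Desktop_.ini marker: $($f.FullName)" }
}

# 2009 variant: dropped files (nthid.sys is normally deleted after use), named pipes, hosts file
foreach ($p in @((Join-Path $sys 'dllcache\lsasvc.dll'),
                 (Join-Path $env:TEMP 'Loopt.bat'),           # %TEMP% of the current user
                 (Join-Path $env:SystemRoot 'Temp\nthid.sys'))) {
    if (Test-Path $p) { $hits += "variant file present: $p" }
}
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
foreach ($n in @('96DBA249-E88E-4c47-98DC-E18E6E3E3E5A', 'NtHid')) {
    if ($pipes -match [regex]::Escape($n)) { $hits += "named pipe open: $n" }
}
# Weak indicator on its own: a default XP hosts file also contains only this line.
$hosts = @(Get-Content (Join-Path $sys 'drivers\etc\hosts') -ErrorAction SilentlyContinue |
           Where-Object { $_ -notmatch '^\s*(#|$)' })
if ($hosts.Count -eq 1 -and $hosts[0] -match '^127\.0\.0\.1\s+localhost\s*$') {
    $hits += 'hosts file contains only 127.0.0.1 localhost (matches the 2009 variant rewrite)'
}

if ($hits.Count -eq 0) { 'No W32/Fujacks.worm artefacts found.' } else { $hits }
```

Any hit other than the hosts-file line alone is a strong signal; a clean run does not prove the absence of the hidden service, since its name is random.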

Symptoms

Method of Infection

W32/Fujacks.worm is a file infector that can spread over network drives and shared folders. Infected HTML files can download the file infector when opened in a browser.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

    N/A