Content
W32/Fujacks.worm
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 12/28/2006
- Length
- varies
- Minimum DAT
- 4928 (12/28/2006)
- Updated DAT
- 5347 (07/25/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 12/28/2006
- Description Modified
- 01/21/2007 3:52 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update January 17th, 2007--
The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for a this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below.
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chinadaily.com.cn/citylife/2007-01/17/content_785644.htm
--
Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.
Creates the following files in all drives:
- autorun.inf
- setup.exe
Creates Destop_.ini in all folders.
Adds the following values to the registry to auto start itself when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"
Terminates processes containing strings:
- VirusScan
- NOD32
- Symantec AntiVirus
- Duba
- esteem procs
- System Safety Monitor
- Wrapped gift Killer
- Winsock Expert
- msctls_statusbar32
- pjf(ustc)
- IceSword
Terminates the following processes:
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- Logo1_.exe
- Logo_1.exe
- Rundl132.exe
Terminates the following Services:
- KVWSC
- KVSrvXP
- kavsvc
- AVP
- McAfeeFramework
- McShield
- McTaskManager
- McAfeeFramework
- navapsvc
- wscsvc
- KPfwSvc
- SNDSrvc
- ccProxy
- ccEvtMgr
- ccSetMgr
- SPBBCSvc
- Symantec Core LC
- Schedule
- sharedaccess
- RsCCenter
- RsRavMon
- NPFMntor
- MskService
- FireSvc
Deletes the following Registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
Disables the show hidden file options in folder options using the following registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
It tries to copy itself to network shares using following passwords:
- admin$
- 1234
- password
- 6969
- harley
- 123456
- golf
- pussy
- mustang
- 1111
- shadow
- 1313
- fish
- 5150
- 7777
- qwerty
- baseball
- 2112
- letmein
- 12345678
- 12345
- ccc
- admin
- 5201314
- qq520
- 123
- 1234567
- 123456789
- 654321
- 54321
- 111
- 000000
- abc
- 11111111
- 88888888
- pass
- passwd
- database
- abcd
- abc123
- sybase
- 123qwe
- server
- computer
- 520
- super
- 123asd
- ihavenopass
- godblessyou
- enable
- 2002
- 2003
- 2600
- alpha
- 110
- 111111
- 121212
- 123123
- 1234qwer
- 123abc
- 007
- aaa
- patrick
- pat
- administrator
- root
- sex
- god
- fuckyou
- fuck
- test
- test123
- temp
- temp123
- win
- asdf
- pwd
- qwer
- yxcv
- zxcv
- home
- xxx
- owner
- login
- Login
- pw123
- love
- mypc
- mypc123
- admin123
- mypass
- mypass123
- 901100
- Administrator
- Guest
- admin
- Root
Deletes files with .gho extensions from local partitions except c drive.
Infects all the htm, html, asp, php, jsp, aspx files. We detect the infected files as W32/Fujacks!htm.
Symptoms
Method of Infection
W32/Fujacks.worm is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in browser.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
Variants
N/A
All Information
Overview -
The W32/Fujacks.worm attempts to infect files on the victim's system and tries to download additional trojans from a remote website.
Aliases
- PE_FUJACKS.E-O (Trend Micro)
- W32.Fujacks.B (Symantec)
- Worm.Win32.Delf.bd (Kaspersky)
Characteristics
Characteristics -
-- Update January 17th, 2007--
The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for a this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below.
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chinadaily.com.cn/citylife/2007-01/17/content_785644.htm
--
Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.
Creates the following files in all drives:
- autorun.inf
- setup.exe
Creates Destop_.ini in all folders.
Adds the following values to the registry to auto start itself when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"
Terminates processes containing strings:
- VirusScan
- NOD32
- Symantec AntiVirus
- Duba
- esteem procs
- System Safety Monitor
- Wrapped gift Killer
- Winsock Expert
- msctls_statusbar32
- pjf(ustc)
- IceSword
Terminates the following processes:
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- Logo1_.exe
- Logo_1.exe
- Rundl132.exe
Terminates the following Services:
- KVWSC
- KVSrvXP
- kavsvc
- AVP
- McAfeeFramework
- McShield
- McTaskManager
- McAfeeFramework
- navapsvc
- wscsvc
- KPfwSvc
- SNDSrvc
- ccProxy
- ccEvtMgr
- ccSetMgr
- SPBBCSvc
- Symantec Core LC
- Schedule
- sharedaccess
- RsCCenter
- RsRavMon
- NPFMntor
- MskService
- FireSvc
Deletes the following Registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
Disables the show hidden file options in folder options using the following registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
It tries to copy itself to network shares using following passwords:
- admin$
- 1234
- password
- 6969
- harley
- 123456
- golf
- pussy
- mustang
- 1111
- shadow
- 1313
- fish
- 5150
- 7777
- qwerty
- baseball
- 2112
- letmein
- 12345678
- 12345
- ccc
- admin
- 5201314
- qq520
- 123
- 1234567
- 123456789
- 654321
- 54321
- 111
- 000000
- abc
- 11111111
- 88888888
- pass
- passwd
- database
- abcd
- abc123
- sybase
- 123qwe
- server
- computer
- 520
- super
- 123asd
- ihavenopass
- godblessyou
- enable
- 2002
- 2003
- 2600
- alpha
- 110
- 111111
- 121212
- 123123
- 1234qwer
- 123abc
- 007
- aaa
- patrick
- pat
- administrator
- root
- sex
- god
- fuckyou
- fuck
- test
- test123
- temp
- temp123
- win
- asdf
- pwd
- qwer
- yxcv
- zxcv
- home
- xxx
- owner
- login
- Login
- pw123
- love
- mypc
- mypc123
- admin123
- mypass
- mypass123
- 901100
- Administrator
- Guest
- admin
- Root
Deletes files with .gho extensions from local partitions except c drive.
Infects all the htm, html, asp, php, jsp, aspx files. We detect the infected files as W32/Fujacks!htm.
Symptoms
Symptoms -
Method of Infection
Method of Infection -
W32/Fujacks.worm is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in browser.
Removal -
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
