W32/Fujacks.ab
- Type: Virus
- SubType: Worm
- Discovery Date: 04/07/2007
- Length: varies
- Minimum DAT: 5004 (04/09/2007)
- Updated DAT: 5327 (06/27/2008)
- Minimum Engine: 5.1.00
- Description Added: 04/07/2007
- Description Modified: 04/07/2007 5:01 PM (PT)
Overview
W32/Fujacks.ab is a worm that infects PE executable files and spreads over network shares and removable devices. It also infects web pages by inserting malicious hyperlinks pointing to the Windows ANI exploit. It might also attempt to download additional malware onto the infected machine.
Aliases
- Trojan-Downloader.Win32.Agent.bhd (Kaspersky)
Characteristics
W32/Fujacks.ab is a worm that infects .exe files and spreads over network shares and removable devices. It also infects web pages by inserting malicious hyperlinks pointing to the Windows ANI exploit.
Upon execution, the worm creates a copy of itself as \%system%\Death.exe and drops the following files, which are detected as Tool-PassList and Generic Downloader trojans:
- \%system%\Supervise.exe
- \%root%\pass.dic
Malicious hyperlinks are appended to web pages; these eventually point to the following site(s) hosting the exploit:
- http://1.520sb.cn/[HIDDEN]
More information on the Windows ANI vulnerability is available at:
It creates the following registry value so that it is started at boot time:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Death.exe = "\%system%\Death.exe"
Terminates processes containing the following strings:
- Symantec AntiVirus
- KV2006
- RavMon.exe
- ZoneAlarm
- VirusScan
- Symantec AntiVirus
- Wrapped gift Killer
- IceSword
Terminates the following processes:
- EGHOST.EXE
- MAILMON.EXE
- KAVPFW.EXE
- IPARMOR.EXE
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPM.EXE
- AVP.EXE
- NAVAPW32.EXE
- NAVW32.EXE
- nod32kui.exe
- nod32kru.exe
- PFW.exe
- Kfw.exe
- KAVPFW.exe
- vsmon.exe
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- Logo1_.exe
- Logo_1.exe
- Rundl132.exe
- runiep.exe
It may copy itself to network shares using the passwords listed in pass.dic, which it drops.
It might also attempt to download other malware, such as password-stealing trojans, onto the compromised machine from:
- http://risb520.3322.org/gow/[REMOVED]
Symptoms
- Presence of files and registry entries as mentioned
- Increase in size of executable files
- Network activity as mentioned
- Web pages inserted with suspicious IFRAME blocks
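The "suspicious IFRAME blocks" and appended hyperlinks listed above are the web-side symptom a defender can check for directly. The following is an added example (not part of the advisory and not AVERT code) that scans HTML for iframe or anchor tags whose target is one of the two hosts named on this page, and flags whether the tag sits after the closing </html>, where appended injections land. The sample pages are constructed for the example.

```python
import re

# Indicator hosts taken from the advisory (exploit host and downloader host).
FUJACKS_DOMAINS = ("1.520sb.cn", "risb520.3322.org")

# Match <iframe ...> or <a ...> tags and capture their src/href target.
_TAG_RE = re.compile(
    r"<(iframe|a)\b[^>]*?\b(?:src|href)\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE,
)


def _host_of(url):
    """Strip scheme, path and port from a URL and return the lowercase host."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/")[0].split(":")[0].lower()


def find_injected_links(html, domains=FUJACKS_DOMAINS):
    """Return (tag, url, after_html_close) for every iframe/anchor whose host
    is, or is a subdomain of, a listed indicator domain.  after_html_close is
    True when the tag appears after the last </html>, the usual position for
    content appended by a file infector."""
    end = html.lower().rfind("</html>")
    hits = []
    for m in _TAG_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(2)
        host = _host_of(url)
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((tag, url, end != -1 and m.start() > end))
    return hits


def is_suspicious(html):
    return bool(find_injected_links(html))


# Constructed sample pages: a clean page and the same page with an appended iframe.
CLEAN_PAGE = '<html><body><a href="http://example.com/">home</a></body></html>\n'
INFECTED_PAGE = CLEAN_PAGE + '<iframe src="http://1.520sb.cn/mm" width=0 height=0></iframe>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_injected_links(page))
```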
Method of Infection
W32/Fujacks.ab is a parasitic file infector that can spread over network drives and shared folders. It may also infect web pages to point to the ANI exploit and download newer variants. It also has a downloader component that installs additional malware on the infected machine.
W32/Fujacks.ab is also known to be downloaded by exploits hosted on the web page(s) at the following location(s), which are detected as Exploit-ObscuredHtml and JS/Exploit-BO.gen:
- http://1.520sb.cn/mm
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
N/A