Virus :W32/Fujacks.worm

**Anilrgowda** · 22-Jan-2007, 09:46 AM

Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 12/28/2006 Date Added: 12/28/2006 Origin: N/A Length: varies Type: Virus SubType: Worm DAT Required: 4928 Virus Characteristics

-- Update January 17th, 2007--
The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for a this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below.
This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chinadaily.com.cn/citylife/2007-01/17/content_785644.htm
--
Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.
Creates the following files in all drives:

autorun.inf
setup.exe

Creates Destop_.ini in all folders.
Adds the following values to the registry to auto start itself when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"
Terminates processes containing strings:

VirusScan
NOD32
Symantec AntiVirus
Duba
esteem procs
System Safety Monitor
Wrapped gift Killer
Winsock Expert
msctls_statusbar32
pjf(ustc)
IceSword

Terminates the following processes:

Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe

Terminates the following Services:

KVWSC
KVSrvXP
kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
McAfeeFramework
navapsvc
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
Schedule
sharedaccess
RsCCenter
RsRavMon
NPFMntor
MskService
FireSvc

Deletes the following Registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavT ask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMo nXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVP ersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAf eeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netw ork Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShSt atEXE
Disables the show hidden file options in folder options using the following registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
It tries to copy itself to network shares using following passwords:

admin$
1234
password
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
123
1234567
123456789
654321
54321
111
000000
abc
11111111
88888888
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
520
super
123asd
ihavenopass
godblessyou
enable
2002
2003
2600
alpha
110
111111
121212
123123
1234qwer
123abc
007
aaa
patrick
pat
administrator
root
sex
god
fuckyou
fuck
test
test123
temp
temp123
win
asdf
pwd
qwer
yxcv
zxcv
home
xxx
owner
login
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123
901100
Administrator
Guest
admin
Root

Deletes files with .gho extensions from local partitions except c drive.
Infects all the htm, html, asp, php, jsp, aspx files. We detect the infected files as W32/Fujacks!htm.

Method of Infection

W32/Fujacks.worm is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in browser.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations

Aliases

PE_FUJACKS.E-O (Trend Micro), W32.Fujacks.B (Symantec), Worm.Win32.Delf.bd (Kaspersky)

22-Jan-2007, 09:46 AM	#1 (permalink)
Anilrgowda Administrator Posts: 18,715 Join Date: Jan 2006 Rep Power: 10 IM:	Virus :W32/Fujacks.worm Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 12/28/2006 Date Added: 12/28/2006 Origin: N/A Length: varies Type: Virus SubType: Worm DAT Required: 4928 Virus Characteristics -- Update January 17th, 2007-- The W32/Fujacks.worm was first discovered on December 28, 2006. Detection was added for a this new variant on January 17, 2007, which includes coverage for the threat specified in the article listed below. This threat is considered to be a Low-Profiled risk due to media attention at: http://www.chinadaily.com.cn/citylife/2007-01/17/content_785644.htm -- Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there. Creates the following files in all drives: autorun.inf setup.exe Creates Destop_.ini in all folders. Adds the following values to the registry to auto start itself when Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run "svcshare" = "%SYSTEM%\drivers\spoclsv.exe" Terminates processes containing strings: VirusScan NOD32 Symantec AntiVirus Duba esteem procs System Safety Monitor Wrapped gift Killer Winsock Expert msctls_statusbar32 pjf(ustc) IceSword Terminates the following processes: Mcshield.exe VsTskMgr.exe naPrdMgr.exe UpdaterUI.exe TBMon.exe scan32.exe Ravmond.exe CCenter.exe RavTask.exe Rav.exe Ravmon.exe RavmonD.exe RavStub.exe KVXP.kxp KvMonXP.kxp KVCenter.kxp KVSrvXP.exe KRegEx.exe UIHost.exe TrojDie.kxp FrogAgent.exe Logo1_.exe Logo_1.exe Rundl132.exe Terminates the following Services: KVWSC KVSrvXP kavsvc AVP McAfeeFramework McShield McTaskManager McAfeeFramework navapsvc wscsvc KPfwSvc SNDSrvc ccProxy ccEvtMgr ccSetMgr SPBBCSvc Symantec Core LC Schedule sharedaccess RsCCenter RsRavMon NPFMntor MskService FireSvc Deletes the following Registry entries: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavT ask SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMo nXP SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVP ersonal50 SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAf eeUpdaterUI SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netw ork Associates Error Reporting Service SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShSt atEXE Disables the show hidden file options in folder options using the following registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue" = "00000000" It tries to copy itself to network shares using following passwords: admin$ 1234 password 6969 harley 123456 golf pussy mustang 1111 shadow 1313 fish 5150 7777 qwerty baseball 2112 letmein 12345678 12345 ccc admin 5201314 qq520 123 1234567 123456789 654321 54321 111 000000 abc 11111111 88888888 pass passwd database abcd abc123 sybase 123qwe server computer 520 super 123asd ihavenopass godblessyou enable 2002 2003 2600 alpha 110 111111 121212 123123 1234qwer 123abc 007 aaa patrick pat administrator root sex god fuckyou fuck test test123 temp temp123 win asdf pwd qwer yxcv zxcv home xxx owner login Login pw123 love mypc mypc123 admin123 mypass mypass123 901100 Administrator Guest admin Root Deletes files with .gho extensions from local partitions except c drive. Infects all the htm, html, asp, php, jsp, aspx files. We detect the infected files as W32/Fujacks!htm. Method of Infection W32/Fujacks.worm is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in browser. Removal Instructions A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files. Additional Windows ME/XP removal considerations Aliases PE_FUJACKS.E-O (Trend Micro), W32.Fujacks.B (Symantec), Worm.Win32.Delf.bd (Kaspersky)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)