W32/Fujacks.a

Upon execution, the worm drops a copy of itself in %SYSTEM% folder and executes from there.

Creates the following files in root directory:

• setup.inf
• setup.exe
• GameSetup.exe

It copies itself in startup folders to make sure it runs at windows startup.

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"FuckJacks" = "%SYSTEM%\FuckJacks.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svohost" = "%SYSTEM%\FuckJacks.exe"

Terminates processes containing strings:

• QQKav
• QQAV
• VirusScan
• Symantec AntiVirus
• iDuba
• esteem procs
• Wrapped gift Killer
• Winsock Expert
• msctls_statusbar32
• pjf(ustc)
• IceSword

Terminates the following processes:

• Mcshield.exe
• VsTskMgr.exe
• naPrdMgr.exe
• UpdaterUI.exe
• TBMon.exe
• scan32.exe
• Ravmond.exe
• CCenter.exe
• RavTask.exe
• Rav.exe
• Ravmon.exe
• RavmonD.exe
• RavStub.exe
• KVXP.kxp
• KvMonXP.kxp
• KVCenter.kxp
• KVSrvXP.exe
• KRegEx.exe
• UIHost.exe
• TrojDie.kxp
• FrogAgent.exe
• Logo1_.exe
• Logo_1.exe
• Rundl123.exe

Terminates the following Services:

• KVWSC
• KVSrvXP
• KVWSC
• KVSrvXP
• kavsvc
• AVP
• AVP
• kavsvc
• McAfeeFramework
• McShield
• McTaskManager
• McAfeeFramework
• McShield
• McTaskManager
• navapsvc
• wscsvc
• KPfwSvc
• SNDSrvc
• ccProxy
• ccEvtMgr
• ccSetMgr
• SPBBCSvc
• Symantec Core LC
• NPFMntor
• MskService
• FireSvc

Deletes the following Registry entries:

• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
• SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse

It tries to copy itself to network shares using following passwords:

• admin$
• 1234
• password
• 6969
• harley
• 123456
• golf
• pussy
• mustang
• 1111
• shadow
• 1313
• fish
• 5150
• 7777
• qwerty
• baseball
• 2112
• letmein
• 12345678
• 12345
• ccc
• admin
• 5201314
• qq520
• 123
• 1234567
• 123456789
• 654321
• 54321
• 111
• 000000
• abc
• 11111111
• 88888888
• pass
• passwd
• database
• abcd
• abc123
• sybase
• 123qwe
• server
• computer
• 520
• super
• 123asd
• ihavenopass
• godblessyou
• enable
• 2002
• 2003
• 2600
• alpha
• 110
• 111111
• 121212
• 123123
• 1234qwer
• 123abc
• 007
• aaa
• patrick
• pat
• administrator
• root
• sex
• god
• foobar
• secret
• test
• test123
• temp
• temp123
• win
• asdf
• pwd
• qwer
• yxcv
• zxcv
• home
• xxx
• owner
• login
• Login
• pw123
• love
• mypc
• mypc123
• admin123
• mypass
• mypass123
• 901100

It might also attempt to download other malware components on infected machine.

1. Presence of one or more of the following file(s):
• %Windir%\System32\FuckJacks.exe
2. Presence of one or more of the following file(s) residing in root directory of system drive or network shared folders:
• setup.exe
• setup.inf
• GameSetup.exe
3. Executable files grow by 30,465 bytes.

W32/Fujacks.a is a parasitic file infector that can spread over network drives and shared folders. It also has a downloader component that installs additional malware on the infected machine.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.