W32/Fujacks.a

This page shows details and results of our analysis on the malware W32/Fujacks.a

Overview

W32/Fujacks.a is worm that infects all .exe files and spreads over network shares and removable devices.
It might also attempt to download additional malware on the infected machine.


Minimum Engine

5600.1067

File Length

30,465

Description Added

2006-11-16

Description Modified

2006-11-16

Malware Proliferation

Characteristics

Upon execution, the worm drops a copy of itself in %SYSTEM% folder and executes from there.


Creates the following files in root directory:

  • setup.inf
  • setup.exe
  • GameSetup.exe

It copies itself in startup folders to make sure it runs at windows startup.

Adds the following values to the registry to auto start itself when Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"FuckJacks" = "%SYSTEM%\FuckJacks.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"svohost" = "%SYSTEM%\FuckJacks.exe"


Terminates processes containing strings:

  • QQKav
  • QQAV
  • VirusScan
  • Symantec AntiVirus
  • iDuba
  • esteem procs
  • Wrapped gift Killer
  • Winsock Expert
  • msctls_statusbar32
  • pjf(ustc)
  • IceSword


Terminates the following processes:

  • Mcshield.exe
  • VsTskMgr.exe
  • naPrdMgr.exe
  • UpdaterUI.exe
  • TBMon.exe
  • scan32.exe
  • Ravmond.exe
  • CCenter.exe
  • RavTask.exe
  • Rav.exe
  • Ravmon.exe
  • RavmonD.exe
  • RavStub.exe
  • KVXP.kxp
  • KvMonXP.kxp
  • KVCenter.kxp
  • KVSrvXP.exe
  • KRegEx.exe
  • UIHost.exe
  • TrojDie.kxp
  • FrogAgent.exe
  • Logo1_.exe
  • Logo_1.exe
  • Rundl123.exe


Terminates the following Services:

  • KVWSC
  • KVSrvXP
  • KVWSC
  • KVSrvXP
  • kavsvc
  • AVP
  • AVP
  • kavsvc
  • McAfeeFramework
  • McShield
  • McTaskManager
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • wscsvc
  • KPfwSvc
  • SNDSrvc
  • ccProxy
  • ccEvtMgr
  • ccSetMgr
  • SPBBCSvc
  • Symantec Core LC
  • NPFMntor
  • MskService
  • FireSvc


Deletes the following Registry entries:

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse


It tries to copy itself to network shares using following passwords:

  • admin$
  • 1234
  • password
  • 6969
  • harley
  • 123456
  • golf
  • pussy
  • mustang
  • 1111
  • shadow
  • 1313
  • fish
  • 5150
  • 7777
  • qwerty
  • baseball
  • 2112
  • letmein
  • 12345678
  • 12345
  • ccc
  • admin
  • 5201314
  • qq520
  • 123
  • 1234567
  • 123456789
  • 654321
  • 54321
  • 111
  • 000000
  • abc
  • 11111111
  • 88888888
  • pass
  • passwd
  • database
  • abcd
  • abc123
  • sybase
  • 123qwe
  • server
  • computer
  • 520
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • 2002
  • 2003
  • 2600
  • alpha
  • 110
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • 007
  • aaa
  • patrick
  • pat
  • administrator
  • root
  • sex
  • god
  • foobar
  • secret
  • test
  • test123
  • temp
  • temp123
  • win
  • asdf
  • pwd
  • qwer
  • yxcv
  • zxcv
  • home
  • xxx
  • owner
  • login
  • Login
  • pw123
  • love
  • mypc
  • mypc123
  • admin123
  • mypass
  • mypass123
  • 901100

It might also attempt to download other malware components on infected machine.


 

Symptoms

  1. Presence of one or more of the following file(s):
    • %Windir%\System32\FuckJacks.exe
  2. Presence of one or more of the following file(s) residing in root directory of system drive or network shared folders:
    • setup.exe
    • setup.inf
    • GameSetup.exe
  3. Executable files grow by 30,465 bytes.

 

Method of Infection

W32/Fujacks.a is a parasitic file infector that can spread over network drives and shared folders. It also has a downloader component that installs additional malware on the infected machine.

 

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants