W32/Fujacks.s

This page shows details and results of our analysis on the malware W32/Fujacks.s

Overview

The W32/Fujacks.s attempts to infect files on the victim's system and tries to download additional trojans from a remote website.


Minimum DAT: 4940 (2007-01-16)

Updated DAT: 4951 (2007-01-29)

Minimum Engine: 5400.1158

File Length: 244 kb

Description Added: 2007-01-16

Description Modified: 2008-01-08

Malware Proliferation

Characteristics

--- Update January 8, 2008 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.

The W32/Fujacks.s attempts to infect files on the victim's system and tries to download additional trojans from a remote website.

Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.

Creates the following files in all drives:
setup.exe
autorun.inf

Creates Desktop__.ini in all folders.

Adds the following value to the registry so that it is started automatically when Windows starts:
Software\Microsoft\Windows\CurrentVersion\Run
"nvscv32" = "%SYSTEM%\drivers\ncscv32.exe"

Terminates processes containing the following strings:

  • VirusScan
  • Symantec AntiVirus
  • System Safety Monitor
  • System Repair Engineer
  • Wrapped gift Killer

Terminates the following processes:

  • CCenter.exe
  • FrogAgent.exe
  • KRegEx.exe
  • KVCenter.kxp
  • KvMonXP.kxp
  • KVSrvXP.exe
  • KVXP.kxp
  • Logo1_.exe
  • Logo_1.exe
  • Mcshield.exe
  • msconfig.exe
  • naPrdMgr.exe
  • nvscv32.exe
  • Rav.exe
  • Ravmon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • regedit.exe
  • Rundl132.exe
  • scan32.exe
  • spo0lsv.exe
  • spoclsv.exe
  • sppoolsv.exe
  • SREng.EXE
  • taskmgr.exe
  • TBMon.exe
  • TrojDie.kxp
  • UIHost.exe
  • UpdaterUI.exe
  • VsTskMgr.exe

Terminates the following Services:

  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • FireSvc
  • KPfwSvc
  • KVSrvXP
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • navapsvc
  • NPFMntor
  • RsCCenter
  • RsRavMon
  • Schedule
  • sharedaccess
  • SNDSrvc
  • SPBBCSvc
  • Symantec Core LC
  • wscsvc

Deletes the following Registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "Show hidden files" option in Folder Options by setting the following registry value:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares using the following passwords:
admin$
0
000000
007
1
110111111
111
1111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
1313fish
2002
2003
2112
2600
5150
520
5201314
54321
654321
6969
7777
88888888
901100
a
aaa
abc
abc123
abcd
admin
admin123
Administrator
alpha
asdf
baseball
ccc
computer
database
enable
fuck
fuckyou
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
patrickpat
pc
pussy
pw
pw123
pwd
qq520
qwer
qwerty
Root
root
server
sex
shadow
super
sybase123qwe
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv

Infects all EXE, SCR, PIF, COM, htm, html, asp, php, jsp and aspx files. We detect the infected files as W32/Fujacks!htm and W32/Fujacks.s.

Symptoms

    * Presence of the mentioned file(s) and registry key(s).
    * Unexpected network connections to the mentioned website(s).
    * Executable files increase in size by ~249,856 bytes.
    * HTML files inserted with suspicious IFRAME blocks.
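The file and registry artifacts listed under Characteristics and Symptoms can be checked mechanically during triage. The script below is an added example and is not part of this description or of any McAfee tooling: it walks a directory tree (for instance a mounted share or drive image) looking for the setup.exe/autorun.inf pair at the root, Desktop__.ini markers, a spoclsv.exe dropped in a drivers folder, and web files that carry an IFRAME block, and it evaluates registry values that have already been exported into a dictionary. The sample tree it builds, the placeholder IFRAME URL, the function names and the (key, value name) dictionary layout are all assumptions made for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above. The layout of the constructed
# sample tree and the placeholder iframe URL are assumptions for this example.
DROPPED_COPY_NAME = "spoclsv.exe"            # dropped into %SYSTEM%\drivers
DROPPED_COPY_DIR = "drivers"
DRIVE_ROOT_FILES = {"setup.exe", "autorun.inf"}
FOLDER_MARKER = "desktop__.ini"              # file name exactly as given on this page
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")


def scan_tree(root) -> dict:
    """Walk a directory tree and collect the file artifacts named above.
    Returns one list of matching paths per indicator type."""
    root = Path(root)
    findings = {"drive_root": [], "folder_marker": [], "iframe": [], "dropped_copy": []}
    # setup.exe and autorun.inf together at the root of a drive
    top_level = {p.name.lower() for p in root.iterdir() if p.is_file()}
    if DRIVE_ROOT_FILES <= top_level:
        findings["drive_root"].append(str(root))
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == FOLDER_MARKER:
                findings["folder_marker"].append(str(path))
            elif lower == DROPPED_COPY_NAME and Path(dirpath).name.lower() == DROPPED_COPY_DIR:
                findings["dropped_copy"].append(str(path))
            elif path.suffix.lower() in WEB_EXTENSIONS:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if IFRAME_RE.search(text):
                    findings["iframe"].append(str(path))
    return findings


def check_registry(values: dict) -> list:
    """values maps (key path, value name) -> data, e.g. parsed from an exported
    hive. Returns a line per entry that matches what the worm writes."""
    hits = []
    run_data = values.get((RUN_KEY, "nvscv32"))
    if isinstance(run_data, str) and run_data.lower().endswith(r"\drivers\ncscv32.exe"):
        hits.append(f"Run value nvscv32 -> {run_data}")
    if values.get((SHOWALL_KEY, "CheckedValue")) in (0, "00000000"):
        hits.append("SHOWALL\\CheckedValue is 0: hidden files are not shown")
    return hits


def build_sample_tree(base) -> Path:
    """Constructed sample data (not a real capture): a fake drive root laid out
    the way the description says an infected drive looks, plus clean files."""
    base = Path(base)
    (base / "setup.exe").write_bytes(b"MZ-constructed-placeholder")
    (base / "autorun.inf").write_text("[AutoRun]\n; constructed placeholder\n")
    (base / "Desktop__.ini").write_text("")
    docs = base / "docs"
    docs.mkdir()
    (docs / "Desktop__.ini").write_text("")
    (docs / "index.htm").write_text(
        "<html><body>page text</body>"
        '<iframe src="http://PLACEHOLDER.invalid/x.htm" width=0 height=0></iframe></html>'
    )
    (docs / "clean.html").write_text("<html><body>no injection here</body></html>")
    sysdir = base / "WINDOWS" / "system32" / "drivers"
    sysdir.mkdir(parents=True)
    (sysdir / DROPPED_COPY_NAME).write_bytes(b"MZ-constructed-placeholder")
    return base


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, and return the
    findings with paths made relative to the tree root (POSIX separators)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        raw = scan_tree(root)
        return {kind: sorted(Path(p).relative_to(root).as_posix() for p in paths)
                for kind, paths in raw.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:14s} {paths}")
    print(check_registry({(RUN_KEY, "nvscv32"): r"C:\WINDOWS\system32\drivers\ncscv32.exe",
                          (SHOWALL_KEY, "CheckedValue"): 0}))
```

Point scan_tree at the root of each mounted drive or share rather than at the system folder alone, since the worm writes to every drive it can reach; a Desktop__.ini hit in a single folder is weak on its own, but the setup.exe/autorun.inf pair at a drive root together with the dropped copy under a drivers folder is the pattern worth escalating.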

Method of Infection

W32/Fujacks.s is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in a browser.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants