W32/Fujacks.z

This page shows details and results of our analysis on the malware W32/Fujacks.z

Overview

W32/Fujacks.z is a copied variant of the W32/Fujacks worm that infects PE and HTML files and spreads over network shares and removable devices. It might also attempt to download additional malware on the infected machine. This variant may also be detected as W32/Fujacks.gen.

Minimum DAT

4984 (2007-03-14)

Updated DAT

5159 (2007-11-08)

Minimum Engine

5400.1158

File Length

80,384 bytes

Description Added

2007-03-14

Description Modified

2007-03-14

Malware Proliferation

Characteristics

-- Update March 13, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://english.eastday.com/eastday/englishedition/node20676/userobject1ai2680348.html
--

When executed, W32/Fujacks.z scans for files with the following extensions. It prepends itself to PE files and inserts a malicious hyperlink into HTML-type files (detected as W32/Fujacks!htm):

  • .exe
  • .scr
  • .pif
  • .com
  • .bat
  • .htm
  • .html
  • .asp
  • .aspx
  • .asa
  • .cdx
  • .cer
  • .php
  • .jsp
  • .inc
  • .js
  • .css

It drops a copy of itself and a DLL with randomized filename(s) into:

  • %Windir%\System32\{random}.dll (W32/Fujacks.dll)
  • %Windir%\System32\{random}.exe (W32/Fujacks.z)

(Where %Windir% is the Windows folder; e.g. C:\Windows)

The DLL is injected and executed in the following running process(es):

  • Explorer.exe
  • Services.exe
  • Winlogon.exe

and a registry key is created to autostart the EXE at bootup time:

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%Windir%\System32\{Random}.exe"

When finished with these steps, it drops a hardcoded batch file into %Temp%\~Lying!.bAt to delete the original malware file:

@Echo Off
:tRy
DeL (unknown) /A
iF ExiSt (unknown) gOtO tRy
dEl %0 /A
clS

(Where %Temp% is the temporary folder; e.g. C:\Documents and Settings\{username}\Local Settings\Temp)

The injected DLL then scans the local area network for shared folders and attempts to access them using weak passwords. When successful, it copies itself onto these shared folders using one or more of the following filename(s):

  • F??kJacks.exe
  • spoclsv.exe
  • nvsv32.exe
  • svch0st.exe
  • c0nime.exe
  • iexpl0re.exe
  • Rundl132.exe
  • Logo_1.exe
  • Logo1_.exe

These files may have the following icon: [icon image]

It may also download further malware from the following website(s):

  • hxxp://www.love{blocked}.info/{blocked}.txt

At the time of writing, this URL is unavailable.

Symptoms

  • Presence of the mentioned file(s) and registry key(s).
  • Presence of files with the mentioned icon.
  • Unexpected network connections to the mentioned website(s).
  • Executable files increase in size by ~80,384 bytes.
  • HTML files inserted with suspicious IFRAME blocks.
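As an added triage example (not McAfee's tooling or code from this description), the following Python script checks two of the symptoms above offline: filenames matching the share-copy names the worm uses, and IFRAME tags inside the HTML-type extensions it modifies. The directory it scans is constructed inline for the demonstration, and example.invalid is a placeholder host.

```python
# Added example: offline triage for two W32/Fujacks.z indicators listed above.
import os
import re
import tempfile

# Copy names from the description; '?' in "F??kJacks.exe" is kept as a wildcard.
DROP_NAMES = ["F??kJacks.exe", "spoclsv.exe", "nvsv32.exe", "svch0st.exe",
              "c0nime.exe", "iexpl0re.exe", "Rundl132.exe", "Logo_1.exe", "Logo1_.exe"]
DROP_NAME_RE = re.compile(
    "^(" + "|".join(re.escape(n).replace(r"\?", ".") for n in DROP_NAMES) + ")$", re.I)

# Extensions the worm treats as HTML-type targets.
HTML_EXTS = {".htm", ".html", ".asp", ".aspx", ".asa", ".cdx", ".cer",
             ".php", ".jsp", ".inc", ".js", ".css"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for everything under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if DROP_NAME_RE.match(name):
                findings.append((rel, "name matches Fujacks share-copy filename"))
            if os.path.splitext(name)[1].lower() in HTML_EXTS:
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # tolerate any byte sequence
                for m in IFRAME_RE.finditer(text):
                    findings.append((rel, "IFRAME tag: " + m.group(0)[:60]))
    return sorted(findings)


def build_sample_tree():
    """Constructed demo tree: a clean page, an injected page and a drop-name file."""
    root = tempfile.mkdtemp(prefix="fujacks_demo_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>clean</body></html>")
    with open(os.path.join(root, "about.htm"), "w") as fh:  # example.invalid is a placeholder
        fh.write('<html><body>x</body></html><iframe src="http://example.invalid/a.htm" '
                 'width="0" height="0"></iframe>')
    with open(os.path.join(root, "svch0st.exe"), "wb") as fh:
        fh.write(b"MZ placeholder bytes, not a real executable")
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_tree()):
        print(rel, "-", why)
```

A size-based check (the ~80,384 byte growth of infected executables) needs a known-good baseline of file sizes or hashes and is therefore left out here.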

Method of Infection

W32/Fujacks.z is a parasitic file infector that can spread over network drives and shared folders. It also has a downloader component that installs additional malware on the infected machine.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants