W32/Fujacks.ab

This page shows details and results of our analysis on the malware W32/Fujacks.ab

Overview

W32/Fujacks.ab is a worm that infects PE executable files and spreads over network shares and removable devices. It also infects web pages by inserting malicious hyperlinks pointing to the Windows ANI exploit. It may also attempt to download additional malware onto the infected machine.



Minimum DAT

5004 (2007-04-09)

Updated DAT

5327 (2008-06-27)

Minimum Engine

5400.1158

File Length

varies

Description Added

2007-04-07

Description Modified

2007-04-07

Malware Proliferation

Characteristics


W32/Fujacks.ab is a worm that infects .exe files and spreads over network shares and removable devices. It also infects web pages by inserting malicious hyperlinks that point to the Windows ANI exploit.

Upon execution, the worm creates a copy of itself as \%system%\Death.exe and drops the following files, which are detected as Tool-PassList and Generic Downloader trojans:

    • \%system%\Supervise.exe
    • \%root%\pass.dic

Malicious hyperlinks are appended to web pages; they eventually point to the following site(s) hosting the exploit:

    • http://1.520sb.cn/[HIDDEN]

More information on the Windows ANI vulnerability at:

It creates the following registry entry to start itself at boot time:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Death.exe" = "\%system%\Death.exe"

Terminates processes whose names contain the following strings:

    • Symantec AntiVirus
    • KV2006
    • RavMon.exe
    • ZoneAlarm
    • VirusScan
    • Symantec AntiVirus
    • Wrapped gift Killer
    • IceSword

Terminates the following processes:

    • EGHOST.EXE
    • MAILMON.EXE
    • KAVPFW.EXE
    • IPARMOR.EXE
    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPM.EXE
    • AVP.EXE
    • NAVAPW32.EXE
    • NAVW32.EXE
    • nod32kui.exe
    • nod32kru.exe
    • PFW.exe
    • Kfw.exe
    • KAVPFW.exe
    • vsmon.exe
    • Mcshield.exe
    • VsTskMgr.exe
    • naPrdMgr.exe
    • UpdaterUI.exe
    • TBMon.exe
    • scan32.exe
    • Ravmond.exe
    • CCenter.exe
    • RavTask.exe
    • Rav.exe
    • Ravmon.exe
    • RavmonD.exe
    • RavStub.exe
    • KVXP.kxp
    • KvMonXP.kxp
    • KVCenter.kxp
    • KVSrvXP.exe
    • KRegEx.exe
    • UIHost.exe
    • TrojDie.kxp
    • FrogAgent.exe
    • Logo1_.exe
    • Logo_1.exe
    • Rundl132.exe
    • runiep.exe

It may copy itself to network shares using the passwords listed in the pass.dic file it drops.

It may also attempt to download other malware, such as password-stealing trojans, onto the compromised machine from:

    • http://risb520.3322.org/gow/[REMOVED]
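The host and web-page indicators listed in this section (the dropped files, the Run entry and the two hosts) can be checked offline with the script below. This is an added example, not part of the original analysis: the indicator values come from the description above, while the function names, the default %system%/%root% expansion and the "iframe appended after </html>" heuristic are this example's own assumptions. Inputs are passed in as plain Python data (a path listing, an exported Run key, a page body) so the logic runs on exports from a host rather than needing to run on it.

```python
import re

# Indicators from the description above.
DROPPED_FILES = (r"%system%\Death.exe", r"%system%\Supervise.exe", r"%root%\pass.dic")
RUN_VALUE_NAME = "Death.exe"
KNOWN_HOSTS = {"1.520sb.cn", "risb520.3322.org"}  # exploit page and download location

# Assumed defaults for a typical installation; override for other layouts.
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"
DEFAULT_ROOT_DIR = "C:\\"


def expand(path, system_dir=DEFAULT_SYSTEM_DIR, root_dir=DEFAULT_ROOT_DIR):
    """Expand the %system% and %root% placeholders used in the description."""
    return path.replace("%system%", system_dir).replace("%root%", root_dir.rstrip("\\"))


def check_dropped_files(present_paths, system_dir=DEFAULT_SYSTEM_DIR, root_dir=DEFAULT_ROOT_DIR):
    """Return the dropped-file indicators found in present_paths, an iterable of
    absolute paths (for example a directory listing exported from the host)."""
    present = {p.lower() for p in present_paths}
    expanded = [expand(f, system_dir, root_dir) for f in DROPPED_FILES]
    return [p for p in expanded if p.lower() in present]


def check_run_values(run_values):
    """run_values maps value name -> data exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Flags the persistence entry by its value name or by the executable it launches,
    so a renamed value still shows up."""
    hits = []
    for name, data in run_values.items():
        target = data.strip().strip('"').lower()
        if name.lower() == RUN_VALUE_NAME.lower() or target.endswith("\\death.exe"):
            hits.append((name, data))
    return hits


# Tags whose src/href can carry the injected link; only the host part is captured.
_REF_RE = re.compile(
    r"<(?:iframe|a|script)\b[^>]*?\b(?:src|href)\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)
# Everything after the first closing </html> tag.
_TRAILER_RE = re.compile(r"</html\s*>(.*)\Z", re.IGNORECASE | re.DOTALL)


def scan_html(html):
    """Return findings for one web page: references to the known hosts, plus any
    iframe placed after the closing </html> tag. The worm appends its links to
    pages, so an iframe in that trailer is suspicious even when it names a host
    not listed here (this trailer check is a heuristic added by the example)."""
    findings = []
    for m in _REF_RE.finditer(html):
        host = m.group(1).lower()
        if host in KNOWN_HOSTS:
            findings.append(f"reference to known host {host}")
    trailer = _TRAILER_RE.search(html)
    if trailer and re.search(r"<iframe\b", trailer.group(1), re.IGNORECASE):
        findings.append("iframe appended after </html>")
    return findings


if __name__ == "__main__":
    # Constructed sample data standing in for exports from an infected host.
    sample_page = ('<html><body>Welcome</body></html>'
                   '<iframe src="http://1.520sb.cn/mm" width=0 height=0></iframe>')
    print(check_dropped_files([r"C:\WINDOWS\system32\Death.exe", r"C:\pass.dic"]))
    print(check_run_values({"Death.exe": r'"C:\WINDOWS\system32\Death.exe"'}))
    print(scan_html(sample_page))
```

The checks deliberately match on the executable path as well as the value name, since a Run value can be renamed without changing what it launches; the HTML scan reports the host only, so the hidden part of the URL never needs to be known.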



Symptoms

  • Presence of the files and registry entries mentioned above
  • Increase in size of executable files
  • Network activity as mentioned above
  • Web pages inserted with suspicious IFRAME blocks
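The "increase in size of executable files" symptom is the trace a parasitic infector leaves when it appends its body to a host program. The script below is an added example, not part of the original analysis: it records the size and SHA-256 of every .exe under a directory as a baseline taken on a known-clean system, then compares a later snapshot and singles out executables whose hash changed while they grew. Function names and the snapshot layout are the example's own; the in-memory variant exists so the comparison can be exercised on constructed data.

```python
import hashlib
import os

EXE_SUFFIXES = (".exe",)


def fingerprint(data):
    """Size and SHA-256 of one executable's contents."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def snapshot_directory(root):
    """Fingerprint every executable under root (reads the disk). Run once on a
    known-clean system to create the baseline and again whenever checking."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    snap[path] = fingerprint(fh.read())
    return snap


def snapshot_from_bytes(files):
    """Same layout as snapshot_directory, built from a path -> bytes mapping so
    the comparison can be exercised offline on constructed data."""
    return {p: fingerprint(b) for p, b in files.items() if p.lower().endswith(EXE_SUFFIXES)}


def compare(baseline, current):
    """Report executables that differ from the baseline. A file whose hash changed
    and whose size grew is tagged 'grown', the signature of a parasitic infector
    appending its body; other hash changes are 'changed'; files absent from one
    side are 'new' or 'missing'. Unchanged files are omitted."""
    report = {}
    for path, fp in current.items():
        old = baseline.get(path)
        if old is None:
            report[path] = "new"
        elif fp["sha256"] != old["sha256"]:
            report[path] = "grown" if fp["size"] > old["size"] else "changed"
    for path in baseline:
        if path not in current:
            report[path] = "missing"
    return report


if __name__ == "__main__":
    # Constructed stand-in for two snapshots of the same directory.
    clean = snapshot_from_bytes({"C:\\app\\a.exe": b"MZ" + b"\x00" * 64})
    later = snapshot_from_bytes({"C:\\app\\a.exe": b"MZ" + b"\x00" * 64 + b"APPENDED"})
    for path, status in compare(clean, later).items():
        print(status, path)
```

The hash is what decides that a file changed; the size comparison only classifies the change, so an infector that overwrites rather than appends still shows up as 'changed'.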

Method of Infection

W32/Fujacks.ab is a parasitic file infector that can spread over network drives and shared folders. It may also infect web pages to point to the ANI exploit and download newer variants. It also has a downloader component that installs additional malware on the infected machine.

W32/Fujacks.ab is also known to be downloaded by exploits hosted on the web page(s) at the following location(s), which are detected as Exploit-ObscuredHtml and JS/Exploit-BO.gen:

    • http://1.520sb.cn/mm


Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the onscreen instructions.
6. Restart and remove the CD from the CD-ROM drive.

Variants