W32/Fujacks.ac

This page shows details and results of our analysis of the malware W32/Fujacks.ac.

Overview

W32/Fujacks.ac is a variant of the W32/Fujacks virus that infects PE and possibly HTML files with malicious hyperlinks. It spreads via floppy drives and other removable devices. It also contains downloader functionality to further download and install additional malware on the infected machine.


Minimum Engine

5600.1067

File Length

34,824 bytes

Description Added

2007-04-19

Description Modified

2007-04-29

Characteristics

Upon execution, W32/Fujacks.ac creates the following files:

C:\Program Files\Common Files\System\directdb.exe   --> Generic Downloader.ab
C:\Program Files\Common Files\System\wab32res.exe --> W32/Fujacks.ac

Creates the following autostart registry entry to launch itself at Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"EXPLORER" = "C:\Program Files\Common Files\System\wab32res.exe..."

Creates a mutex to ensure that only one instance of the virus can run on an infected computer at any time.

  • Hello Dolly

Injects itself into Notepad.exe and Iexplore.exe, so that the virus runs whenever Notepad or Internet Explorer applications are executed.

Downloads further malware from the following domains:

  • v8.cnzz.com
  • w1.love9g.com

Note: At the time of writing this description, variants of the PWS-LegMir trojan were being downloaded.

Symptoms

Existing Windows PE executable files grow in length by 34,824 bytes.

Unexpected network traffic to one or more of the following domains:

  • w1.love9g.com
  • v8.cnzz.com
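
A triage check built from the indicators on this page, as an added example (not code from the original description or from the vendor): it compares two file inventories for the 34,824-byte growth and matches the dropped-file paths, the Run key value and DNS queries. The function names, the inventory dictionaries and the three-field DNS log layout are assumptions, and all sample data is constructed.

```python
# Added example: match a host snapshot against the W32/Fujacks.ac indicators above.
# All sample data is constructed; function names and log layout are assumptions.
GROWTH = 34824                      # bytes appended to each infected PE file
DOMAINS = ("v8.cnzz.com", "w1.love9g.com")
DROP_DIR = "c:\\program files\\common files\\system\\"
DROPPED = {DROP_DIR + "directdb.exe", DROP_DIR + "wab32res.exe"}

def grown_files(baseline, current):
    """EXE paths whose size grew by exactly GROWTH between two inventories."""
    return sorted(p for p, size in current.items()
                  if p.lower().endswith(".exe")
                  and size - baseline.get(p, size) == GROWTH)

def dropped_files(current):
    """Paths matching the two files the virus drops."""
    return sorted(p for p in current if p.lower() in DROPPED)

def run_key_hits(run_values):
    """Value names in an HKCU Run key export that launch wab32res.exe."""
    return sorted(name for name, data in run_values.items()
                  if (DROP_DIR + "wab32res.exe") in data.lower())

def dns_hits(log_lines):
    """(client, qname) pairs for queries to the listed hosts or their subdomains."""
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        q = qname.lower().rstrip(".")   # normalise case and trailing root dot
        if any(q == d or q.endswith("." + d) for d in DOMAINS):
            hits.append((client, q))
    return hits

# Constructed sample data (not taken from a real host).
BASELINE = {r"C:\Apps\tool.exe": 200000, r"C:\Apps\editor.exe": 310000}
CURRENT = {r"C:\Apps\tool.exe": 234824, r"C:\Apps\editor.exe": 310512,
           r"C:\Program Files\Common Files\System\wab32res.exe": 34824}
RUN = {"EXPLORER": r"C:\Program Files\Common Files\System\wab32res.exe",
       "Updater": r"C:\Apps\updater.exe /quiet"}
DNS_LOG = ["2007-04-20T10:01:02 10.0.0.5 w1.love9g.com.",
           "2007-04-20T10:01:03 10.0.0.5 www.example.com",
           "2007-04-20T10:01:04 10.0.0.7 V8.CNZZ.COM",
           "2007-04-20T10:01:05 10.0.0.8 v8.cnzz.com.example.org"]

if __name__ == "__main__":
    print("grown:", grown_files(BASELINE, CURRENT))
    print("dropped:", dropped_files(CURRENT))
    print("run key:", run_key_hits(RUN))
    print("dns:", dns_hits(DNS_LOG))
```

An exact size delta is only a lead, since an unrelated update can produce the same growth; confirm flagged files with a scanner.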

Method of Infection

W32/Fujacks.ac is a parasitic file infector virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension. Parasitically infected files increase in size by 34,824 bytes.

The virus may also infect files with the following file extensions. These infected files are detected as W32/Fujacks!htm.

  • .asp
  • .aspx
  • .jsp
  • .htm
  • .html
  • .php

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 
