W32/Fujacks.ah

This page shows the details and results of our analysis of the malware W32/Fujacks.ah.

Overview

The virus is a Win32/PE file infector with downloading capabilities.


Minimum DAT

5057 (2007-06-20)

Updated DAT

5071 (2007-07-10)

Minimum Engine

5400.1158

File Length

Description Added

2007-06-20

Description Modified

2007-08-22

Malware Proliferation

Characteristics

When started, the malware drops one of its components into the folder:

   %%PROGRAM FILES%%\common files\microsoft shared\web folders

After this, it will set the timestamp information of the newly created file to that of the system's notepad.exe and will save the path to the original infected file into:

   %%WINDOWS FOLDER%%\debug.txt

then it will spawn the dropped component. This component will proceed to acquire enough privileges to perform its duties, then it will create a service called "Hello World!". After this, it will spawn a hidden instance of Internet Explorer and copy the file:

   %%SYSTEM FOLDER%%\notepad.exe

as:

   %%WINDOWS FOLDER%%\svchost.exe

and spawn a hidden instance of it.

The two spawned programs are used to perform the actual malicious behaviour: before terminating, the malware creates a remote thread in each program, each with a different purpose.

The remote thread created in the Internet Explorer process is responsible for downloading an updated version of the malware, along with an additional malware package, which is unpacked and launched by the other thread.

The remote thread created in the notepad/svchost process is used to perform the actual file infection. It will first replace the original infection vector with a clean version of the same file, and then launch it to trick the user into thinking that everything is normal. After this, it will proceed to unpack the malware package downloaded by the other thread, and will launch all the resulting malware. Finally, it will start recursing the available drives on the local machine, network and removable devices to find files suitable for infection, and infect them.

Symptoms

  • Existence of a service called "Hello World!"
  • Suspect activity on the local machine as the malware infects other executables
  • Suspect activity over the network as the malware downloads the additional malware package
  • Task Manager reporting the presence of an Internet Explorer process while no Internet Explorer window is visible
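The indicators above can be checked against a host inventory that has already been collected (service names, running processes with their image paths and window state, and a file listing). The following is an added example written for this page, not McAfee's code or part of the original description. The inventories it inspects are constructed for illustration, and the Internet Explorer image name iexplore.exe is an assumption; the paths mirror the %%WINDOWS FOLDER%% and %%SYSTEM FOLDER%% placeholders used above.

```python
"""Check a collected host inventory for the W32/Fujacks.ah indicators
described on this page. Added example, not McAfee's code; the sample
inventories below are constructed and iexplore.exe is assumed to be the
Internet Explorer image name.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Process:
    name: str                 # image name, e.g. "svchost.exe"
    path: str                 # full path of the image on disk
    has_visible_window: bool  # True if the process owns a visible top-level window


@dataclass
class HostInventory:
    services: List[str]       # installed service names
    processes: List[Process]  # running processes
    files: Set[str]           # full paths present on disk
    windows_folder: str = r"C:\WINDOWS"
    system_folder: str = r"C:\WINDOWS\system32"


def _win_join(folder: str, name: str) -> str:
    """Join with a backslash so the check also runs on a non-Windows analysis box."""
    return folder.rstrip("\\") + "\\" + name


def check_fujacks_indicators(inv: HostInventory) -> List[str]:
    """Return the ids of the indicators found, in a fixed order (empty list: none matched)."""
    found = []
    files = {f.lower() for f in inv.files}
    win = inv.windows_folder.lower()
    sys_ = inv.system_folder.lower()

    # Symptom: a service called "Hello World!"
    if any(s.strip().lower() == "hello world!" for s in inv.services):
        found.append("service_hello_world")

    # Characteristic: notepad.exe is copied to %WINDOWS FOLDER%\svchost.exe.
    # The legitimate svchost.exe lives in the system folder, so a copy in the
    # Windows folder itself is suspicious.
    if _win_join(win, "svchost.exe") in files:
        found.append("svchost_in_windows_folder")

    # Characteristic: %WINDOWS FOLDER%\debug.txt holds the path of the original
    # infected file. Weak on its own, but useful for locating the infection vector.
    if _win_join(win, "debug.txt") in files:
        found.append("debug_txt_in_windows_folder")

    # Symptom: an Internet Explorer process with no visible window
    if any(p.name.lower() == "iexplore.exe" and not p.has_visible_window
           for p in inv.processes):
        found.append("hidden_internet_explorer")

    # Follows from the copy above: a process named svchost.exe whose image is
    # not in the system folder (the dropped copy is spawned from %WINDOWS FOLDER%)
    if any(p.name.lower() == "svchost.exe"
           and p.path.lower().rsplit("\\", 1)[0] != sys_
           for p in inv.processes):
        found.append("svchost_outside_system_folder")

    return found


# Constructed inventory of a host showing every indicator on this page.
INFECTED_HOST = HostInventory(
    services=["Dhcp", "Hello World!", "Spooler"],
    processes=[
        Process("explorer.exe", r"C:\WINDOWS\explorer.exe", True),
        Process("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", False),
        Process("svchost.exe", r"C:\WINDOWS\svchost.exe", False),           # dropped copy
        Process("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", False),  # legitimate
    ],
    files={
        r"C:\WINDOWS\svchost.exe",
        r"C:\WINDOWS\debug.txt",
        r"C:\WINDOWS\system32\notepad.exe",
    },
)

# Constructed inventory of a clean host: only the legitimate svchost.exe and a visible browser.
CLEAN_HOST = HostInventory(
    services=["Dhcp", "Spooler"],
    processes=[
        Process("explorer.exe", r"C:\WINDOWS\explorer.exe", True),
        Process("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", True),
        Process("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", False),
    ],
    files={r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\notepad.exe"},
)

if __name__ == "__main__":
    print("infected host:", check_fujacks_indicators(INFECTED_HOST))
    print("clean host:", check_fujacks_indicators(CLEAN_HOST))
```

The check deliberately treats the debug.txt hit as a weak indicator and the "Hello World!" service and the misplaced svchost.exe as the strong ones; in practice the inventory would come from the endpoint's service list, process list and a directory walk of the Windows folder.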

Method of Infection

Running an infected file will directly infect files over local drives, network drives and removable drives.

Removal

Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and run the command-line scanner, for example:

SCAN C: /CLEAN /ALL

Variants