Win32/Fujacks [Threat Name]

Win32/Fujacks.O [Threat Variant Name]

Category: virus, worm
Size: 28833 B
Detection created: Jan 03, 2007
Signature database version: 1955
Aliases: Worm.Win32.Delf.bd (Kaspersky)
         W32.Fujacks.B (Symantec)
         W32/Fujacks.virus (McAfee)
Short description

Win32/Fujacks.O is a worm that spreads via shared folders. The file is run-time compressed using FSG.

Installation

When executed, the worm copies itself into the following location:

  • %system%\drivers\spoclsv.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "svcshare" = "%system%\drivers\spoclsv.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "svcshare" = "%system%\drivers\spoclsv.exe"

The following Registry entry is set, which prevents Explorer from displaying hidden files (and so hides the worm's own files):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0

Spreading

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • setup.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm tries to copy itself to the available shared network folders.


The following usernames are used:

  • Administrator
  • Guest
  • admin
  • Root

The following passwords are used:

  • 0
  • 000000
  • 007
  • 1
  • 110
  • 111
  • 1111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1313
  • 2002
  • 2003
  • 2112
  • 2600
  • 5150
  • 520
  • 5201314
  • 54321
  • 654321
  • 6969
  • 7777
  • 88888888
  • 901100
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • baseball
  • ccc
  • computer
  • database
  • enable
  • fish
  • fuck
  • fuckyou
  • god
  • godblessyou
  • golf
  • harley
  • home
  • ihavenopass
  • letmein
  • login
  • Login
  • love
  • mustang
  • mypass
  • mypass123
  • mypc
  • mypc123
  • owner
  • pass
  • passwd
  • password
  • pat
  • patrick
  • pc
  • pussy
  • pw
  • pw123
  • pwd
  • qq520
  • qwer
  • qwerty
  • root
  • server
  • sex
  • shadow
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv

The copy placed in a shared folder uses the following filename:

  • GameSetup.exe

Other information

The worm terminates processes with any of the following strings in the name:

  • Mcshield.exe
  • VsTskMgr.exe
  • naPrdMgr.exe
  • UpdaterUI.exe
  • TBMon.exe
  • scan32.exe
  • Ravmond.exe
  • CCenter.exe
  • RavTask.exe
  • Rav.exe
  • Ravmon.exe
  • RavmonD.exe
  • RavStub.exe
  • KVXP.kxp
  • KvMonXP.kxp
  • KVCenter.kxp
  • KVSrvXP.exe
  • KRegEx.exe
  • UIHost.exe
  • TrojDie.kxp
  • FrogAgent.exe
  • Logo1_.exe
  • Logo_1.exe
  • Rundl132.exe

The worm terminates any program that creates a window containing any of the following strings in its name:

  • VirusScan
  • NOD32
  • Symantec AntiVirus
  • Duba
  • Windows L++
  • esteem procs
  • System Safety Monitor
  • Wrapped gift Killer
  • Winsock Expert
  • pjf(ustc)
  • IceSword

The worm alters the behavior of the following processes:

  • Schedule
  • sharedaccess
  • RsCCenter
  • RsRavMon
  • KVWSC
  • KVSrvXP
  • kavsvc
  • AVP
  • McAfeeFramework
  • McShield
  • McTaskManager
  • navapsvc
  • wscsvc
  • KPfwSvc
  • SNDSrvc
  • ccProxy
  • ccEvtMgr
  • ccSetMgr
  • SPBBCSvc
  • Symantec Core LC
  • NPFMntor
  • MskService
  • FireSvc

The following files (Norton Ghost backup images) are deleted:

  • *.gho

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse]

The worm contains one URL. It tries to download a file from that address and then executes it.


The worm searches local drives for files with the following file extensions:

  • .htm
  • .html
  • .asp
  • .php
  • .jsp
  • .aspx

The worm inserts an IFRAME element pointing to a URL into each such file.


When searching the drives, the worm creates the following file in every folder visited:

  • Desktop_.ini
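Added example, not ESET's code and not anything taken from the worm itself: an offline triage scan in Python for the file artifacts listed on this page (the autorun.inf/setup.exe pair at a drive root, the Desktop_.ini marker in visited folders, and an IFRAME pointing to a remote URL in files with the listed web extensions). The sample tree, the example.invalid URL and the placeholder file contents are constructed; a remote IFRAME is reported as a lead for review, since legitimate pages embed them too.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the worm searches local drives for and injects an IFRAME into (from the description).
WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
MARKER = "desktop_.ini"  # file the worm leaves in every folder it visits
# Any IFRAME whose src is a remote URL; legitimate embeds match too, so hits are leads for review.
IFRAME_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)

def scan_tree(root):
    """Walk a drive or share root and return suspicious artifacts grouped by category."""
    findings = {"autorun_pair": [], "marker_dirs": [], "iframe_files": []}
    for dirpath, _, files in os.walk(root):
        lower = {f.lower() for f in files}
        # autorun.inf beside setup.exe in the root matches the removable-media spreading pattern.
        if dirpath == os.fspath(root) and {"autorun.inf", "setup.exe"} <= lower:
            findings["autorun_pair"].append(dirpath)
        if MARKER in lower:
            findings["marker_dirs"].append(dirpath)
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            text = Path(path).read_text(errors="replace")  # tolerate odd encodings
            for m in IFRAME_RE.finditer(text):
                findings["iframe_files"].append((path, m.group(1)))
    return findings

def build_sample(base):
    """Create a constructed sample tree (placeholder contents, not real worm files)."""
    base = Path(base)
    (base / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")  # constructed
    (base / "setup.exe").write_bytes(b"placeholder, not the worm")  # constructed
    site = base / "site"
    site.mkdir()
    (site / "Desktop_.ini").write_text("constructed marker\n")
    (site / "index.html").write_text('<html><body>Hi<IFRAME src="http://example.invalid/x.htm"></IFRAME></body></html>')
    (site / "clean.php").write_text("<?php echo 'no iframe here'; ?>")
    return base

def demo():
    # Build the constructed sample in a temporary directory, scan it, and return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(tmp))

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a drive root or the root of a share to sweep a real tree; each category in the result is a list of paths (or path/URL pairs for IFRAME hits) to examine by hand.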
