Win32/Fujacks [Threat Name]
Win32/Fujacks.S [Threat Variant Name]
| Detection created | Jan 22, 2005 |
| Signature database version | 979 |
Win32/Fujacks.S is a prepending virus. It is able to spread via shared folders and removable media. The size of its executable is approximately 74 kB.
When an infected file is executed, the original program is dropped into a temporary file and run.
The virus copies itself to the following location:
In order to be executed on every system start, the virus sets the following Registry entry:
- "svcshare" = "%windir%\drivers\spoclsv.exe"
The following Registry entry is set:
- "CheckedValue" = 0
The following Registry entries are deleted:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
The virus copies itself into the root folders of removable drives using the following name:
The following file is created in the same folders:
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Executable file infection
The virus searches for executables on local drives.
Infection is attempted only if the executable is not in a folder whose name contains one of the following strings:
- Common Files
- ComPlus Applications
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- Microsoft Frontpage
- Movie Maker
- MSN Gamin Zone
- Outlook Express
- System Volume Information
- Windows Media Player
- Windows NT
Several other criteria are applied when choosing a file to infect.
The virus body is prepended to host executables.
The original host executable can be reconstructed when an infected file is run.
The virus searches local and network drives for files with one of the following extensions:
A single line is appended to such files.
This causes a certain URL to be opened when a file is viewed in a browser.
When searching the drives, the virus creates the following file in every folder visited:
The following services are disabled:
The virus tries to download and execute several files from the Internet.