Win32/Fujacks [Threat Name]

Win32/Fujacks.S [Threat Variant Name]

Category virus
Detection created Jan 22, 2005
Signature database version 979
Aliases Worm.Win32.Fujack.g (Kaspersky)
  W32/Fujacks.l (McAfee)
  W32.Fujacks.E (Symantec)
Short description

Win32/Fujacks.S is a prepending virus. It is able to spread via shared folders and removable media. The size of its executable is approximately 74 kB.

Installation

When an infected file is executed, the original program is dropped into a temporary file and run.


The virus copies itself to the following location:

  • %windir%\drivers\spoclsv.exe

In order to be executed on every system start, the virus sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "svcshare" = "%windir%\drivers\spoclsv.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0

Explorer copies CheckedValue into the user's Hidden setting when "Show hidden files and folders" is selected in Folder Options, so with it set to 0 the option silently has no effect and the virus's hidden files stay invisible.

The following Registry entries, mostly belonging to anti-virus products, are deleted so that those programs no longer start at logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
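
The persistence traces above can be checked offline against a registry export (the text produced by `reg export`, for example pulled from a disk image). The following script is an added example written for this page, not ESET's code; the `.reg` sample it parses is constructed, and the concrete path `C:\WINDOWS\drivers\spoclsv.exe` in it is an assumption standing in for `%windir%\drivers\spoclsv.exe`.

```python
"""Added example: look for Win32/Fujacks.S persistence traces in a .reg export.
Not ESET's code; the sample export below is CONSTRUCTED for this example."""
import re

RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Regex for one value line of a .reg file: "name"=<raw>  or  @=<raw> (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse [key] / "name"=value lines into {key_lower: {name_lower: raw_value}}.
    Hex values that continue over several lines end each line with a
    backslash; those continuations are joined first."""
    result, current = {}, None
    joined = text.replace("\\\r\n", "").replace("\\\n", "")
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            result[current][(m.group(1) or "").lower()] = m.group(2)
    return result


def decode_value(raw: str):
    """Turn the raw right-hand side into a Python value (strings and DWORDs;
    hex(...) blobs are returned unchanged)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def fujacks_traces(reg: dict) -> list:
    """Return human-readable findings for the two positive indicators the
    page lists: the HKCU Run value 'svcshare' pointing at spoclsv.exe and
    SHOWALL\\CheckedValue forced to 0."""
    findings = []
    run_value = reg.get(RUN_HKCU.lower(), {}).get("svcshare")
    if run_value is not None and "spoclsv.exe" in decode_value(run_value).lower():
        findings.append(f"HKCU Run\\svcshare -> {decode_value(run_value)}")
    checked = reg.get(SHOWALL.lower(), {}).get("checkedvalue")
    if checked is not None and decode_value(checked) == 0:
        findings.append("SHOWALL\\CheckedValue is 0 (hidden files forced invisible)")
    return findings


# CONSTRUCTED sample export; the drivers\spoclsv.exe path is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="C:\\WINDOWS\\drivers\\spoclsv.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002
'''

if __name__ == "__main__":
    for finding in fujacks_traces(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

A real `reg export` file is UTF-16 LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. The absence of the anti-virus Run entries listed above is deliberately not reported as a finding: a product that was never installed leaves the same gap as one the virus switched off, so that only counts as evidence when the product's files are still on disk.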

Spreading

The virus copies itself into the root folders of removable drives using the following name:

  • setup.exe

The following file is created in the same folders:

  • autorun.inf

In this way the virus is started each time the infected medium is inserted into a computer on which AutoRun processes autorun.inf.
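
The removable-media pattern above (an executable in the volume root plus an autorun.inf that launches it) can be checked with a small scanner. The script below is an added example for this page, not ESET's or the virus's code; the page only states that autorun.inf exists and launches setup.exe, so the autorun.inf contents in the constructed sample root are an assumption based on the standard `[autorun]` keys.

```python
"""Added example: flag an autorun.inf in a volume root that launches an
executable present in that same root (the setup.exe + autorun.inf pattern).
Not ESET's code; the sample volume root is CONSTRUCTED for the example."""
import os
import tempfile
from pathlib import Path

# [autorun] keys Windows acts on to run a program (standard keys, assumption
# that the variant uses one of them rather than something exotic).
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Hand-rolled INI reader: keys of the [autorun] section, lowercased.
    Section names and keys are case-insensitive; ';' starts a comment."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def referenced_programs(entries: dict) -> set:
    """Bare, lowercased file names the autorun entries would execute.
    The first token is the program; quotes, arguments and any path are dropped."""
    names = set()
    for key in EXEC_KEYS:
        if key in entries and entries[key]:
            target = entries[key].split()[0].strip('"')
            names.add(os.path.basename(target.replace("\\", "/")).lower())
    return names


def scan_removable_root(root: str) -> list:
    """Findings for one volume root: each program autorun.inf points at,
    and whether that program really sits next to it."""
    root_path = Path(root)
    inf = next((p for p in root_path.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    entries = parse_autorun(inf.read_text(errors="replace"))
    present = {p.name.lower(): p for p in root_path.iterdir()}
    findings = []
    for name in sorted(referenced_programs(entries)):
        if name in present:
            findings.append(f"autorun.inf launches {present[name]}")
        else:
            findings.append(f"autorun.inf references missing {name}")
    return findings


def build_sample_root() -> str:
    """CONSTRUCTED fake removable-drive root mirroring the layout the page
    describes. The autorun.inf text is an assumption, not the variant's."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    (Path(root) / "setup.exe").write_bytes(b"MZ" + b"\0" * 64)
    (Path(root) / "autorun.inf").write_text(
        "[AutoRun]\r\n"
        "open=setup.exe\r\n"
        "shellexecute=setup.exe\r\n"
        "shell\\open\\Command=setup.exe\r\n"
        "; constructed sample\r\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_removable_root(build_sample_root()):
        print(finding)
```

Point the scanner at the root of each mounted removable volume (for example `E:\`). Note that since the February 2011 Windows update to AutoRun (KB971029), Windows no longer honours autorun.inf on USB mass-storage devices, only on optical media, so this vector mainly matters on unpatched or older systems.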

Executable file infection

The virus searches local drives for executables.

Infection is attempted only if the executable's folder path does not contain one of the following strings:

  • Common Files
  • ComPlus Applications
  • Documents and Settings
  • InstallShield Installation Information
  • Internet Explorer
  • Messenger
  • Microsoft Frontpage
  • Movie Maker
  • MSN
  • MSN Gamin Zone
  • NetMeeting
  • Outlook Express
  • Recycled
  • System Volume Information
  • system32
  • WINDOWS
  • Windows Media Player
  • Windows NT
  • WindowsUpdate
  • WINNT

Several other criteria are applied when choosing a file to infect.

The virus body is prepended to the host executable.

The original host executable is reconstructed when an infected file is run.
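
The following added example models the two mechanisms described in this section: the folder-name exclusion list and the prepending layout, with the host recovery a disinfector would perform. It is illustrative code written for this page, not ESET's or the virus's own. The page does not document how the variant locates the host boundary, so the layout modelled here (a fixed-length virus body immediately followed by the untouched host) and the case-insensitive substring match on folder names are assumptions.

```python
"""Added example: target selection and host recovery for a prepending
infector. Not ESET's or the virus's code; layout and matching rules are
assumptions stated in the lead-in; sample files are CONSTRUCTED."""
import struct
from pathlib import PureWindowsPath

# Folder-name strings the page lists as excluded from infection.
EXCLUDED_FOLDER_STRINGS = (
    "Common Files", "ComPlus Applications", "Documents and Settings",
    "InstallShield Installation Information", "Internet Explorer",
    "Messenger", "Microsoft Frontpage", "Movie Maker", "MSN",
    "MSN Gamin Zone", "NetMeeting", "Outlook Express", "Recycled",
    "System Volume Information", "system32", "WINDOWS",
    "Windows Media Player", "Windows NT", "WindowsUpdate", "WINNT",
)
_NEEDLES = tuple(s.lower() for s in EXCLUDED_FOLDER_STRINGS)


def is_excluded(path: str) -> bool:
    """True if any directory component of the Windows path contains one of
    the excluded strings. Case-insensitive (assumption: NTFS names are, and
    the page's list mixes cases). The file name itself is not checked."""
    folders = PureWindowsPath(path).parent.parts
    return any(needle in part.lower() for part in folders for needle in _NEEDLES)


def is_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def infect(virus_body: bytes, host: bytes) -> bytes:
    """Prepending infection: the virus runs first, the host follows it."""
    return virus_body + host


def reconstruct_host(infected: bytes, virus_len: int) -> bytes:
    """Recover the original program by skipping the fixed-length virus body.
    Refuses if the remainder is not a PE image, so a wrong length is never
    written out as a 'cleaned' file."""
    host = infected[virus_len:]
    if not is_pe(host):
        raise ValueError("no PE image at the expected host offset")
    return host


def fake_pe(payload: bytes) -> bytes:
    """CONSTRUCTED minimal byte string carrying a valid MZ/PE signature pair;
    it is not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + payload


if __name__ == "__main__":
    virus = fake_pe(b"V" * 100)                # stands in for the ~74 kB body
    host = fake_pe(b"original program")
    sample = infect(virus, host)
    print("infected file still parses as PE:", is_pe(sample))
    print("host recovered intact:", reconstruct_host(sample, len(virus)) == host)
    for p in (r"C:\WINDOWS\system32\calc.exe", r"C:\Program Files\SomeApp\app.exe"):
        print(p, "excluded" if is_excluded(p) else "candidate")
```

The exclusion list reads as a whitelist of operating-system folders rather than a blacklist of targets: everything under Program Files that is not a Microsoft component remains a candidate, which is why third-party applications are the files usually found infected. The PE check in reconstruct_host matters because a prepender that got the body length wrong would quietly corrupt every file it "repaired".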

Other information

The virus searches local and network drives for files with one of the following extensions:

  • ASP
  • ASPX
  • HTM
  • HTML
  • JSP
  • PHP

A single line is appended to each such file.

When the file is then viewed in a browser, that line causes a certain URL to be opened.
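
Because the injection is always a single appended line, a scanner only needs to look at the last non-empty line of each web-content file with one of the extensions listed above. The script below is an added example for this page, not ESET's code. The page does not say what the appended line contains beyond its effect, so treating it as an HTML tag that loads an absolute http(s) URL (iframe, script, object or embed) is an assumption; the sample site, its files and the URL in them are constructed.

```python
"""Added example: find web files whose last line loads a remote URL, the
trace the page describes for Win32/Fujacks.S. Not ESET's code; the tag
pattern is an assumption and the sample tree is CONSTRUCTED."""
import re
import tempfile
from pathlib import Path

TARGET_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".jsp", ".php"}

# Tag that makes a browser fetch an absolute URL (assumption for the example).
REMOTE_LOAD = re.compile(
    r"<\s*(iframe|script|object|embed)\b[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)",
    re.IGNORECASE,
)


def appended_remote_loader(text: str):
    """Return the URL if the last non-empty line of `text` loads a remote
    resource, else None. Only the final line is examined, since the virus
    appends; legitimate script includes earlier in the file are not flagged."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return None
    m = REMOTE_LOAD.search(lines[-1])
    return m.group(2) if m else None


def scan_tree(root: str) -> dict:
    """Map file path -> injected URL for every affected file under root."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS:
            url = appended_remote_loader(p.read_text(errors="replace"))
            if url:
                hits[str(p)] = url
    return hits


def build_sample_tree() -> str:
    """CONSTRUCTED web root: one clean page, one page with an appended
    loader line, and a non-target extension that must be ignored."""
    root = tempfile.mkdtemp(prefix="webroot_")
    site = Path(root) / "site"
    site.mkdir()
    (site / "index.html").write_text("<html><body>hello</body></html>\n")
    (site / "login.php").write_text(
        "<?php echo 'x'; ?>\n<html><body>login</body></html>\n"
        '<iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>\n'
    )
    (site / "notes.txt").write_text('<iframe src="http://example.invalid/"></iframe>\n')
    return root


if __name__ == "__main__":
    for path, url in scan_tree(build_sample_tree()).items():
        print(f"{path}: loads {url}")
```

Run it against every web root, including those on network shares, since the page notes the virus searches network drives as well; an infected workstation with write access to a shared web root contaminates pages served to everyone. Cleaning is removing that final line, but the file is only safe once the workstation that keeps re-appending it has been disinfected.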


When searching the drives, the virus creates the following file in every folder visited:

  • Desktop_.ini

The following services are disabled; most belong to anti-virus products, but the list also covers the Windows Firewall/Internet Connection Sharing service (sharedaccess), the Task Scheduler (schedule) and Security Center (wscsvc):

  • AVP
  • ccEvtMgr
  • ccProxy
  • ccSetMgr
  • FireSvc
  • kavsvc
  • KPfwSvc
  • KVSrvXP
  • KVWSC
  • McAfeeFramework
  • McShield
  • McTaskManager
  • MskService
  • navapsvc
  • NPFMntor
  • RsCCenter
  • RsRavMon
  • sharedaccess
  • schedule
  • SNDSrvc
  • SPBBCSvc
  • Symantec
  • wscsvc

The virus tries to download and execute several files from the Internet.
