Win32/Fujacks [Threat Name]
Win32/Fujacks.S [Threat Variant Name]
Category | virus
Aliases | Worm.Win32.Fujack.g (Kaspersky); W32/Fujacks.l (McAfee); W32.Fujacks.E (Symantec)
Short description
Win32/Fujacks.S is a prepending virus. It is able to spread via shared folders and removable media. The size of its executable is approximately 74 kB.
Installation
When an infected file is executed, the original program is dropped into a temporary file and run.
The virus copies itself to the following location:
- %windir%\drivers\spoclsv.exe
In order to be executed on every system start, the virus sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "svcshare" = "%windir%\drivers\spoclsv.exe"
The following Registry entry is set (this suppresses the "Show hidden files and folders" option in Windows Explorer, which hides the virus's own files):
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
- "CheckedValue" = 0
The following Registry entries (autostart values of security software) are deleted:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
Spreading
The virus copies itself into the root folders of removable drives using the following name:
- setup.exe
The following file is created in the same folders:
- autorun.inf
Thus, the virus is started each time the infected media is inserted into a computer that has AutoRun enabled.
Executable file infection
The virus searches for executables on local drives.
Infection is attempted only if the path of the folder containing the executable does not include one of the following strings:
- Common Files
- ComPlus Applications
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- Messenger
- Microsoft Frontpage
- Movie Maker
- MSN
- MSN Gamin Zone
- NetMeeting
- Outlook Express
- Recycled
- System Volume Information
- system32
- WINDOWS
- Windows Media Player
- Windows NT
- WindowsUpdate
- WINNT
Several other criteria are applied when choosing a file to infect.
The virus prepends itself to host executables.
The original host executable is reconstructed when an infected file is run.
Other information
The virus searches local and network drives for files with one of the following extensions:
- ASP
- ASPX
- HTM
- HTML
- JSP
- PHP
A single line is appended to each such file; it causes a certain URL to be opened when the file is viewed in a browser.
When searching the drives, the virus creates the following file in every folder visited:
- Desktop_.ini
The following services are disabled:
- AVP
- ccEvtMgr
- ccProxy
- ccSetMgr
- FireSvc
- kavsvc
- KPfwSvc
- KVSrvXP
- KVWSC
- McAfeeFramework
- McShield
- McTaskManager
- MskService
- navapsvc
- NPFMntor
- RsCCenter
- RsRavMon
- sharedaccess
- schedule
- SNDSrvc
- SPBBCSvc
- Symantec
- wscsvc
The virus tries to download and execute several files from the Internet.
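The following read-only PowerShell triage script is an added example, not code from the original description: it checks a Windows host for the indicators listed above (dropped file, Run value, SHOWALL setting, removable-media autorun pair, Desktop_.ini markers, disabled services). It assumes an elevated session and that service names match the list exactly.

```powershell
# Added example, not code from the original description: read-only triage for the
# Win32/Fujacks.S indicators documented above. Run in an elevated PowerShell session.
$findings = @()

# 1. Dropped copy and its HKCU Run persistence value "svcshare"
$dropPath = Join-Path $env:windir 'drivers\spoclsv.exe'
if (Test-Path -LiteralPath $dropPath) { $findings += "file present: $dropPath" }
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svcshare']) { $findings += "Run value svcshare = $($run.svcshare)" }

# 2. "Show hidden files and folders" option forced off (CheckedValue = 0)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
if ($cv -and $cv.CheckedValue -eq 0) { $findings += 'SHOWALL\CheckedValue is 0 (hidden files cannot be shown)' }

# 3. Removable media (DriveType 2): setup.exe beside autorun.inf in the drive root
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $disk.DeviceID + '\'
    if ((Test-Path (Join-Path $root 'autorun.inf')) -and (Test-Path (Join-Path $root 'setup.exe'))) {
        $findings += "autorun.inf and setup.exe in root of $root"
    }
}

# 4. Desktop_.ini markers left in visited folders on fixed drives (DriveType 3); full walk, can be slow
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
    $markers = Get-ChildItem -Path ($disk.DeviceID + '\') -Filter 'Desktop_.ini' -Recurse -Force -File -ErrorAction SilentlyContinue
    foreach ($m in $markers) { $findings += "marker file: $($m.FullName)" }
}

# 5. Services the virus disables. Besides third-party AV services the list includes Windows' own
#    Security Center (wscsvc), Firewall/ICS (sharedaccess) and Task Scheduler (schedule).
$watched = 'AVP','ccEvtMgr','ccProxy','ccSetMgr','FireSvc','kavsvc','KPfwSvc','KVSrvXP','KVWSC',
           'McAfeeFramework','McShield','McTaskManager','MskService','navapsvc','NPFMntor',
           'RsCCenter','RsRavMon','sharedaccess','schedule','SNDSrvc','SPBBCSvc','Symantec','wscsvc'
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($watched -contains $svc.Name -and $svc.StartMode -eq 'Disabled') { $findings += "service disabled: $($svc.Name)" }
}

if ($findings.Count -eq 0) { Write-Output 'No Fujacks.S indicators found.' }
else { $findings | ForEach-Object { Write-Output "[Fujacks.S indicator] $_" } }
```

A single indicator (a disabled service or a stray Desktop_.ini) is not proof of infection on its own; the dropped file together with the svcshare Run value is the strongest combination to escalate on.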