Threat Encyclopedia


Short description
Win32/Fujacks.O is a worm that spreads via shared folders. The file is run-time compressed using FSG.
Installation
When executed, the worm copies itself into the following location:
  • %system%\drivers\spoclsv.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "svcshare" = "%system%\drivers\spoclsv.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "svcshare" = "%system%\drivers\spoclsv.exe"
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = 0
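The two Run values and the SHOWALL change above are the host-side indicators a responder would check first; CheckedValue under SHOWALL is what lets the "Show hidden files and folders" option in Explorer take effect, so forcing it to 0 keeps the hidden copies out of sight. The following script is an added example, not part of the encyclopedia entry or any vendor tool: it matches Run values against the "svcshare" name and the spoclsv.exe path quoted above, and flags the SHOWALL tampering. The SAMPLE_RUN_ENTRIES mapping is constructed for demonstration; the read_live_* helpers use the standard winreg module and only work on Windows.

```python
"""Check for the Win32/Fujacks.O persistence and Explorer tampering described above:
the 'svcshare' Run value pointing at %system%\\drivers\\spoclsv.exe and
SHOWALL\\CheckedValue forced to 0."""
import os

RUN_VALUE_NAME = "svcshare"                # value name quoted from the description
PAYLOAD_SUFFIX = r"\drivers\spoclsv.exe"   # tail of %system%\drivers\spoclsv.exe
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_SUBKEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                  r"\Advanced\Folder\Hidden\SHOWALL")

# Constructed sample of what read_live_run_entries() would return on an infected host:
# two benign entries plus the worm's own value (HKCU) and a renamed copy with a quoted,
# mixed-case path (HKLM). Not real registry data.
SAMPLE_RUN_ENTRIES = {
    "HKEY_CURRENT_USER": {
        "svcshare": r"C:\WINDOWS\system32\drivers\spoclsv.exe",
        "OneDrive": r'"C:\Users\user\OneDrive.exe" /background',
    },
    "HKEY_LOCAL_MACHINE": {
        "SecurityHealth": r"C:\WINDOWS\system32\SecurityHealthSystray.exe",
        "Updater": r'"C:\WINDOWS\System32\Drivers\SPOCLSV.EXE"',
    },
}


def normalize_command(command):
    """Strip surrounding quotes, expand environment variables and lower-case the
    command so that quoted or mixed-case paths still compare against PAYLOAD_SUFFIX."""
    return os.path.expandvars(command.strip().strip('"')).lower()


def check_run_entries(run_entries):
    """run_entries: {hive_name: {value_name: command}}.
    Returns (hive, value_name, command) for every entry that matches either the
    value name the worm uses or the payload path it points at."""
    findings = []
    for hive, values in run_entries.items():
        for name, command in values.items():
            if name.lower() == RUN_VALUE_NAME or normalize_command(command).endswith(PAYLOAD_SUFFIX):
                findings.append((hive, name, command))
    return findings


def showall_tampered(checked_value):
    """CheckedValue must be 1 for Explorer's 'Show hidden files' option to work;
    the worm sets it to 0 so that its hidden files stay invisible."""
    return checked_value == 0


def read_live_run_entries():
    """Windows only: enumerate the Run values in HKCU and HKLM with winreg."""
    import winreg
    result = {}
    for hive_name, hive in (("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER),
                            ("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE)):
        values = {}
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:      # no more values
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:                  # key missing or not readable
            pass
        result[hive_name] = values
    return result


def read_live_showall():
    """Windows only: return the current SHOWALL\\CheckedValue."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL_SUBKEY) as key:
        value, _type = winreg.QueryValueEx(key, "CheckedValue")
    return value


def demo():
    """Run the checks against the constructed sample; returns the Run findings."""
    return check_run_entries(SAMPLE_RUN_ENTRIES)


if __name__ == "__main__":
    for hive, name, command in demo():
        print(f"suspicious Run value: {hive}\\...\\Run\\{name} = {command}")
    print("SHOWALL tampered:", showall_tampered(0))
```

On a live host, replace SAMPLE_RUN_ENTRIES with read_live_run_entries() and pass read_live_showall() to showall_tampered(); both are intentionally separated from the matching logic so the checks can be run offline against exported registry data as well.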
Spreading
The worm copies itself into the root folders of fixed and/or removable drives using the following name:
  • setup.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm tries to copy itself to the available shared network folders. The following usernames are used:
  • Administrator
  • Guest
  • admin
  • Root
The following passwords are used:
  • 0
  • 000000
  • 007
  • 1
  • 110
If successful, the following filename is used:
  • GameSetup.exe
Other information
The worm terminates processes with any of the following strings in the name:
  • Mcshield.exe
  • VsTskMgr.exe
  • naPrdMgr.exe
  • UpdaterUI.exe
  • TBMon.exe
The worm terminates any program that creates a window containing any of the following strings in its name:
  • VirusScan
  • NOD32
  • Symantec AntiVirus
  • Duba
  • Windows L++
The worm alters the behavior of the following processes:
  • Schedule
  • sharedaccess
  • RsCCenter
  • RsRavMon
  • KVWSC
The following files are deleted:
  • *.gho
The worm may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\RavTask]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\KvMonXP]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\kav]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\KAVPersonal50]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run\McAfeeUpdaterUI]
The worm contains a list of URLs (1 in this variant). It tries to download a file from the address and then executes it.

The worm searches local drives for files with the following file extensions:
  • .htm
  • .html
  • .asp
  • .php
  • .jsp
  • .aspx
The worm inserts an IFRAME element with a URL link into the file.

When searching the drives, the worm creates the following file in every folder visited:
  • Desktop_.ini
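The Spreading and Other information sections together list the file-system traces the worm leaves: an autorun.inf launching setup.exe in drive roots, GameSetup.exe on reachable shares, an IFRAME appended to web files, and a Desktop_.ini marker in every folder it visited. The following scanner is an added example (not the encyclopedia's or any vendor's code) that triages a directory tree for exactly those traces. An IFRAME that sits after the closing </html> tag is flagged as appended, which is how an inserted element usually looks in a file that was complete before infection; IFRAMEs elsewhere are reported for review rather than judged. The sample tree built by build_sample_tree() is constructed for demonstration and contains harmless placeholder bytes.

```python
"""Triage a directory tree for the file-system artifacts attributed above to
Win32/Fujacks.O: autorun.inf + setup.exe pairs, GameSetup.exe copies, the
Desktop_.ini marker and IFRAME elements inserted into web files."""
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
# Names quoted from the description; compared case-insensitively like NTFS does.
MARKER_FILE = "desktop_.ini"
ROOT_COPY = "setup.exe"
SHARE_COPY = "gamesetup.exe"
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
AUTORUN_CMD_RE = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def autorun_commands(text):
    """Return the programs an autorun.inf would launch (its open= / shellexecute= lines)."""
    return [m.group(2) for m in AUTORUN_CMD_RE.finditer(text)]


def injected_iframes(text):
    """Return (src, appended) for every IFRAME in a page. appended is True when the
    element follows the closing </html> tag, i.e. it was tacked onto a finished file."""
    end = text.lower().rfind("</html>")
    return [(m.group(1), end != -1 and m.start() > end) for m in IFRAME_RE.finditer(text)]


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_tree(root):
    """Walk root and collect the four kinds of artifact; paths are returned as found."""
    findings = {"markers": [], "autorun": [], "share_copies": [], "iframes": []}
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}           # case-insensitive lookup
        if MARKER_FILE in names:
            findings["markers"].append(os.path.join(dirpath, names[MARKER_FILE]))
        if SHARE_COPY in names:
            findings["share_copies"].append(os.path.join(dirpath, names[SHARE_COPY]))
        if "autorun.inf" in names and ROOT_COPY in names:
            cmds = autorun_commands(read_text(os.path.join(dirpath, names["autorun.inf"])))
            if any(os.path.basename(c).lower() == ROOT_COPY for c in cmds):
                findings["autorun"].append(dirpath)     # autorun.inf really launches setup.exe
        for f in files:
            if os.path.splitext(f)[1].lower() in WEB_EXTENSIONS:
                path = os.path.join(dirpath, f)
                for src, appended in injected_iframes(read_text(path)):
                    findings["iframes"].append((path, src, appended))
    return findings


def build_sample_tree(base):
    """Constructed sample (no real malware): a 'drive root', a 'share' and a 'www' folder."""
    layout = {
        "drive_root/autorun.inf": "[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\n",
        "drive_root/setup.exe": "placeholder bytes, not an executable\n",
        "drive_root/Desktop_.ini": "",
        "share/GameSetup.exe": "placeholder bytes, not an executable\n",
        "www/Desktop_.ini": "",
        # finished page with an IFRAME appended after </html>, as the description reports
        "www/index.html": "<html><body>site</body></html>\n"
                          "<iframe src=http://example.invalid/x width=0 height=0></iframe>",
        # legitimate page whose IFRAME is inside the document: reported, not flagged
        "www/about.htm": "<html><body><iframe src=\"/embed/map\"></iframe></body></html>",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp(prefix="fujacks_demo_")))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("   ", item)
```

For a real investigation point scan_tree() at the mounted drive or share; the autorun check deliberately requires both that autorun.inf name setup.exe and that setup.exe be present, so a stray autorun.inf on a clean CD is not reported on its own.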