Virus:Win32/Fujacks.D is a prepending virus that infects executable files. It may also spread via removable drives and network shares. It prevents certain security processes from running, modifies Web pages, and may attempt to download a file from a specific site. It also changes certain system settings.
Installation
When run, Virus:Win32/Fujacks.D drops a copy of itself as the following file:
<system folder>\drivers\spoclsv.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It modifies the system registry to ensure that its dropped copy automatically runs when Windows starts:
Adds value: "svcshare"
With data: "<system folder>\drivers\spoclsv.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads Via...
File Infection
Virus:Win32/Fujacks.D infects executable files with the following extensions on all available drives:
It infects a file by prepending a copy of the virus to the original executable.
Removable Drives
Virus:Win32/Fujacks.D may copy itself as setup.exe in the root directory of removable drives. It also creates the file autorun.inf to automatically run the virus copy whenever the drive is accessed.
Network Shares
Virus:Win32/Fujacks.D scans for computers within the same network. If found, it attempts to copy itself to network shares as <system folder>\GameSetup.exe. To access these shares, it uses the current user name and the following passwords:
000000
007
110
111
1111
111111
11111111
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
1313
2002
2003
2112
2600
5150
520
5201314
54321
654321
6969
7777
88888888
901100
aaa
abc
abc123
abcd
admin
admin123
Administrator
alpha
asdf
baseball
ccc
computer
database
enable
fish
fuck
fuckyou
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
pat
patrick
pussy
pw123
pwd
qq520
qwer
qwerty
Root
server
sex
shadow
super
sybase
temp
temp123
test
test123
win
xxx
yxcv
zxcv
Payload
Modifies System Settings
Virus:Win32/Fujacks.D changes the way hidden files and folders are displayed:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
It also attempts to stop the sharing of folders by running the following command:
cmd.exe /c net share <share>$ /del /y
where <share> may be any of the shared folders in the system.
Creates Files
Virus:Win32/Fujacks.D creates the file desktop.ini in all folders in all accessible drives except %SystemDrive% and %windir%. This file contains the date of infection of the computer, for example, "2009-4-23".
Lowers System Security
Virus:Win32/Fujacks.D may delete registry keys related to certain security products:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
It closes windows with titles that contain any of the following strings:
IceSword
msctls_statusbar32
NOD32
pjf(ustc)
Symantec AntiVirus
System Repair Engineer
System Safety Monitor
VirusScan
It terminates the following mostly security-related processes:
Logo1_.exe
Logo_1.exe
Mcshield.exe
msconfig.exe
naPrdMgr.exe
regedit.exe
Rundl132.exe
scan32.exe
taskmgr.exe
TBMon.exe
UpdaterUI.exe
VsTskMgr.exe
It stops the following mostly security-related processes:
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
Schedule
sharedaccess
SNDSrvc
SPBBCSvc
Symantec Core LC
wscsvc
Modifies Web Files
Virus:Win32/Fujacks.D may write an Iframe into Web pages found on the computer that have the following extensions:
HTM
HTML
ASP
PHP
JSP
ASPX
The Iframe may contain commands to open a certain Web page or to download a file from a specific site, without the user's knowledge.
Downloads Other Files
Virus:Win32/Fujacks.D attempts to download the file wormks.txt from whboy.net.
Deletes Files
Virus:Win32/Fujacks.D scans for GHO files and deletes any it finds. GHO files are backup images that may be used to restore individual files or entire hard disks.
Additional Information
Virus:Win32/Fujacks.D adds the following text to the end of an infected executable:
WhBoy<file name> <size>
where <file name> is the original file name with its extension appended a second time, and <size> is the original file size in bytes prior to infection. For example, "WhBoyNOTEPAD.EXE.exe 66048".
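Because the virus prepends itself and leaves this trailer at the end of the file, the trailer is both a detection marker and the key to recovering the original executable. The following Python routine is an added example, not part of this write-up or any vendor tool: it locates the trailer, validates the recorded size against the file, and carves out the original program. It assumes the trailer is exactly the ASCII form shown above and that the original file lies immediately before it; the sample bytes are constructed for illustration.

```python
MARKER = b"WhBoy"  # infection marker described in the write-up


def parse_fujacks_trailer(data: bytes):
    """Return (recorded name, original size, trailer offset) or None if absent/inconsistent."""
    idx = data.rfind(MARKER)
    if idx < 0:
        return None
    tail = data[idx + len(MARKER):]
    name, sep, size = tail.rpartition(b" ")  # "<name> <size>", size runs to EOF
    if not sep or not name or not size.isdigit():
        return None
    size = int(size)
    # The original body must fit between the start of the file and the trailer.
    if size <= 0 or size > idx:
        return None
    return name.decode("latin-1"), size, idx


def recover_original(data: bytes):
    """Carve the original executable out of a prepending infection.

    Returns (original file name, original bytes) or None. Assumes (not stated
    byte-for-byte on the page) that the original sits directly before the trailer.
    """
    parsed = parse_fujacks_trailer(data)
    if parsed is None:
        return None
    name, size, idx = parsed
    body = data[idx - size:idx]
    if body[:2] != b"MZ":  # an MZ header corroborates the carve
        return None
    # "NOTEPAD.EXE.exe" -> "NOTEPAD.EXE": drop the duplicated extension.
    original_name = name.rsplit(".", 1)[0] if "." in name else name
    return original_name, body


# Constructed sample: fake virus body + fake original + trailer in the documented form.
FAKE_VIRUS = b"VIRUS" * 20                 # 100 bytes standing in for the prepended code
FAKE_ORIGINAL = b"MZ" + b"\x90" * 98       # 100-byte stand-in for NOTEPAD.EXE
INFECTED = FAKE_VIRUS + FAKE_ORIGINAL + b"WhBoyNOTEPAD.EXE.exe 100"
CLEAN = FAKE_ORIGINAL                      # no trailer, must not be flagged
BAD_SIZE = FAKE_VIRUS + FAKE_ORIGINAL + b"WhBoyNOTEPAD.EXE.exe 999"

if __name__ == "__main__":
    print(parse_fujacks_trailer(INFECTED))   # ('NOTEPAD.EXE.exe', 100, 200)
    print(recover_original(INFECTED)[0])     # NOTEPAD.EXE
    print(recover_original(CLEAN), recover_original(BAD_SIZE))  # None None
```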
Analysis by Patrik Vicol