Virus – Win32 – Fujacks.E
1. Summary:
Fujacks is a file-infecting virus: it infects every executable it can find on the local hard drives (*.exe and the other executable types listed below), and also the executables found in shared network folders.
Alias names:
F-Secure: Fujack.K
NOD32: Win32/Fujacks
Symantec: W32.Fujacks.E
2. Detailed description:
After its first execution, Fujacks drops a copy of itself named „spoclsv.exe“ into the %SYSTEM%\Drivers\ folder and ensures it is started at every logon by writing an entry into the „Run“ registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare" = "%System%\Drivers\spoclsv.exe"
The %SYSTEM% variable points to the Windows system directory. Its location depends on the installed Windows version: on Windows XP it is \WINDOWS\SYSTEM32\, on Windows 2000 \WINNT\SYSTEM32\.
Fujacks then searches the Run registry key and removes every entry whose name contains one of the following strings:
kav
KAVPersonal50
KvMonXP
McAfeeUpdaterUI
Network Associates Error Reporting Service
RavTask
ShStatEXE
yassistse
YLive.exe
This prevents the corresponding security programs from starting with the computer.
It also sets the value „CheckedValue“ in the key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
With this value set to 0, selecting „Show hidden files and folders“ in Explorer's folder options no longer has any effect, so the hidden files the virus drops stay invisible to the user.
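The registry symptoms described above (the svcshare Run value pointing at spoclsv.exe, and SHOWALL\CheckedValue set to 0) can be checked offline from a registry export. The following Python script is an added example, not code from the original page or from any antivirus vendor: it parses the text of a .reg export (as written by Regedit's Export or by the reg export command) and reports those indicators. The export embedded in the script is a constructed sample, not a capture from a real infection; the only assumption about real exports is that reg export writes them as UTF-16, which is why that encoding is used when a file name is given.

```python
import re
import sys

# Persistence details taken from the description above.
RUN_VALUE_NAME = "svcshare"
DROPPED_FILE = "spoclsv.exe"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Constructed sample of a .reg export from an infected machine (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"Type"="radio"
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Handles "name"="string" (with the \\ escape undone) and "name"=dword:hex.
    Other data types (hex:, multi-line values, the @ default value) are kept
    as the raw text after '=' so that nothing is silently dropped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_fujacks_indicators(keys):
    """Return human-readable findings for the registry symptoms of Fujacks.E."""
    findings = []
    for path, values in keys.items():
        lower_path = path.lower()
        # Any Run key (HKCU or HKLM): look for the value name or the dropped file name.
        if lower_path.endswith(r"\currentversion\run"):
            for name, data in values.items():
                data_text = data.lower() if isinstance(data, str) else ""
                if name.lower() == RUN_VALUE_NAME or DROPPED_FILE in data_text:
                    findings.append(f"{path}: Run entry {name!r} = {data!r}")
        elif lower_path == SHOWALL_KEY.lower():
            if values.get("CheckedValue") == 0:
                findings.append(f"{path}: CheckedValue is 0, 'Show hidden files' disabled")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16 with a BOM; the utf-16 codec consumes the BOM.
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for finding in find_fujacks_indicators(parse_reg_export(text)) or ["no Fujacks indicators found"]:
        print(finding)
```

Run it without arguments to see the two findings from the built-in sample, or pass the path of an export taken on the suspect machine. The Run check is deliberately loose: it fires on either the value name or the file name, since a variant could keep one and change the other.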
The virus actively defends itself: it closes every window whose title contains one of the following strings:
Symantec AntiVirus
System Safety Monitor
System Repair Engineer
VirusScan
Winsock Expert
Wrapped gift Killer
It also terminates numerous processes that could get in its way. Some of them are:
CCenter.exe
KVSrvXP.exe
Msconfig.exe
Ravmon.exe
Regedit.exe
Rundl132.exe
scan32.exe
taskmgr.exe
TBMon.exe
That is not all it does. It also stops several security-related services:
AVP
kavsvc
KPfwSvc
KVSrvXP
McAfeeFramework
McShield
navapsvc
RsCCenter
RsRavMon
Symantec Core LC
Fujacks searches all hard and removable drives connected to the computer for files with the .gho extension and deletes them. These are Norton Ghost disk image (backup) files, so this removes backups that could otherwise be used to restore the system.
The file types that get infected are:
*.com
*.exe
*.pif
*.scr
To avoid infecting an already infected file, it creates a marker file „Desktop_.ini“ in every folder it has already processed.
If Fujacks finds a shared folder, it copies its body there under the name „GameSetup.exe“. If the share is password protected, Fujacks tries to guess the password from a short list of easy, frequently used passwords:
123
root
administrator
admin
abcd
qwerty
love
owner
Fujacks is also capable of downloading a file from the Internet and executing it. This widens the capabilities of the virus enormously, because the downloaded file can be anything and can do anything.
3. Cleaning:
Fujacks is a file infector that infects every executable it reaches, so manual cleaning is not practical. Use an antivirus product to remove the infection.
If you do not have an antivirus product, you can use the Kaspersky online virus scanner.
If your computer is not yet infected, you can prevent the file infection by creating an empty „Desktop_.ini“ file in every folder you want to protect: the virus takes the marker to mean it has already infected that folder and skips it. Note that this only stops the infection of the files in those folders; it does nothing against the other behaviour described above (the Run key entry, the killing of security software, the download-and-execute capability), so it is a stopgap, not a substitute for an antivirus.
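Both the Desktop_.ini marker and the GameSetup.exe copy described above are things a scan of the file system can look for, and the marker trick can be applied with a script rather than by hand. The following Python is an added example, not code from the original page or from any vendor: scan_tree lists the folders that already carry a Desktop_.ini and any GameSetup.exe copies, and inoculate creates the marker in every folder that lacks one. The directory layout it builds is constructed for the demo; on a real machine point the functions at the drive or share you want to check or protect.

```python
import os
import tempfile

MARKER = "Desktop_.ini"        # per-folder marker the virus leaves behind
SHARE_COPY = "GameSetup.exe"   # name of the copy it drops into shared folders


def _names_lower(filenames):
    # Windows file names are case-insensitive, so compare in lower case.
    return {name.lower(): name for name in filenames}


def scan_tree(root):
    """Walk `root`; return (folders carrying the marker, paths of GameSetup.exe copies)."""
    marked, copies = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = _names_lower(filenames)
        if MARKER.lower() in names:
            marked.append(dirpath)
        if SHARE_COPY.lower() in names:
            copies.append(os.path.join(dirpath, names[SHARE_COPY.lower()]))
    return marked, copies


def inoculate(root):
    """Create an empty Desktop_.ini in every folder under `root` that has none.

    The description says the virus skips folders where the marker exists, so an
    empty file is enough; nothing is written into it.  Returns the created paths.
    """
    created = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if MARKER.lower() in _names_lower(filenames):
            continue
        path = os.path.join(dirpath, MARKER)
        with open(path, "x"):   # 'x' refuses to overwrite an existing file
            pass
        created.append(path)
    return created


def build_sample_tree(base):
    """Constructed demo layout (not from a real infection):
    base/clean/report.exe, base/infected/Desktop_.ini + game.exe, base/share/GameSetup.exe."""
    layout = {
        "clean": ["report.exe"],
        "infected": [MARKER, "game.exe"],
        "share": [SHARE_COPY, "readme.txt"],
    }
    for folder, files in layout.items():
        folder_path = os.path.join(base, folder)
        os.makedirs(folder_path)
        for name in files:
            with open(os.path.join(folder_path, name), "w") as fh:
                fh.write("sample\n")


def run_demo():
    """Scan, inoculate and rescan a temporary tree; return a summary with '/'-separated paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        marked, copies = scan_tree(tmp)
        created = inoculate(tmp)
        marked_after, _ = scan_tree(tmp)

        def rel(path):
            return os.path.relpath(path, tmp).replace(os.sep, "/")

        return {
            "marked_before": sorted(rel(p) for p in marked),
            "copies": sorted(rel(p) for p in copies),
            "created": len(created),
            "marked_after": len(marked_after),
        }


if __name__ == "__main__":
    print(run_demo())
```

In the demo only the „infected“ folder carries a marker before inoculation and one GameSetup.exe copy sits in „share“; afterwards all four folders (the root and its three subfolders) carry one. A folder that already has the marker on a machine you believe is clean is itself a sign that the virus has been there.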
0 writebacks [03/04/2007 09:11]
Trojan Horse – Win32 – Fuclip
1. Summary:
Fuclip is a 30 kB trojan horse spread by infected e-mails. It acts as a backdoor that can delete any file on the hard drive and any registry key, and stop a process or a service.
Alias names:
Kaspersky: Email-Worm.Win32.Bagle.gt
McAfee: W32/Bagle.gen
NOD32: Win32/Fuclip
Symantec: Trojan.Tooso!gen
2. Detailed description:
After execution, the trojan horse creates the following files in the system directory (%SYSTEM%):
peers.ini
wincom32.sys
and registers itself as a service named “wincom32”.
The system directory under the different Windows versions is:
WindowsXP \WINDOWS\SYSTEM32\
Windows 2000 \WINNT\SYSTEM32\
The trojan horse can be controlled remotely. It can also download a file from the Internet and run it.
To hide itself it uses a „rootkit“ technique: it conceals its files and its service from the normal Windows views, so it can escape inspection with the standard system tools even by an experienced user.
3. Email messages:
There are several variants of the e-mail message.
The subject of the message is chosen from the following:
230 dead as storm batters Europe
British Muslims Genocide
Fidel Castro dead.
Hugo Chavez dead
Radical Muslim drinking enemies' blood
Sadam Hussein alive!.
Sadam Hussein safe and sound!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
The infected e-mail has an executable attachment that contains the body of the trojan horse. The attachment name is one of:
Full Clip.exe
Full Story.exe
Full Video.exe
Postcard.exe
Greeting Card.exe
Greeting Postcard.exe
Read More.exe
Video.exe
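The subject and attachment lists above are exactly the data a mail gateway rule is built from. The following Python is an added example, not code from the original page: it parses a raw RFC 822 message with the standard email package and returns the reasons the message looks like a Fuclip lure (a subject from the list, an attachment name from the list, or, as a broader rule that the page does not state, any directly attached executable). The sample messages are constructed inside the script; the sender and recipient addresses and the attachment bytes are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Lure subjects and attachment names from the description above (compared case-insensitively).
FUCLIP_SUBJECTS = {
    "230 dead as storm batters Europe",
    "British Muslims Genocide",
    "Fidel Castro dead.",
    "Hugo Chavez dead",
    "Radical Muslim drinking enemies' blood",
    "Sadam Hussein alive!.",
    "Sadam Hussein safe and sound!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
}
FUCLIP_ATTACHMENTS = {
    "Full Clip.exe", "Full Story.exe", "Full Video.exe", "Postcard.exe",
    "Greeting Card.exe", "Greeting Postcard.exe", "Read More.exe", "Video.exe",
}
# Assumption for the generic rule (not from the page): any directly attached
# executable is flagged, not only the names seen in this campaign.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr"}

_SUBJECTS_LOWER = {s.lower() for s in FUCLIP_SUBJECTS}
_ATTACHMENTS_LOWER = {a.lower() for a in FUCLIP_ATTACHMENTS}


def classify_message(raw):
    """Return a list of reasons the message matches the Fuclip pattern (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in _SUBJECTS_LOWER:
        reasons.append(f"subject is a known lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in _ATTACHMENTS_LOWER:
            reasons.append(f"attachment name is a known Fuclip dropper: {name!r}")
        elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {name!r}")
    return reasons


def build_sample(subject, attachment_name, payload=b"MZ\x90\x00 not a real executable"):
    """Constructed test message: placeholder addresses and a stub payload."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Read the attached story.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subject, name in [("Fidel Castro dead.", "Full Story.exe"),
                          ("Quarterly figures", "figures.pdf"),
                          ("Quarterly figures", "invoice.exe")]:
        verdict = classify_message(build_sample(subject, name)) or "clean"
        print(f"{subject!r} / {name!r}: {verdict}")
```

The exact-match subject rule catches this campaign only; the executable-attachment rule is what keeps catching the next one, which is why a gateway should carry both.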
4. Cleaning:
Stop the „wincom32“ service in the service manager (Start -> Settings -> Control Panel -> Administrative Tools -> Services). Since the trojan registered itself as a service, also remove the service registration, for example with sc delete wincom32 from a command prompt, so that a dead service entry pointing at the deleted driver does not remain.
Delete the file „wincom32.sys“ from the system directory (%SYSTEM%).
Delete the file „peers.ini“ from the system directory (%SYSTEM%).
If you are unsure whether „something evil“ that hides itself is running on your computer, use the utility „RootkitRevealer“. It compares the file system and registry as seen through the Windows API with a raw read of the disk and the registry hives, and lists the files and registry keys that a rootkit technique like the one above hides from the normal views.
You can download it from: http://download.sysinternals.com/Files/RootkitRevealer.zip
0 writebacks [03/04/2007 09:11]