July 07, 2007

FUJACKS-Virus

Fujacks creates the following files in the root of every drive (the autorun.inf launches setup.exe when the drive is opened or autoplayed):

* autorun.inf
* setup.exe

Creates Desktop_.ini in every folder it visits (a hidden marker file, not the legitimate desktop.ini).
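A small scanner for the on-disk artifacts listed above (the autorun.inf + setup.exe pair at a volume root, Desktop_.ini inside folders). This is an added example, not code from the original post or from any vendor write-up; the sample tree it builds is constructed for the demonstration, and on a real machine you would point scan_root() at a drive root such as Path("E:\\").

```python
"""Scan a directory tree for the on-disk artifacts described above:
the autorun.inf + setup.exe pair at a volume root and Desktop_.ini in folders.

Added example, not code from the original post. The sample tree is
constructed here as a fixture.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# The open= (or shellexecute=) directive in autorun.inf names the file that
# Explorer launches on autoplay; the worm points it at its own setup.exe.
_OPEN_RE = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def autorun_target(autorun_path: Path) -> Optional[str]:
    """Return the file named by open=/shellexecute= in an autorun.inf, or None."""
    try:
        text = autorun_path.read_text(errors="replace")
    except OSError:
        return None
    m = _OPEN_RE.search(text)
    return m.group(1) if m else None


def scan_root(root: Path) -> Dict[str, object]:
    """Check `root` (treated as a volume root) for the drop pattern.

    autorun_pair   True when autorun.inf exists and the file it launches is
                   present next to it (autorun.inf alone is normal on CDs)
    autorun_target the launch target named in autorun.inf, if any
    desktop_ini    every Desktop_.ini found anywhere under root
    """
    root = Path(root)
    autorun_pair = False
    autorun_tgt: Optional[str] = None
    desktop_ini: List[str] = []
    # Windows filenames are case-insensitive, so compare lower-cased names.
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            autorun_tgt = autorun_target(entry)
            if autorun_tgt and (root / autorun_tgt).is_file():
                autorun_pair = True
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop_.ini":
                desktop_ini.append(str(Path(dirpath) / name))
    return {"autorun_pair": autorun_pair, "autorun_target": autorun_tgt,
            "desktop_ini": desktop_ini}


def build_sample_tree(infected: bool = True) -> Path:
    """Construct a throwaway tree as a test fixture: an 'infected' volume with
    the dropped files, or a clean one with only a benign autorun.inf."""
    base = Path(tempfile.mkdtemp(prefix="fujacks_demo_"))
    (base / "docs").mkdir()
    (base / "docs" / "readme.txt").write_text("clean file\r\n")
    if infected:
        (base / "autorun.inf").write_text(
            "[AutoRun]\r\nOPEN=setup.exe\r\nshellexecute=setup.exe\r\n")
        # placeholder bytes standing in for the dropped binary, not a real PE
        (base / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (base / "docs" / "Desktop_.ini").write_text("constructed marker\r\n")
    else:
        # CD-style autorun.inf with no open= target: not the worm's pattern
        (base / "autorun.inf").write_text("[autorun]\r\nicon=disc.ico\r\n")
    return base


if __name__ == "__main__":
    for flag in (True, False):
        print("infected" if flag else "clean", scan_root(build_sample_tree(flag)))
```

The pairing check matters: an autorun.inf by itself is common on optical media, so the scanner only flags a root where the launch target named in the file is actually present beside it.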

Adds the following registry value so that its dropped copy is started every time
Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
"svcshare" = "%SYSTEM%\drivers\spoclsv.exe"

Terminates processes whose window title contains any of the following strings:

* VirusScan
* NOD32
* Symantec AntiVirus
* Duba
* esteem procs
* System Safety Monitor
* Wrapped gift Killer
* Winsock Expert
* msctls_statusbar32
* pjf(ustc)
* IceSword

Terminates the following processes:

* Mcshield.exe
* VsTskMgr.exe
* naPrdMgr.exe
* UpdaterUI.exe
* TBMon.exe
* scan32.exe
* Ravmond.exe
* CCenter.exe
* RavTask.exe
* Rav.exe
* Ravmon.exe
* RavmonD.exe
* RavStub.exe
* KVXP.kxp
* KvMonXP.kxp
* KVCenter.kxp
* KVSrvXP.exe
* KRegEx.exe
* UIHost.exe
* TrojDie.kxp
* FrogAgent.exe
* Logo1_.exe
* Logo_1.exe
* Rundl132.exe

Stops the following services:

* KVWSC
* KVSrvXP
* kavsvc
* AVP
* McAfeeFramework
* McShield
* McTaskManager
* navapsvc
* wscsvc
* KPfwSvc
* SNDSrvc
* ccProxy
* ccEvtMgr
* ccSetMgr
* SPBBCSvc
* Symantec Core LC
* Schedule
* sharedaccess
* RsCCenter
* RsRavMon
* NPFMntor
* MskService
* FireSvc

Deletes the following registry entries (the auto-start values of the security products it targets):

* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
* SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the "Show hidden files and folders" option in Folder Options, so its
hidden files stay out of sight, by setting the following registry value
(the Windows default is 1):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = dword:00000000
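A checker for the two registry changes above (the svcshare Run value and the SHOWALL CheckedValue tampering), working on a `reg export` text file so it can be run offline against an export pulled from a suspect machine. It also produces the .reg fragment that reverses both changes. This is an added example, not code from the original post; the sample export is constructed, and the expansion of %SYSTEM% to C:\WINDOWS\system32 in it is an assumption for the demonstration.

```python
"""Check a .reg export for the Fujacks persistence value and the SHOWALL
tampering described above, and emit a .reg fragment that reverses them.

Added example, not code from the original post. SAMPLE_EXPORT is
constructed; a real one comes from e.g.
  reg export HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion hklm_cv.reg
"""
import re
from typing import Dict, List

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SHOWALL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
               r"\explorer\advanced\folder\hidden\showall")

# Constructed export (%SYSTEM% assumed to be C:\WINDOWS\system32 here).
# .reg files double every backslash inside string values.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"Type"="radio"
'''

# "name"=... or @=... ; the name may contain escaped quotes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: value}}, lower-casing keys
    and value names (the registry is case-insensitive). Handles "string" and
    dword: values, which is all this check needs; other types stay raw."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        raw = m.group(3)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value: object = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        reg[current][name.lower()] = value
    return reg


def assess(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return a finding per indicator present in the parsed export."""
    findings: List[str] = []
    svc = reg.get(RUN_KEY, {}).get("svcshare")
    if isinstance(svc, str) and svc.lower().endswith(r"\drivers\spoclsv.exe"):
        findings.append("Run\\svcshare starts " + svc)
    if reg.get(SHOWALL_KEY, {}).get("checkedvalue") == 0:
        findings.append("SHOWALL\\CheckedValue is 0: show-hidden-files option disabled")
    return findings


def remediation_reg() -> str:
    """A .reg fragment that deletes the persistence value ("name"=- removes a
    value) and restores CheckedValue to the default of 1."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
        '"svcshare"=-\r\n\r\n'
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        "\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL]\r\n"
        '"CheckedValue"=dword:00000001\r\n'
    )


if __name__ == "__main__":
    for f in assess(parse_reg(SAMPLE_EXPORT)):
        print("FINDING:", f)
    print(remediation_reg())
```

Import the fragment with `reg import fix.reg` only after the running spoclsv.exe process has been killed and the file removed; otherwise the worm simply rewrites both values.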

It tries to copy itself to network shares, logging on with the following passwords:

* admin$
* 1234
* password
* 6969
* harley
* 123456
* golf
* pussy
* mustang
* 1111
* shadow
* 1313
* fish
* 5150
* 7777
* qwerty
* baseball
* 2112
* letmein
* 12345678
* 12345
* ccc
* admin
* 5201314
* qq520
* 123
* 1234567
* 123456789
* 654321
* 54321
* 111
* 000000
* abc
* 11111111
* 88888888
* pass
* passwd
* database
* abcd
* abc123
* sybase
* 123qwe
* server
* computer
* 520
* super
* 123asd
* ihavenopass
* godblessyou
* enable
* 2002
* 2003
* 2600
* alpha
* 110
* 111111
* 121212
* 123123
* 1234qwer
* 123abc
* 007
* aaa
* patrick
* pat
* administrator
* root
* sex
* god
* fuckyou
* fuck
* test
* test123
* temp
* temp123
* win
* asdf
* pwd
* qwer
* yxcv
* zxcv
* home
* xxx
* owner
* login
* Login
* pw123
* love
* mypc
* mypc123
* admin123
* mypass
* mypass123
* 901100
* Administrator
* Guest
* admin
* Root

Deletes files with the .gho extension (Norton Ghost disk images, i.e. backups
that could be used to restore the machine) from all local partitions
except the C: drive.

Infects all files with the extensions .htm, .html, .asp, .php, .jsp and .aspx.
