
Fujacks fixtool fixes "jack"

Updated: 29 Jun 2009

Following the arrest of Jun Li (creator of the W32.Fujacks or "Panda" worm) by the Hubei Police on February 3rd, the police promised to make an example of the virus author. To that end, the police announced in early February that they were going to have the virus creator write a program to remove the virus and repair the damage it had done.

On March 27th we obtained a copy of the removal tool created by Li. Naturally we were curious about the effectiveness of the tool against the variants of the threat found in the wild.

When the tool is executed, the user is presented with a message from Li himself:

[Screenshot: FujacksFixtool.jpg, the message displayed when the tool is run]

The message contains an apology and an explanation that he created the worm for research. He ends with a warning to beware of future threats (from others) and to take the necessary precautions. Li also acknowledges that his tool may not work as well as the professional tools provided by security vendors.

To find out how good (or bad) the tool is, we ran a battery of tests against the samples we had. The results made for sobering reading:

Variant            Efficacy
W32.Fujacks.A      Not effective
W32.Fujacks.AF     Not effective
W32.Fujacks.AW     Not effective
W32.Fujacks.B      Partially effective
W32.Fujacks.C      Partially effective
W32.Fujacks.D      Partially effective
W32.Fujacks.E      Partially effective
W32.Fujacks.L      Partially effective

Note:
"Partially effective" means that the tool removed some of the system changes made by Fujacks, but many remained. For example, in many of the tests the tool left behind registry keys created by the worm and failed to clean files that Fujacks had infected.
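The scoring described above can be made mechanical. The harness below is an added example, not code from the original post or from Li's tool: it models a host as a snapshot mapping each artefact (a file path or a registry value) to a content hash, derives the set of changes the worm introduced by diffing the clean and infected snapshots, then checks which of those changes the fix tool actually reverted and assigns the same three-way verdict used in the table. Every path, hash and the behaviour of the hypothetical fix tool are constructed for illustration and are not taken from a real Fujacks infection.

```python
# Added example (not Symantec's or Li's code): scoring a removal tool by
# diffing host snapshots taken clean, after infection, and after the fix tool.
# A snapshot is a dict: artefact path (file or registry value) -> content hash.
from dataclasses import dataclass
import hashlib


def h(content: str) -> str:
    """Stand-in for hashing a file or registry value's contents."""
    return hashlib.sha256(content.encode()).hexdigest()[:12]


@dataclass(frozen=True)
class Verdict:
    label: str            # "Fully effective" / "Partially effective" / "Not effective"
    remaining: frozenset  # artefacts the fix tool failed to restore


def infection_changes(clean: dict, infected: dict) -> dict:
    """Everything the worm added, modified or deleted.

    Returns path -> (hash in clean snapshot or None, hash in infected snapshot or None).
    """
    changes = {}
    for path, digest in infected.items():
        if clean.get(path) != digest:          # added or modified
            changes[path] = (clean.get(path), digest)
    for path in clean.keys() - infected.keys():
        changes[path] = (clean[path], None)    # deleted by the worm
    return changes


def score_fix(clean: dict, infected: dict, cleaned: dict) -> Verdict:
    """A change counts as reverted only if the artefact is back to its clean state."""
    changes = infection_changes(clean, infected)
    remaining = {path for path, (before, _) in changes.items()
                 if cleaned.get(path) != before}
    if not changes:
        label = "no infection observed"
    elif not remaining:
        label = "Fully effective"
    elif len(remaining) == len(changes):
        label = "Not effective"
    else:
        label = "Partially effective"
    return Verdict(label, frozenset(remaining))


# Constructed snapshots (hypothetical paths and contents). The fake fix tool
# deletes the dropped binary but leaves the autorun value and the infected
# executable untouched, which is the "partially effective" pattern above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APP_EXE = r"C:\Program Files\App\app.exe"
DROPPED = r"C:\Windows\System32\dropped.exe"

CLEAN = {
    APP_EXE: h("app v1"),
    RUN_KEY: h("{}"),
}
INFECTED = {
    APP_EXE: h("app v1 + prepended worm body"),   # infected PE
    DROPPED: h("worm body"),                       # file dropped by the worm
    RUN_KEY: h('{"x": "dropped.exe"}'),            # persistence entry
}
CLEANED = {
    APP_EXE: h("app v1 + prepended worm body"),   # still infected
    RUN_KEY: h('{"x": "dropped.exe"}'),            # registry value left behind
}

if __name__ == "__main__":
    verdict = score_fix(CLEAN, INFECTED, CLEANED)
    print(verdict.label)
    for path in sorted(verdict.remaining):
        print("  not restored:", path)
```

Running the tool against a snapshot pair is what turns "we ran it and looked" into a repeatable measurement: the same harness, fed snapshots for each variant, produces the per-variant verdicts a table like the one above is built from, and the `remaining` set is the list of artefacts to hand to whoever has to finish the cleanup by hand.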

What we can tell from our tests is that this removal tool is not effective against most of the samples we tested and is not fully effective against any of them. Li may have learned the hard way that this sort of activity does not pay. He has found out, to his cost, that it is much easier to write a program that causes destruction than one that repairs the damage.

Update:
We have published a whitepaper by Robert X Wang called The Panda Outlaw: W32.Fujacks. This paper discusses the authors of the worm, their motivations, the technical details, and the events that followed the worm's release.