W32.Fujacks.A

Discovered: November 14, 2006
Updated: November 14, 2006 4:10:39 PM
Type: Worm
Systems Affected: Windows

W32.Fujacks.A is a worm that spreads through network shares protected by weak passwords. It also copies itself, together with an autorun.inf, to the root directory of every partition and infects .exe files found on the local computer. The worm terminates a number of security-related processes and services.

Antivirus Protection Dates

  • Initial Rapid Release version November 15, 2006
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version November 15, 2006
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date November 15, 2006

Writeup By: John Canavan

When the worm executes, it creates the following files:
%System%\Fuckjacks.exe
[PARTITION ROOT]\setup.exe
[PARTITION ROOT]\autorun.inf
[NETWORK SHARE ROOT]\GameSetup.exe

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svohost" = "FuckJacks.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fuckjacks" = "FuckJacks.exe"

The worm may also delete auto-start registry values belonging to security products, namely entries whose names contain the following strings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"kav"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KAVPersonal50"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KvMonXP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"McAfeeUpdaterUI"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Network Associates Error Reporting Service"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RavTask"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ShStatEXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"yassistse"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"YLive.exe"
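
The file and registry markers above can be checked offline from a regedit export of the two Run keys and a copy of any autorun.inf found on a partition root. The following is an added example (not code from the writeup or from Symantec): it parses the .reg export, reports Run values that match the worm's entries, lists which of the security-product auto-start values above are absent, and flags an autorun.inf that launches an executable sitting beside it. The writeup does not reproduce the worm's autorun.inf, so the sample autorun.inf contents and the sample .reg export are constructed, and the .reg parser handles only string (REG_SZ) values.

```python
import configparser
import re
from typing import Dict, List

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
WORM_RUN_VALUES = {"svohost", "fuckjacks"}  # value names the worm writes
WORM_IMAGE = "fuckjacks.exe"                # dropped as %System%\Fuckjacks.exe
# auto-start value names the writeup says the worm may delete
AV_RUN_VALUES = ("kav", "KAVPersonal50", "KvMonXP", "McAfeeUpdaterUI",
                 "Network Associates Error Reporting Service", "RavTask",
                 "ShStatEXE", "yassistse", "YLive.exe")
_REG_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """String values of a regedit .reg export as {key: {name: data}}. Only REG_SZ
    lines are handled; .reg files are UTF-16, so open them with encoding="utf-16"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line) if current is not None else None
        if m:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \\ and \"
    return keys


def _values(reg: Dict[str, Dict[str, str]], key: str) -> Dict[str, str]:
    by_key = {k.lower(): v for k, v in reg.items()}  # key paths are case-insensitive
    return by_key.get(key.lower(), {})


def find_worm_run_entries(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Run values whose name or image matches the worm's persistence entries."""
    return [f"{key}\\{name} = {data}"
            for key in RUN_KEYS for name, data in _values(reg, key).items()
            if name.lower() in WORM_RUN_VALUES or WORM_IMAGE in data.lower()]


def missing_av_autostarts(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """AV auto-start values from the deletion list that are absent from HKLM Run.
    Only meaningful for products known to be installed on the host."""
    present = {n.lower() for n in _values(reg, RUN_KEYS[0])}
    return [n for n in AV_RUN_VALUES if n.lower() not in present]


def autorun_targets(text: str) -> List[str]:
    """Files an autorun.inf launches via open=, shellexecute= or shell\\...\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:  # no [section] header or malformed lines
        return []
    targets: List[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp[section].items():  # option names come back lower-cased
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            parts = value.strip().split()
            if launches and parts:
                targets.append(parts[0].strip('"'))
    return list(dict.fromkeys(targets))


def check_partition_root(root_listing: List[str], autorun_inf: str) -> List[str]:
    """Flag an autorun.inf that launches a file sitting beside it on the partition
    root, which is the setup.exe + autorun.inf layout the worm creates."""
    names = {n.lower() for n in root_listing}
    if "autorun.inf" not in names:
        return []
    hits = []
    for target in autorun_targets(autorun_inf):
        base = target.replace("/", "\\").split("\\")[-1].lower()
        if base in names:
            hits.append(f"autorun.inf launches {base}, which is present on the partition root")
    return hits


# Constructed samples, not captured from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svohost"="FuckJacks.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Fuckjacks"="FuckJacks.exe"
'''
# The writeup does not reproduce the worm's autorun.inf; this content is assumed
# from the documented layout (setup.exe next to autorun.inf on every partition root).
SAMPLE_AUTORUN = "[AutoRun]\nopen=setup.exe\nshell\\open\\command=setup.exe\n"
SAMPLE_D_ROOT = ["autorun.inf", "setup.exe", "Backup.gho"]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("worm autostart:", find_worm_run_entries(reg))
    print("AV autostarts absent:", missing_av_autostarts(reg))
    print("D: root:", check_partition_root(SAMPLE_D_ROOT, SAMPLE_AUTORUN))
```

On real data, read the export with open(path, encoding="utf-16") and pass a directory listing of each partition root. An absent AV auto-start value is only evidence if that product was installed; the worm's deletion of files on other partitions is not covered by this check.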

The worm may delete files with the following extensions from the root directory of local partitions other than the C drive (.gho files are Norton Ghost images, so backups kept on a second partition are lost):
.gho
.exe
.scr
.pif
.com

The worm then uses the following password list in an attempt to copy itself to network shares:
admin$
1234
password
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
123
1234567
123456789
654321
54321
111
000000
abc
11111111
88888888
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
520
super
123asd
ihavenopass
godblessyou
enable
2002
2003
2600
alpha
110
111111
121212
123123
1234qwer
123abc
007
aaa
patrick
pat
administrator
root
sex
god
foobar
secret
test
test123
temp
temp123
win
asdf
pwd
qwer
yxcv
zxcv
home
xxx
owner
login
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123
901100
Administrator
Guest
admin
Root
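
Whether a share or account password on your network would fall to this list is easy to test, and the list is also a useful yardstick for a password policy: a minimum length alone lets several of these entries through. The following added example (not from the writeup) embeds the list exactly as printed above and applies a simple policy model of minimum length plus number of character classes; that model is an assumption chosen for illustration, not anything the writeup describes.

```python
from typing import Dict, Iterable, List, Tuple

# The worm's list as printed in the writeup (duplicates and case variants kept).
FUJACKS_PASSWORDS = """
admin$ 1234 password 6969 harley 123456 golf pussy mustang 1111 shadow 1313 fish
5150 7777 qwerty baseball 2112 letmein 12345678 12345 ccc admin 5201314 qq520 123
1234567 123456789 654321 54321 111 000000 abc 11111111 88888888 pass passwd
database abcd abc123 sybase 123qwe server computer 520 super 123asd ihavenopass
godblessyou enable 2002 2003 2600 alpha 110 111111 121212 123123 1234qwer 123abc
007 aaa patrick pat administrator root sex god foobar secret test test123 temp
temp123 win asdf pwd qwer yxcv zxcv home xxx owner login Login pw123 love mypc
mypc123 admin123 mypass mypass123 901100 Administrator Guest admin Root
""".split()


def character_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    return sum((any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))


def policy_accepts(pw: str, min_len: int, min_classes: int) -> bool:
    """Generic length-plus-classes policy (an assumed model, not from the writeup)."""
    return len(pw) >= min_len and character_classes(pw) >= min_classes


def survivors(min_len: int, min_classes: int) -> List[str]:
    """Entries of the worm's list the policy would still allow, duplicates collapsed."""
    return list(dict.fromkeys(p for p in FUJACKS_PASSWORDS
                              if policy_accepts(p, min_len, min_classes)))


def is_guessable(pw: str) -> bool:
    """True if the worm would try this password. Case-insensitive on purpose: the
    worm tries exact strings, but treating case variants as guessable is the safe side."""
    return pw.lower() in {p.lower() for p in FUJACKS_PASSWORDS}


def policy_report(policies: Iterable[Tuple[int, int]]) -> Dict[str, int]:
    """Survivor count per (min_len, min_classes) policy, keyed 'len>=N,classes>=M'."""
    return {f"len>={n},classes>={c}": len(survivors(n, c)) for n, c in policies}


if __name__ == "__main__":
    for label, count in policy_report([(6, 1), (8, 1), (8, 2), (8, 3)]).items():
        print(f"{label}: {count} of the worm's passwords still allowed")
    print("survive len>=8,classes>=2:", survivors(8, 2))
    for candidate in ("letmein", "Summer2006!"):
        print(candidate, "guessable by the worm:", is_guessable(candidate))
```

With length 8 and one class, entries such as 12345678, password and Administrator survive; requiring two classes leaves 1234qwer, admin123, mypass123 and Administrator; three classes at length 8 rejects every entry, which is the point of the complexity requirement in the recommendations below.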

Next, the worm ends every process whose window title contains one of the following strings:
QQKav
QQAV
VirusScan
Symantec AntiVirus
iDuba
esteem procs
Wrapped gift Killer
Winsock Expert
msctls_statusbar32
pjf(ustc)
IceSword

The worm also ends the following processes:
Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl123.exe

Then the worm may stop the following services. sharedaccess (Windows Firewall/Internet Connection Sharing), wscsvc (Security Center) and Schedule (Task Scheduler) are Windows components; the others belong to antivirus and firewall products:
Schedule
sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
navapsvc
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc
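
On a host suspected of infection, the service list above doubles as a checklist: run sc query state= all, save the output and compare. The following added example (not from the writeup) parses that output and sorts the services named above into running, stopped and not installed; the sample output is constructed, not captured from an infected machine.

```python
import re
from typing import Dict, List

# Service names from the writeup, each listed once.
TARGET_SERVICES = (
    "Schedule", "sharedaccess", "RsCCenter", "RsRavMon", "KVWSC", "KVSrvXP",
    "kavsvc", "AVP", "McAfeeFramework", "McShield", "McTaskManager", "navapsvc",
    "wscsvc", "KPfwSvc", "SNDSrvc", "ccProxy", "ccEvtMgr", "ccSetMgr", "SPBBCSvc",
    "Symantec Core LC", "NPFMntor", "MskService", "FireSvc",
)
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text: str) -> Dict[str, str]:
    """Map SERVICE_NAME -> state word (RUNNING, STOPPED, ...) from sc query output."""
    states: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif current is not None:
            m = _STATE.match(line)
            if m:
                states[current] = m.group(1)
    return states


def check_target_services(states: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort the writeup's service list into running / stopped / not_installed."""
    by_name = {k.lower(): v for k, v in states.items()}  # service names are case-insensitive
    result: Dict[str, List[str]] = {"running": [], "stopped": [], "not_installed": []}
    for name in TARGET_SERVICES:
        state = by_name.get(name.lower())
        if state is None:
            result["not_installed"].append(name)
        elif state == "RUNNING":
            result["running"].append(name)
        else:
            result["stopped"].append(name)
    return result


# Constructed sample in the layout sc query prints; not captured from a real host.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: McShield
DISPLAY_NAME: McAfee McShield
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""

if __name__ == "__main__":
    for bucket, names in check_target_services(parse_sc_query(SAMPLE_SC_QUERY)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

A product you know was installed appearing under stopped, or its service missing entirely, is the signal; not_installed is expected for the many products in the list that were never on the host. Names are matched case-insensitively because sc reports SharedAccess in mixed case while the writeup prints it in lower case.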

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.