Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:26/02/2007
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:28.833 Bytes
MD5 checksum:916ede7e54c83f11f0f99f7e53178a3b
IVDF version: - Monday, February 26, 2007

 General Methods of propagation:
   • Local network
   • Mapped network drives

   •  Mcafee: W32/Fujacks
   •  Kaspersky:
   •  F-Secure:
   •  Sophos: W32/Fujacks-AU
   •  Grisoft: Worm/Delf.AEP
   •  Eset: Win32/Fujacks.O
   •  Bitdefender: Win32.Worm.Fujacks.J

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Downloads files
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\drivers\spoclsv.exe
   • %drive%\setup.exe

Sections are added to the following files.
– To: %all directories%\*.htm With the following contents:
   • iframe src=********** width=0 height=0 /iframe

This renames a file after system reboot.
– To: %all directories%\*.html With the following contents:
   • iframe src=********** width=0 height=0 /iframe

– To: %all directories%\*.asp With the following contents:
   • iframe src=********** width=0 height=0 /iframe

– To: %all directories%\*.php With the following contents:
   • iframe src=********** width=0 height=0 /iframe

– To: %all directories%\*.jsp With the following contents:
   • iframe src=********** width=0 height=0 /iframe

– To: %all directories%\*.aspx With the following contents:
   • iframe src=********** width=0 height=0 /iframe

The following files are created:

%all directories%\Desktop_.ini This is a non malicious text file with the following content:
   • %current date%

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

It tries to download a file:

– The location is the following:
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry key is continuously in an infinite loop added in order to run the process after reboot.

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • %SYSDIR%\drivers\spoclsv.exe

The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • RavTask
   • KvMonXP
   • kav
   • KAVPersonal50
   • McAfeeUpdaterUI
   • Network Associates Error Reporting Service
   • ShStatEXE
   • YLive.exe
   • yassistse

The following registry key is changed:

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Old value:
   • CheckedValue = %user defined settings%
   New value:
   • CheckedValue = 0

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • Administrator
   • Guest
   • admin
   • Root

– The following list of passwords:
   • 1234; password; 6969; harley; 123456; golf; pussy; mustang; 1111;
      shadow; 1313; fish; 5150; 7777; qwerty; baseball; 2112; letmein;
      12345678; 12345; ccc; admin; 5201314; qq520; 123; 1234567; 123456789;
      654321; 54321; 111; 000000; abc; 11111111; 88888888; pass; passwd;
      database; abcd; abc123; sybase; 123qwe; server; computer; 520; super;
      123asd; ihavenopass; godblessyou; enable; 2002; 2003; 2600; alpha;
      110; 111111; 121212; 123123; 1234qwer; 123abc; 007; aaa; patrick; pat;
      administrator; root; sex; god; fuckyou; fuck; test; test123; temp;
      temp123; win; asdf; pwd; qwer; yxcv; zxcv; home; xxx; owner; login;
      Login; pw123; love; mypc; mypc123; admin123; mypass; mypass123; 901100

IP address generation:
It creates random IP addresses while it keeps the first three octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
The downloaded file is stored on the compromised machine as: %all shared folders%\GameSetup.exe

Slow down:
– It creates the following number of infection threads: 9
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also note a slight slow down due to the multiple network threads created.

 Process termination List of processes that are terminated:
   • Mcshield.exe; VsTskMgr.exe; naPrdMgr.exe; UpdaterUI.exe; TBMon.exe;
      scan32.exe; Ravmond.exe; CCenter.exe; RavTask.exe; Rav.exe;
      Ravmon.exe; RavmonD.exe; RavStub.exe; KVXP.kxp; KvMonXP.kxp;
      KVCenter.kxp; KVSrvXP.exe; KRegEx.exe; UIHost.exe; TrojDie.kxp;
      FrogAgent.exe; Logo1_.exe; Logo_1.exe; Rundl132.exe

Processes containing one of the following window titles are terminated:
   • Symantec AntiVirus
   • Duba
   • Windows
   • esteem procs
   • System Safety Monitor
   • Wrapped gift Killer
   • Winsock Expert

List of services that are disabled:
   • sharedaccess; RsCCenter; RsRavMon; RsCCenter; RsRavMon; KVWSC;
      KVSrvXP; KVWSC; KVSrvXP; AVP; kavsvc; McAfeeFramework; McShield;
      McTaskManager; McAfeeFramework; McShield; McTaskManager; navapsvc;
      wscsvc; KPfwSvc; SNDSrvc; ccProxy; ccEvtMgr; ccSetMgr; SPBBCSvc;
      Symantec Core LC; NPFMntor; MskService; FireSvc

 File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • FSG

설명 삽입자 Andrei Gherman   2008년 6월 19일 목요일
설명 업데이트 Andrei Gherman   2008년 6월 19일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.