
Wednesday, February 7, 2007

W32.Fujacks.D

Last week I got a warning on my computer screen about W32.Fujacks.D. It said that this type of virus is very dangerous, so I tried to find some information about this virus on the internet.

The list below gives some information about W32.Fujacks.D (Sophos names the same threat W32/Fujacks-D):
  • W32/Fujacks.D is a prepending virus and worm with backdoor functionality for the Windows platform.

  • It spreads to other computers on the network through available network shares and through removable storage devices.

  • It also runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

  • It also includes functionality to access the internet and communicate with a remote server via HTTP.

  • It may also modify HTML files, so infected web pages can spread it further.

  • When first run, W32.Fujacks.D copies itself to \drivers\spoclsv.exe (the write-up gives only this tail of the path).

    The following registry value is created so that spoclsv.exe runs at every logon:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    value name: svcshare
    data: \drivers\spoclsv.exe

  • The following registry value is set, which stops Explorer's "Show hidden files and folders" option from taking effect, so the dropped files stay hidden from a casual look:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    value name: CheckedValue
    data: 0

  • W32.Fujacks.D searches for EXE files to infect and creates a Desktop_.ini file in each folder where it succeeds. The marker file itself can be safely deleted, but its presence means the EXE files in that folder should be scanned.
  • W32/Fujacks-D includes functionality to delete shares including the Admin$ share.

  • May delete autostart entries whose names contain the following strings (these belong to antivirus and security products, so those products no longer start at boot):

    "kav"
    "KAVPersonal50"
    "KvMonXP"
    "McAfeeUpdaterUI"
    "Network Associates Error Reporting Service"
    "RavTask"
    "ShStatEXE"
    "yassistse"
    "YLive.exe"

    from the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • May delete files with the following extensions from the root folder of every local partition except the C drive:

    * .gho
    * .exe
    * .scr
    * .pif
    * .com

  • Ends every process whose window title contains one of the following strings (antivirus consoles and common malware-analysis tools):

    * QQKav
    * QQAV
    * VirusScan
    * Symantec AntiVirus
    * iDuba
    * esteem procs
    * Wrapped gift Killer
    * Winsock Expert
    * msctls_statusbar32
    * pjf(ustc)
    * IceSword
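The indicators above (the svcshare Run value, the SHOWALL tamper, the dropped spoclsv.exe and the Desktop_.ini markers) can be checked offline against a `reg export` dump and a directory listing taken from a suspect machine. The script below is an added example, not code from the original post or from any vendor write-up. It parses the .reg syntax the dump uses and flags matches; the registry dump and file list embedded in it are constructed sample data, and the full path of spoclsv.exe in that sample is an assumption, since the page lists only the `\drivers\spoclsv.exe` tail.

```python
r"""Offline triage for the W32.Fujacks.D indicators listed above (added example)."""
import re
from typing import Dict, List, Tuple, Union

# Indicators as given on the page. Key paths and value names are lower-cased so
# matching is case-insensitive, which is how the registry itself behaves.
RUN_KEY_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_KEY_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL").lower()
DROPPED_VALUE = "svcshare"
DROPPED_BINARY = r"\drivers\spoclsv.exe"      # the page gives only this tail of the path
KILLED_TITLES = ["QQKav", "QQAV", "VirusScan", "Symantec AntiVirus", "iDuba",
                 "esteem procs", "Wrapped gift Killer", "Winsock Expert",
                 "msctls_statusbar32", "pjf(ustc)", "IceSword"]

Value = Tuple[str, Union[str, int]]            # (type, data)
Hive = Dict[str, Dict[str, Value]]             # key path -> value name -> value

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    r"""Undo the \\ and \" escaping used in .reg files."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Hive:
    """Parse the subset of .reg syntax needed here: [key] headers, REG_SZ and dword values."""
    hive: Hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue                           # hex:/multi-line values are out of scope
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        rhs = m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            hive[current][name.lower()] = ("REG_SZ", _unescape(rhs[1:-1]))
        elif rhs.lower().startswith("dword:"):
            hive[current][name.lower()] = ("REG_DWORD", int(rhs[6:], 16))
    return hive


def check_registry(hive: Hive) -> List[str]:
    """Flag the persistence value and the SHOWALL tamper described on the page."""
    findings = []
    for key in (RUN_KEY_HKCU, RUN_KEY_HKLM):
        for name, (_, data) in hive.get(key, {}).items():
            if name == DROPPED_VALUE or (isinstance(data, str) and data.lower().endswith(DROPPED_BINARY)):
                findings.append(f"autostart value {name!r} in {key} -> {data}")
    checked = hive.get(SHOWALL_KEY, {}).get("checkedvalue")
    if checked is not None and checked[1] == 0:
        findings.append("SHOWALL\\CheckedValue is 0: Explorer's 'Show hidden files' option is disabled")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Flag the dropped binary and the Desktop_.ini infection markers in a directory listing."""
    findings = []
    for p in paths:
        folder, _, base = p.rpartition("\\")
        if base.lower() == "desktop_.ini":
            findings.append(f"infection marker {p}: EXE files under {folder} should be scanned")
        elif p.lower().endswith(DROPPED_BINARY):
            findings.append(f"dropped binary {p}")
    return findings


def would_be_killed(title: str) -> bool:
    """True if the worm's process killer would target a window with this title.
    Case-insensitive matching is an assumption; the page does not state the case rule."""
    t = title.lower()
    return any(s.lower() in t for s in KILLED_TITLES)


# Constructed sample data, not taken from a real host. The full path of
# spoclsv.exe below is assumed; the page lists only the "\drivers\spoclsv.exe" tail.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002
"""

SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\system32\drivers\spoclsv.exe",
    r"D:\Tools\Desktop_.ini",
    r"D:\Tools\putty.exe",
    r"E:\backup.gho",
]

if __name__ == "__main__":
    for f in check_registry(parse_reg_export(SAMPLE_REG_EXPORT)) + check_files(SAMPLE_FILE_LIST):
        print("[!]", f)
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` plus the HKLM Run and SHOWALL keys, and a `dir /s /b` listing of each partition. A missing antivirus autostart entry is deliberately not reported as a finding: its absence is only suggestive, since the product may simply not be installed, so compare the surviving HKLM Run values against the list above by hand.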
For virus removal:
If you use Sophos antivirus, follow the removal instructions in the Sophos write-up for W32/Fujacks-D.
If you use Symantec antivirus, follow the removal instructions in the Symantec write-up for W32.Fujacks.D.
