W32.Fujacks.CA

17 June 2009 Worm 3 Comments

W32.Fujacks.CA is a computer worm that may spread through unsecured network shared resources. It targets executable files on the compromised computer to spread locally.

Alias: Trojan.Pakes!sd6, Trojan.Win32.Pakes.nkm, W32/Fujacks.aw, PE_FUJACKS.DE-O, Mal/Packer, Trojan:Win32/Pakes.K, Packed.Win32.Klone, Win-Trojan/Pakes.82439

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
Upon execution of W32.Fujacks.CA, it copies itself to Drivers folder of system drive. Then, it breaches the mapping of IP addresses by deleting the Windows Hosts file.

To run the worm every time Windows starts, it may register a new service with the following information:
Service name: DMusic
Image path: %System%\drivers\JM.SYS
Startup Type: Automatic

The virus frequently connects to remote locations to download and execute additional malware.

Distribution
W32.Fujacks.CA spreads by searching executable files on the affected computer and append them with own malicious code. Infected files may function normally; however, every execution multiplies and spread the virus. On a network environment, this virus will spread by brute forcing itself to any Admin shared resources using a combination of user name and passwords.

Added Registry Entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run\"Explorer" = "%System%\drivers\TXP1atform.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ DMusic\"ImagePath" = "%System%\drivers\JM.SYS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\"Debugger" = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\360hotfix.exe\"Debugger" = "nstd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\360rpt.exe\"Debugger" = "nstd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\360safe.exe\"Debugger" = "nstd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\360safebox.exe\"Debugger" = "nstd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\360tray.exe\"Debugger" = "nstd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\agentsvr.exe\"Debugger" = "nstd -d"

Associated Files and Folders:

%System%\drivers\TXP1atform.exe
%System%\drivers\JM.SYS
%CommonProgramFiles%\Desktop_1.ini (clean file)
%CommonProgramFiles%\Desktop_2.ini (clean file)

1. Temporarily Disable System Restore (Windows Me/XP/Vista/7) . [how to]
2. Update the virus definitions.

3. Find and stop the service
- Click Start > Run.
- Type services.msc, and then click OK.
- Locate and select the service that was detected.

Service name: DMusic
Image path: %System%\drivers\JM.SYS
Startup Type: Automatic

- Click Action > Properties.
- Click Stop.
- Change Startup Type to Manual.
- Click OK and close the Services window.

4. Restart Windows in SafeMode [how to]
5. Run a full system scan and clean/delete all infected file(s)
6. Delete/Modify any values added to the registry. [how to edit registry]
Please refer to "Added Registry Entries"

7. Exit registry editor and restart Windows.
8. In order to make sure that threat is completely eliminated, carry out a full scan of your system using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.