W32.Fujacks.CB

W32.Fujacks.CB is a worm that spreads via USB removable drives, dropping an autorun.inf file on each infected drive so that the worm runs when the drive is accessed. W32.Fujacks.CB may also propagate to unsecured network drives by creating a copy of itself on the target drive.

Aliases: W32/Fujacks.ay (McAfee), PE_NEWT.A (Trend Micro), Virus.Win32.Kate.a (Kaspersky Lab), Net-Worm.Fujacks (PCTools), W32/Newt-A (Sophos), Virus:Win32/Viking.ND (Microsoft), Win32/Kate (AhnLab)

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When W32.Fujacks.CB executes, it drops several files into the Windows System folder.

It then registers the associated DLL as a service by creating the following registry entry:
Adds value: "DisplayName"
With data: "6to4"
To subkey: HKLM\SYSTEM\ControlSet\Services\6to4

Once this routine has completed, W32.Fujacks.CB deletes its own copy to leave no visible trace of the infection. The worm also deletes any existing entries in the Windows hosts file.

Distribution
W32.Fujacks.CB spreads to removable drives by copying itself to the drive together with an autorun.inf file, which launches the worm when the drive is accessed, as long as the Autoplay function is enabled on the compromised computer.

The worm also propagates through network-shared drives. It gains access by brute force, trying the user names and passwords from a built-in list. Once it has access, W32.Fujacks.CB drops a copy of itself on the remote PC and creates a scheduled job so that the copy is executed automatically.

Added Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\"0" = "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
Associated Files and Folders:
%System%\dllcache\systembox.bak
%System%\update.dll
%System%\Drivers\recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghost.exe
C:\bootfont.exe
%System%\6to4.dll
%System%\dllcache\6to4.dll
%System%\drivers\WmiSvc.sys
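As an added defender-side example (not part of the original write-up), the following Python parses a removable drive's autorun.inf for the launch directives this worm relies on and checks a host for the file indicators listed above. The autorun.inf sample is constructed, and %System% is assumed to be the System32 directory supplied by the caller.

```python
import os
from pathlib import PureWindowsPath

# File indicators listed on this page; %System% is expanded at check time.
FUJACKS_FILES = (
    r"%System%\dllcache\systembox.bak",
    r"%System%\update.dll",
    r"%System%\Drivers\recycle.{645ff040-5081-101b-9f08-00aa002f954e}\ghost.exe",
    r"C:\bootfont.exe",
    r"%System%\6to4.dll",
    r"%System%\dllcache\6to4.dll",
    r"%System%\drivers\WmiSvc.sys",
)
# [autorun] directives through which Autoplay can start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")

def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section of an autorun.inf body; keys are lowercased."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def autorun_launch_targets(text: str) -> list:
    """Distinct programs an autorun.inf would launch on insertion: a drive whose
    autorun.inf points at a program on the drive itself is the pattern described above."""
    launch = [v.split()[0].strip('"') for k, v in parse_autorun(text).items() if k in LAUNCH_KEYS and v]
    return [t for t in dict.fromkeys(launch) if PureWindowsPath(t).suffix.lower() in EXEC_SUFFIXES]

def present_indicators(system_dir: str, exists=os.path.exists) -> list:
    """Expand %System% and return the indicator paths found on this host.
    `exists` is injectable so the check can run against a fake file system."""
    return [p for p in (f.replace("%System%", system_dir) for f in FUJACKS_FILES) if exists(p)]

# Constructed sample (not captured from a real infection): three directives, one file.
SAMPLE_AUTORUN = r"""[AutoRun]
open=setup.exe
shell\open\Command=setup.exe
shellexecute=setup.exe
"""
```

On a live Windows host, call `present_indicators(os.path.join(os.environ["SystemRoot"], "System32"))` and `autorun_launch_targets(open(r"E:\autorun.inf").read())` for a suspect drive letter; a benign autorun.inf that only sets a label or icon returns an empty list.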

How to Remove W32.Fujacks.CB

1. Temporarily disable System Restore (Windows Me/XP).
2. Open your antivirus application and update the virus definition file so that even the most recent variant of W32.Fujacks.CB can be identified.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now boot, loading only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if an item cannot be deleted, quarantine it instead. Once the scan is complete, proceed with the next step.

Scan with Norton Power Eraser:

Norton Power Eraser (NPE), a free tool from Symantec, uses deep scanning to detect and remove threats like W32.Fujacks.CB. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.

Important! Because of Norton Power Eraser's aggressive method, it can flag even legitimate files as suspicious. Use this tool with care.

What to do next...