PE_FUJACKS.F-O
Overview

Malware type: File infector

Aliases: Trojan-PSW.Win32.QQRob.kl (Kaspersky), W32.Fujacks.B (Symantec), TR/Dldr.Delphi.Gen (Avira), W32/Fujacks-E (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via network shares

Infection Channel 2: Propagates via instant messaging applications

Infection Channel 3: Infects files

Infection Channel 4: Propagates via removable drives

Infection Channel 5: Copies itself in all available physical drives


Description: 

File infectors survive in the changing threat environment by adapting to it. PE_FUJACKS, a young family of file infectors discovered in the last quarter of 2006, exemplifies this. It has taken on the traits that characterize the prevailing threat landscape: multi-component, sequential, focused, Web-based, and profit-driven. A comprehensive article detailing PE_FUJACKS's routines and goals is available under the title "PE_FUJACKS: Jacking Up to the Times."

This file infector usually arrives on a system as a file downloaded by unsuspecting users while visiting Web sites. Upon execution, it drops a copy of itself as SPOCLSV.EXE in the DRIVERS folder under the Windows system folder.

This file infector searches an affected system for files with certain extension names and appends its code to every file it finds. The resulting infected files are detected by Trend Micro as PE_FUJACKS.F and HTML_FUJACKS.E.

This file infector drops copies of itself in the root folder of the system drive (usually C:\) and of the other physical and removable drives. It also drops the file DESKTOP_.INI, which serves as an infection marker, in every folder it traverses. The .INI file records the date on which the system was infected.
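The dropped copy and the DESKTOP_.INI markers are the artifacts a responder would sweep for on a suspect machine or a mounted image. The script below is an added example written for this page, not Trend Micro's tooling or part of the malware: it walks a directory tree and reports every SPOCLSV.EXE (noting whether it sits in a DRIVERS folder) and every DESKTOP_.INI marker with its contents. The sample tree it builds is constructed for the demonstration; the page does not give the exact format of the date inside the marker, so the "2006-12-20" value is an assumed placeholder. The one edge case worth getting right is that the marker's name differs from Windows' legitimate desktop.ini by a single underscore, so the match is on the exact name rather than a prefix.

```python
"""Sweep a directory tree for the PE_FUJACKS.F-O artifacts described above."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# File names taken from the description. Matching is case-insensitive because
# Windows file systems are; the marker name is compared exactly so that the
# legitimate desktop.ini (no underscore) present in many folders is never flagged.
DROPPER_NAME = "spoclsv.exe"   # copy dropped in the DRIVERS folder of the system folder
MARKER_NAME = "desktop_.ini"   # infection marker left in traversed folders
LEGIT_NAME = "desktop.ini"     # Windows' own folder-settings file, not an indicator


@dataclass
class SweepResult:
    droppers: List[str] = field(default_factory=list)      # paths of spoclsv.exe copies
    markers: Dict[str, str] = field(default_factory=dict)  # marker path -> file content
    dropper_in_drivers_dir: bool = False                   # at least one copy where the page says it lands


def sweep(root: str) -> SweepResult:
    """Walk `root` and collect dropper copies and infection markers."""
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower == DROPPER_NAME:
                result.droppers.append(full)
                if os.path.basename(dirpath).lower() == "drivers":
                    result.dropper_in_drivers_dir = True
            elif lower == MARKER_NAME:
                # The marker holds the infection date; keep the raw text for the report.
                with open(full, "r", errors="replace") as fh:
                    result.markers[full] = fh.read().strip()
    return result


def build_sample_tree(base: str) -> str:
    """Constructed sample layout imitating an infected C: drive (not a real capture)."""
    root = os.path.join(base, "C")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    docs = os.path.join(root, "Documents")
    os.makedirs(drivers)
    os.makedirs(docs)
    with open(os.path.join(drivers, "SPOCLSV.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)  # placeholder bytes standing in for the dropped copy
    # Assumed placeholder date: the page says the marker stores the infection date
    # but does not specify its format.
    for folder in (root, docs):
        with open(os.path.join(folder, "DESKTOP_.INI"), "w") as fh:
            fh.write("2006-12-20\n")
    with open(os.path.join(docs, LEGIT_NAME), "w") as fh:  # legitimate file, must not be flagged
        fh.write("[.ShellClassInfo]\n")
    return root


def demo() -> SweepResult:
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as base:
        return sweep(build_sample_tree(base))


if __name__ == "__main__":
    report = demo()
    for path in report.droppers:
        print("dropper copy:", path)
    for path, content in report.markers.items():
        print("infection marker:", path, "->", content)
    print("dropper found in a DRIVERS folder:", report.dropper_in_drivers_dir)
```

On a live system or a mounted image, call `sweep()` on each drive root in turn, since the description says copies and markers are written to every physical and removable drive, not just C:\.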

It enumerates the network shares reachable from the infected system and attempts to drop copies of itself into them. If a share is password-protected, it tries a built-in list of user names and passwords to gain access and propagate.

It may also spread copies of itself via popular instant messaging applications, such as Yahoo! Messenger and MSN Messenger.

It changes the folder-view settings so that files and folders carrying the Hidden and System attributes stay hidden from the user.

In addition, it terminates security and malware-related processes.

It connects to a certain URL in an attempt to download the file WORM.TXT, which contains further URLs that it then tries to connect to. The URLs in the .TXT file may change from time to time, since they depend on whatever file is currently uploaded there. As of this writing, however, the URL is unavailable.

For additional information about this threat, see the Solution and Technical Details sections.

Description created: Dec. 20, 2006 8:14:25 AM GMT -0800
