PE_FUJACKS.FL-O
Overview

Malware type: File infector

Aliases: Worm.Win32.Fujack.aa (Kaspersky), W32.Fujacks!inf (Symantec), TR/Delphi.Downloader.Gen (Avira), Mal/Behav-156 (Sophos), Worm:Win32/Emerleox.gen!A (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1: Propagates via network shares

Infection Channel 2: Infects files

Infection Channel 3: Propagates via removable drives

Infection Channel 4: Copies itself in all available physical drives


Description: 

For an at-a-glance view of this malware's behavior, refer to the Behavior Diagram shown below.

PE_FUJACKS_FL-O Behavior Diagram

Malware Overview

This file infector is dropped by other malware. It can also be downloaded unknowingly by a user when visiting malicious Web sites.

It searches the affected system for files with certain extensions. It then prepends its code to all of the said files. It creates an infection marker in infected files. It avoids infecting files found inside certain folders.

It enumerates the network shares in the infected system, into which it attempts to drop copies of itself. It uses a list of user names and passwords to access password-protected shares.

This file infector drops a copy of itself on all physical and removable drives. It also drops a file in every folder it traverses on those drives; this file contains the date of infection. It drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed.
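A defender-side check for the AUTORUN.INF behavior described above, as an added example that is not part of the original write-up: it hand-parses a drive root's AUTORUN.INF, tolerating junk lines that a strict INI parser would reject, and lists the programs the file would start. The file name `sample.exe` and the sample contents are constructed, since the page does not name the dropped files.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program


def parse_autorun(text):
    """Return {key: command} for launch entries in the [autorun] section."""
    launches, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        # Skip comments, junk lines and anything outside [autorun].
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command= adds a context-menu verb that runs a program.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value
    return launches


def audit_drive_root(root):
    """List the programs an AUTORUN.INF in `root` would start."""
    names = os.listdir(root)
    present = {n.lower() for n in names}
    findings = []
    for name in names:
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), errors="replace") as fh:
            launches = parse_autorun(fh.read())
        for key, command in launches.items():
            parts = command.split()
            target = parts[0].strip('"').lstrip("\\/") if parts else ""
            findings.append({"key": key, "target": target,
                             "target_in_root": target.lower() in present})
    return findings


if __name__ == "__main__":
    # Constructed sample: a temp directory stands in for a removable drive root.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nOPEN=sample.exe\nshell\\Auto\\command=sample.exe\n")
        open(os.path.join(root, "sample.exe"), "w").close()
        for finding in audit_drive_root(root):
            print(finding)
```

A finding with `target_in_root` set to true means the drive carries both the launcher entry and the executable it points to, which is the pairing to triage first.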

It terminates certain services if found on the system. It also terminates processes that contain certain strings, if found running in memory.

This file infector connects to a possibly malicious URL.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 9, 2008 10:06:50 AM GMT -0800
