The W32/Fujacks.s attempts to infect files on the victim's system and tries to download additional trojans from a remote website.

Upon execution, the worm drops a copy of itself in %SYSTEM%\drivers folder as spoclsv.exe and executes from there.

Creates the following files in all drives:
setup.exe
autorun.inf

Creates Desktop__.ini in all folders.

Adds the following values to the registry to auto start itself when Windows starts:
Software\Microsoft\Windows\CurrentVersion\Run
"nvscv32" = "%SYSTEM%\drivers\ncscv32.exe"

Terminates processes containing strings:

• VirusScan
• Symantec AntiVirus
• System Safety Monitor
• System Repair Engineer
• Wrapped gift Killer

Terminates the following processes:

• CCenter.exe
• FrogAgent.exe
• KRegEx.exe
• KVCenter.kxp
• KvMonXP.kxp
• KVSrvXP.exe
• KVXP.kxp
• Logo1_.exe
• Logo_1.exe
• Mcshield.exe
• msconfig.exe
• naPrdMgr.exe
• nvscv32.exe
• Rav.exe
• Ravmon.exe
• RavmonD.exe
• RavStub.exe
• RavTask.exe
• regedit.exe
• Rundl132.exe
• scan32.exe
• spo0lsv.exe
• spoclsv.exe
• sppoolsv.exe
• SREng.EXE
• taskmgr.exe
• TBMon.exe
• TrojDie.kxp
• UIHost.exe
• UpdaterUI.exe
• VsTskMgr.exe
   

Terminates the following Services:

• ccEvtMgr
• ccProxy
• ccSetMgr
• FireSvc
• KPfwSvc
• KVSrvXP
• McAfeeFramework
• McShield
• McTaskManager
• MskService
• navapsvc
• NPFMntor
• RsCCenter
• RsRavMon
• Schedule
• sharedaccess
• SNDSrvc
• SPBBCSvc
• Symantec Core LC
• wscsvc
   

Deletes the following Registry entries:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Disables the show hidden file options in folder options using the following registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"

It tries to copy itself to network shares using following passwords:
admin$
0
000000
007
1
110111111
111
1111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
1313fish
2002
2003
2112
2600
5150
520
5201314
54321
654321
6969
7777
88888888
901100
a
aaa
abc
abc123
abcd
admin
admin123
Administrator
alpha
asdf
baseball
ccc
computer
database
enable
fuck
fuckyou
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
patrickpat
pc
pussy
pw
pw123
pwd
qq520
qwer
qwerty
Root
root
server
sex
shadow
super
sybase123qwe
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv
 

Infects all the EXE, SCR, PIF, COM, htm, html, asp, php, jsp, aspx files. We detect the infected files as W32/Fujacks!htm and W32/Fujacks.s .

 

W32/Fujacks.s is a file infector that can spread over network drives and shared folders. Infected html files can download the file infector when opened in browser.