W32.Fujacks.BH W32/Catcher-A
Discovered: March 14, 2007
Also Known As: W32/Fujacks.z [McAfee], W32/Fujacks.dll [McAfee]
Type: Virus, Worm
Infection Length: 80,384 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once executed, the worm copies itself as the following files:
%System%\[RANDOM].dll
%System%\[RANDOM].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}\"StubPath" = "%System%\[RANDOM].exe"
The worm injects itself into the following processes:
Explorer.exe
Services.exe
Winlogon.exe
The worm attempts to download a file from the following URL:
[http://]www.lovesa.info/logo[REMOVED]
Note: At the time of writing, the file was unavailable.
The worm scans the compromised computer and prepends itself to .exe and .scr files. It avoids infecting files located in the following folders:
ComPlus Applications
Common Files
Delphi
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
NetMeeting
Online Services
Outlook Express
RECYCLER
System Volume Information
System32
Temp
WINNT
Windows Media Player
Windows NT
WinRAR
Windows
Note: Executable files increase in size by 80,384 bytes.
The worm also appends a reference to the domain www.lovesa.info to every file it finds with the following extensions:
.asa
.asp
.aspx
.bat
.cdx
.cer
.css
.htm
.html
.inc
.jsp
.php
The worm uses the following list of passwords in an attempt to copy itself to available network shares:
000000
00000000
1
110
111
111111
11111111
12
120
121212
123
123123
123321
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2000
2004
2005
2006
2007
2008
2k
321
4321
5021314
520
5201314
520520
54321
654321
88888
88888888
999999
Admin
Administrator
Password
Root
abc
abc123
abcd
abcd123
admin
admin123
administrator
adsl
asdf
asdf123
bye
byebye
cctv
china
computer
data
database
date
enable
foobar
fuck
fuckyou
ghost
god
godblessyou
goodbye
guest
guest123
guest321
hao123
happy
home
ihavenopass
iloveyou
internet
japan
kaonima
live
login
love
loveyou
mylove
mypass
mypass123
no
oracle
pass
passwd
password
pwd
qwer
root
sa
server
sex
super
sybase
temp
temp123
test
test123
user
users
wangba
window
windows
windows2000
windows2003
windowsxp.
xp
xxx
yxcv
zxcv
The worm then attempts to copy itself as one of the following filenames:
FuckJacks.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
c0nime.exe
iexpl0re.exe
nvscv32.exe
spoclsv.exe
svch0st.exe
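The indicators listed above can be turned into a host-level sweep. What follows is an added example, not part of the original writeup: a Python script that checks a host inventory (constructed here inline) for the copied filenames, the Active Setup StubPath entry, the domain reference appended to web files, and the 80,384-byte growth of executables relative to a known-good baseline size. The indicator values come from the writeup; the function names, the inventory layout, the sample paths and the heuristic that treats a CLSID that is not valid hexadecimal as suspicious (the CLSID in the writeup is not a well-formed GUID) are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators as given in the writeup above.
DROPPED_NAMES = {
    "fuckjacks.exe", "logo1_.exe", "logo_1.exe", "rundl132.exe", "c0nime.exe",
    "iexpl0re.exe", "nvscv32.exe", "spoclsv.exe", "svch0st.exe",
}
ACTIVE_SETUP_CLSID = "{21LYYSYS-9421-2126-L2Y1-L2Y1Y1S3Y1S4}"
APPENDED_DOMAIN = "www.lovesa.info"
WEB_EXTENSIONS = {".asa", ".asp", ".aspx", ".bat", ".cdx", ".cer", ".css",
                  ".htm", ".html", ".inc", ".jsp", ".php"}
INFECTION_LENGTH = 80_384

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def suspicious_filename(path: str) -> bool:
    """True if the basename is one of the names the worm copies itself under."""
    return PureWindowsPath(path).name.lower() in DROPPED_NAMES


def suspicious_active_setup(clsid: str, stub_path: str) -> bool:
    """Flag the Active Setup\\Installed Components entry from the writeup.

    Exact CLSID match is the primary check. As an assumed heuristic, a CLSID
    that is not a well-formed hex GUID whose StubPath launches an .exe from
    System32 is also flagged, since the writeup's CLSID is not valid hex.
    """
    if clsid.upper() == ACTIVE_SETUP_CLSID:
        return True
    malformed = GUID_RE.fullmatch(clsid) is None
    runs_from_system32 = re.search(r"(?i)\\system32\\[^\\]+\.exe$", stub_path) is not None
    return malformed and runs_from_system32


def web_file_references_domain(path: str, content: str) -> bool:
    """True for a file with a targeted extension whose text carries the domain."""
    return (PureWindowsPath(path).suffix.lower() in WEB_EXTENSIONS
            and APPENDED_DOMAIN in content.lower())


def size_grew_by_infection_length(baseline_size: int, current_size: int) -> bool:
    """Prepending infection adds exactly INFECTION_LENGTH bytes to an .exe/.scr."""
    return current_size - baseline_size == INFECTION_LENGTH


def scan(inventory: dict) -> list:
    """Run every check over an inventory dict and return the findings in order."""
    findings = []
    for path in inventory.get("files", []):
        if suspicious_filename(path):
            findings.append(f"dropped-name: {path}")
    for clsid, stub in inventory.get("active_setup", {}).items():
        if suspicious_active_setup(clsid, stub):
            findings.append(f"active-setup: {clsid} -> {stub}")
    for path, text in inventory.get("web_files", {}).items():
        if web_file_references_domain(path, text):
            findings.append(f"domain-ref: {path}")
    for path, (baseline, current) in inventory.get("exe_sizes", {}).items():
        if size_grew_by_infection_length(baseline, current):
            findings.append(f"size-delta: {path}")
    return findings


# Constructed sample inventory (assumed paths and contents, not real telemetry).
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\system32\svch0st.exe",   # worm name (zero instead of 'o')
        r"C:\WINDOWS\system32\svchost.exe",   # legitimate name, must not fire
        r"C:\Temp\Logo1_.exe",
    ],
    "active_setup": {
        ACTIVE_SETUP_CLSID: r"C:\WINDOWS\system32\abcd.exe",
        # constructed benign entry with a well-formed GUID
        "{12345678-ABCD-EF01-2345-6789ABCDEF01}": r"C:\Program Files\Example\setup.exe",
    },
    "web_files": {
        r"C:\Inetpub\wwwroot\index.htm": "<html><body>site</body></html>\nwww.lovesa.info",
        r"C:\notes.txt": "www.lovesa.info",  # not a targeted extension, must not fire
    },
    "exe_sizes": {
        # (known-good baseline size, current size on disk)
        r"C:\Program Files\Example\app.exe": (204800, 204800 + INFECTION_LENGTH),
        r"C:\Program Files\Example\tool.exe": (51200, 51200),
    },
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(finding)
```

On a live host the inventory would be filled from a directory walk, the Active Setup registry key and a software inventory that records baseline executable sizes; the size-delta check only works where such a baseline exists, because a prepended file still runs and carries no other obvious marker.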
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Infects various files.
Distribution
Distribution Level: Medium
Shared Drives: Copies itself to network shares.
Writeup By: Jeong Mun
Labels: Anti-Virus, Microsoft, Worm