

VIRUS ALERTS

File Infector FUJACKS

Original issue date: February 28, 2007

The file infector malware family PE_FUJACKS has been observed evolving traits that distinguish it from generic file infectors. File infectors of this kind are one component of focused information theft attacks. PE_FUJACKS is a multi-component, web-based malware family aimed at monetary gain. It arrives on a system when the user visits a malicious website, or it is downloaded by other malware already present. Its propagation vectors include network shares, removable drives, Instant Messaging and infected executable files.

PE_FUJACKS searches for files with the extensions .EXE, .SCR, .PIF and .COM, appends its code to them and marks them as infected. All variants of the family use the same infection marker, so that already-infected files are not reinfected (repeated infection would also make the malware easier to detect). It also infects files with the extensions .ASP, .ASPX, .HTM, .HTML, .JSP and .PHP by appending an IFRAME tag to them. When such an infected web page is viewed in a browser, the IFRAME redirects the browser to another malicious web page that exploits the Microsoft Data Access Components code execution vulnerability described in CIVN-2006-31 to download further malware onto the system.
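The two infection patterns above (code appended past the end of a PE executable, and an IFRAME appended past the end of a web page) can both be triaged offline. The following Python script is an added example written for this alert; it is not CERT-In or Trend Micro code and it does not know the family's actual infection marker. It parses the PE section table to measure the overlay (bytes after the last section) and flags IFRAME tags that sit after the closing </html> tag or are sized 0x0 or hidden. The sample PE image, the HTML pages and the host name malicious.example are constructed for the demonstration.

```python
"""Offline triage for appended-code PE infection and appended IFRAMEs.
Added example for this alert, not code from CERT-In or Trend Micro."""
import os
import re
import struct
import tempfile

PE_EXTS = {".exe", ".scr", ".pif", ".com"}
WEB_EXTS = {".asp", ".aspx", ".htm", ".html", ".jsp", ".php"}


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes that lie past the end of the last PE section.

    Appending infectors leave their code after the final section, so an
    overlay on a binary that previously had none is a strong triage signal.
    Raises ValueError for anything that is not a parseable PE image
    (.COM and .PIF files are not PE images; the caller skips those).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size
    end = 0
    for i in range(nsec):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or end > len(data):
        raise ValueError("section table does not fit the file")
    return len(data) - end


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ZERO_RE = re.compile(r"""(width|height)\s*=\s*["']?0\b""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def suspicious_iframes(html: str) -> list:
    """Return (src, reason) for IFRAME tags that look injected: placed after
    the closing </html> tag (the append pattern) or sized 0x0 / hidden."""
    last_html = html.lower().rfind("</html>")
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        reasons = []
        if last_html != -1 and m.start() > last_html:
            reasons.append("after </html>")
        if {n.lower() for n in ZERO_RE.findall(tag)} == {"width", "height"} or HIDDEN_RE.search(tag):
            reasons.append("hidden frame")
        if reasons:
            hits.append((src_m.group(1) if src_m else "", ", ".join(reasons)))
    return hits


def scan_tree(root: str) -> list:
    """Walk root and return (path, finding) tuples from both checks."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in PE_EXTS:
                with open(path, "rb") as fh:
                    data = fh.read()
                try:
                    overlay = pe_overlay_size(data)
                except ValueError:
                    continue  # .COM/.PIF or damaged header: not a PE image
                if overlay:
                    findings.append((path, "overlay of %d bytes past last section" % overlay))
            elif ext in WEB_EXTS:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for src, why in suspicious_iframes(fh.read()):
                        findings.append((path, "iframe %s (%s)" % (src, why)))
    return findings


def build_minimal_pe(overlay: bytes = b"") -> bytes:
    """Constructed PE32 image with a single .text section (not a real program)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)          # i386, one section
    struct.pack_into("<H", hdr, 0x54, 0xE0)               # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, 0x58, 0x10B)              # optional header magic
    sec = 0x40 + 4 + 20 + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + b"\xC3" * 0x200 + overlay


# Constructed sample pages; malicious.example is a placeholder host.
CLEAN_HTML = "<html><body><p>Hello</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + '<iframe src="http://malicious.example/x.htm" width="0" height="0"></iframe>\n'


def demo() -> list:
    """Write the constructed samples to a temporary tree, scan it and return
    (file name, finding) pairs sorted by file name."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "clean.exe": build_minimal_pe(),
            "infected.exe": build_minimal_pe(b"\x90" * 300),
            "index.html": CLEAN_HTML.encode(),
            "login.php": INFECTED_HTML.encode(),
            "boot.com": b"\xB8\x00\x4C\xCD\x21",   # not a PE image, must be skipped
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return sorted((os.path.basename(p), why) for p, why in scan_tree(root))


if __name__ == "__main__":
    for name, why in demo():
        print(name, "->", why)
```

An overlay by itself is not a verdict: installers, self-extracting archives and Authenticode-signed binaries legitimately carry data after the last section, so compare against known-good hashes or a baseline taken before the incident. The IFRAME check is likewise a triage aid; review each hit and the host it points to rather than deleting tags automatically.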

PE_FUJACKS is designed for Chinese Windows platforms but also runs on English-language Windows.

Variants: PE_FUJACKS.BE, HTML_FUJACKS.E, PE_FUJACKS.EZ-O, Backdoor.Win32.Delf.aka, W32/Fujacks.worm, Win32/Fujacks.L, PE_FUJACKS.AL-O, W32/Fujacks-B, W32.Fujacks.B, W32/Fujacks!htm.

Aliases: W32/Fujacks-J, W32/Fujacks.s, Win32/Emerleox.BM

Upon execution, the FUJACKS file infector performs the following activities:

  • Drops copies of itself, under enticing file names, onto network shares protected by weak passwords, removable drives and fixed drives.
  • Drops a *.INI file as an infection marker in every folder it touches. The *.INI file contains the date on which the system was infected.
  • Terminates security-related processes and processes belonging to other malware, in particular PE_LOOKED (another file infector family).
  • Sends instant messages containing a link to a malicious website from which a copy of the malware is downloaded without the user's knowledge.
  • Avoids infecting system files, so that the system keeps running and the infection can persist unnoticed.
  • Downloads a keylogging Trojan spyware that steals credentials for Zhengtu Online, a Chinese online game, for monetary gain.

In view of the high damage potential of this malware, users are advised to implement the following countermeasures:

  • Install and maintain up-to-date anti-virus software at both gateway and desktop level
  • Keep the operating system and application software current with the latest patches and fixes
  • Exercise caution when opening files or links received through Instant Messaging services


References:

http://blog.trendmicro.com/pe-fujacks-raises-the-bar-for-file-infectors/
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VNAME=PE%5FFUJACKS%3A+Jacking+Up+to+the+Times&Page


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003