PE_FUJACKS.CT-O

 Analysis by: Sabrina Lei Sioting

 ALIASES:

[Symantec]Trojan Horse; [Microsoft] Virus:Win32/Viking.JB; [Kaspersky] PAK:UPX,ARC:EmbeddedEXE; [Mcafee] W32/Fujacks.az; [Sophos] Mal/Generic-L

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This file infector drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

3,226,621 bytes

File Type:

EXE

File Compression:

UPX

Memory Resident:

Yes

Initial Samples Received Date:

02 Jun 2011

Installation

This file infector drops the following copies of itself into the affected system:

  • %system%\drivers\TXPlatform.exe

Autostart Technique

This file infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Explorer = %system%\drivers\TXPlatform.exe

Other System Modifications

This file infector modifies the following registry entries to hide files with Hidden attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 0

(Note: The default value data of the said registry entry is 1.)

File Infection

This file infector infects the following file types:

  • .asp
  • .htm
  • .html
  • .exe

Propagation

This file infector creates the following folder in all physical and removable drives:

  • ¡¡¡¡¡¡.exe

It drops copies of itself in network drives such as the following:

  • Cool_GameSetup.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
OPEN=¡¡¡¡¡¡.exe
shell\open=´ò¿ª(&O)
shell\open\Command=¡¡¡¡¡¡.exe
shell\open\Default=1
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command=¡¡¡¡¡¡.exe

Other Details

This file infector connects to the following possibly malicious URL:

  • http://www.{BLOCKED}g08.com/down/down.txt
  • http://www.{BLOCKED}g08.com/1.htm
  • http://www.{BLOCKED}g08.com/js/general.js
  • http://{BLOCKED}portal.information.com/?o_id=158506&domainname=daohang08.com

NOTES:
It prepends its codes to the targeted exe files.

It appends an iframe to the asp, htm, html and php files that redirects users to the following URL:

  • http://www.{BLOCKED}g08.com/down/htmmm/mm.Htm
.