Win32/Fujacks.S

Aliasy:	Worm.Win32.Fujack.g (Kaspersky), W32/Fujacks.l (McAfee), W32.Fujacks.E (Symantec)
Typ infiltr??cie:	v?�rus
VeĞkos??:	pribli?�ne 74 kB
Zasiahnut?� platformy:	Microsoft Windows
Verzia v?�rusovej datab??zy:	1979
Kr??tky popis:	Win32/Fujacks.S je v?�rus, ktor?? svoje telo prip??ja pred k??d hostiteĞa. Dok???�e sa ???�ri?? zdieĞan??mi priečinkami a na vymeniteĞn??ch m?�di??ch.

In??tal??cia

Pri spusten?� infikovan?�ho s??boru sa p?�vodn?? program zap?�??e do dočasn?�ho s??boru a spust?�. V?�rus sa skop?�ruje na nasleduj??ce miesto:

%windir%\drivers\spoclsv.exe

Sp??????anie pri ka?�dom ??tarte syst?�mu zabezpeč?� pridan?�m nasleduj??cej polo?�ky do datab??zy Registry:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“svcshare” = “%windir%\drivers\spoclsv.exe”

V datab??ze Registry nastav?� nasleduj??cu polo?�ku:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
“CheckedValue” = 0

Nasleduj??ce polo?�ky z datab??zy Registry odstr??ni:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse

?�?�renie

V?�rus sa skop?�ruje do kore??ov??ch priečinkov vymeniteĞn??ch diskov s nasleduj??cim menom:

setup.exe

V rovnak??ch priečinkoch vytvor?� nasleduj??ci s??bor:

autorun.inf

Takto sa v?�rus spust?� pri vlo?�en?� infikovan?�ho m?�dia.Infikovanie spustiteĞn??ch s??borov

V?�rus hĞad?? spustiteĞn?� s??bory na lok??lnych a sie??ov??ch diskoch. Infikuje iba s??bory, ktor?� sa nenach??dzaj?? v priečinkoch s niektor??m z nasleduj??cich re??azcov v mene:

Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
MSN
MSN Gamin Zone
NetMeeting
Outlook Express
Recycled
System Volume Information
system32
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WINNT

S??bory, ktor?� infikuje, vyber?? i podĞa niekoĞk??ch ďal???�ch krit?�ri?�. S??bor s v?�rusom prip??ja pred hostiteĞsk?? spustiteĞn?? s??bor. Pri spusten?� infikovan?�ho s??boru dok???�e zrekon??truova?? p?�vodn?? s??bor.In?� inform??cie

V?�rus hĞad?? na lok??lnych a sie??ov??ch diskoch s??bory s jednou z nasleduj??cich pr?�pon:

ASP
ASPX
HTM
HTML
JSP
PHP

K t??mto s??borom prid?? jeden riadok. Pri ich zobrazen?� sa preto otvor?� určit?? URL adresa.
Pri prehĞad??van?� diskov vytvor?� v?�rus v ka?�dom nav??t?�venom priečinku nasleduj??ci s??bor:

Desktop_.ini

Vyp?�na nasleduj??ce slu?�by:

AVP
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
KVSrvXP
KVWSC
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
RsCCenter
RsRavMon
sharedaccess
schedule
SNDSrvc
SPBBCSvc
Symantec
wscsvc

V?�rus sa sna?�?� stiahnu?? a spusti?? niekoĞko s??borov z Internetu.

This entry was posted on Pondelok, Marec 19th, 2007 at 3:36 pm and is filed under Encyklop?�dia, V?�rusy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.