PE_FUJACKS.CT-O
[Symantec] Trojan Horse; [Microsoft] Virus:Win32/Viking.JB; [Kaspersky] PAK:UPX,ARC:EmbeddedEXE; [McAfee] W32/Fujacks.az; [Sophos] Mal/Generic-L
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
File Size: 3,226,621 bytes
File Type: EXE
Compression: UPX
Memory Resident: Yes
Initial Samples Received Date: 02 Jun 2011
Installation
This file infector drops the following copies of itself into the affected system:
- %system%\drivers\TXPlatform.exe
Autostart Technique
This file infector adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Explorer = %system%\drivers\TXPlatform.exe
Other System Modifications
This file infector modifies the following registry entry so that files with the Hidden attribute stay hidden in Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
(Note: The default value data of the said registry entry is 1.)
File Infection
This file infector infects the following file types:
- .asp
- .htm
- .html
- .exe
Propagation
This file infector creates the following folder on all physical and removable drives:
- 　　　.exe (three full-width spaces followed by .exe; the GBK bytes A1 A1 A1 A1 A1 A1 render as ¡¡¡¡¡¡.exe when read as Latin-1)
It drops copies of itself in network drives such as the following:
- Cool_GameSetup.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings (the values are GBK-encoded; the extraction rendered them as Latin-1 mojibake, decoded here):
[AutoRun]
OPEN=　　　.exe
shell\open=打开(&O)
shell\open\Command=　　　.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=　　　.exe
(The executable name is three full-width spaces followed by .exe, shown as ¡¡¡¡¡¡.exe in the raw page; 打开 is "Open" and 资源管理器 is "Explorer".)
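Added example, not part of Trend Micro's entry: a small Python parser that decodes an AUTORUN.INF like the one above and flags execution targets whose file name is blank. The sample bytes are reconstructed from the strings on the page (the page's ¡¡¡¡¡¡.exe is the Latin-1 rendering of GBK A1 A1 A1 A1 A1 A1, three ideographic spaces); the function names and the EXEC_KEYS tuple are my own.

```python
"""Parse an AUTORUN.INF and flag execution targets with a whitespace-only file name."""

# Constructed sample: the page's INF re-encoded as the GBK bytes it came from.
SAMPLE_INF = (
    b"[AutoRun]\r\n"
    b"OPEN=\xa1\xa1\xa1\xa1\xa1\xa1.exe\r\n"                    # three U+3000 + .exe
    b"shell\\open=\xb4\xf2\xbf\xaa(&O)\r\n"                      # GBK "打开(&O)" (Open)
    b"shell\\open\\Command=\xa1\xa1\xa1\xa1\xa1\xa1.exe\r\n"
    b"shell\\open\\Default=1\r\n"
    b"shell\\explore=\xd7\xca\xd4\xb4\xb9\xdc\xc0\xed\xc6\xf7(&X)\r\n"  # GBK "资源管理器(&X)"
    b"shell\\explore\\Command=\xa1\xa1\xa1\xa1\xa1\xa1.exe\r\n"
)

# Keys whose value AutoRun will execute (assumed set, based on the keys in the sample).
EXEC_KEYS = ("open", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(raw: bytes) -> dict:
    """Return {lowercased key: value} for the [AutoRun] section.

    Decodes as GBK first (this sample's encoding) and falls back to Latin-1 so
    arbitrary bytes never raise. Only ASCII blanks are stripped, because
    str.strip() with no argument would also remove the U+3000 spaces that
    make up the file name.
    """
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip(" \t")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip(" \t").lower()] = value.strip(" \t")
    return entries


def is_blank_name(target: str) -> bool:
    """True if the file stem is empty or whitespace only (ASCII or U+3000)."""
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem == "" or stem.isspace()


def flag_autorun(raw: bytes) -> list:
    """Return (key, target) pairs whose execution target has a blank file name."""
    entries = parse_autorun(raw)
    return [(k, v) for k, v in entries.items() if k in EXEC_KEYS and is_blank_name(v)]
```

Run over a removable drive's AUTORUN.INF, a non-empty result from flag_autorun is a cheap indicator worth triaging; a clean installer INF such as OPEN=Setup.exe is not flagged.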
Other Details
This file infector connects to the following possibly malicious URLs:
- http://www.{BLOCKED}g08.com/down/down.txt
- http://www.{BLOCKED}g08.com/1.htm
- http://www.{BLOCKED}g08.com/js/general.js
- http://{BLOCKED}portal.information.com/?o_id=158506&domainname=daohang08.com
NOTES:
It prepends its code to the targeted .exe files.
It appends an iframe to the .asp, .htm, .html and .php files that redirects users to the following URL:
- http://www.{BLOCKED}g08.com/down/htmmm/mm.Htm