

W32.Fujacks.D (spoclsv.exe/GameSetup.exe) - Virus


Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm executes, it performs the following actions:

Copies itself as the following files:

[DRIVE LETTER]\setup.exe
[NETWORK DRIVE LETTER]\GameSetup.exe
%System%\Drivers\spoclsv.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Creates the following file to execute [DRIVE LETTER]\setup.exe:

[DRIVE LETTER]\autorun.inf

Adds the value:

"svcshare"="spoclsv.exe"

to the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it executes whenever Windows starts.

May delete entries that contain the following strings:

"kav"
"KAVPersonal50"
"KvMonXP"
"McAfeeUpdaterUI"
"Network Associates Error Reporting Service"
"RavTask"
"ShStatEXE"
"yassistse"
"YLive.exe"

from the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Uses a series of "net share" commands to close any local shared folders found.

May delete files with the following extensions from the root folder of local partitions, except the C drive:

.gho
.exe
.scr
.pif
.com

Uses the following password list in an attempt to copy itself to available network shares:

admin$
admin$
1234
password
6969
harley
123456
golf
pussy
mustang
1111
shadow
1313
fish
5150
7777
qwerty
baseball
2112
letmein
12345678
12345
ccc
admin
5201314
qq520
123
1234567
123456789
654321
54321
111
000000
abc
11111111
88888888
pass
passwd
database
123asd
ihavenopass
godblessyou
enable
2002
2003
2600
alpha
Login
pw123
love
mypc
mypc123
admin123
mypass
mypass123
901100
Administrator
Guest
admin
Root

Ends all processes whose window title contains any of the following strings:

QQKav
QQAV
VirusScan
Symantec AntiVirus
iDuba
esteem procs
Wrapped gift Killer
Winsock Expert
msctls_statusbar32
pjf(ustc)
IceSword

Ends the following processes:

Mcshield.exe
VsTskMgr.exe
naPrdMgr.exe
UpdaterUI.exe
TBMon.exe
scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl123.exe

May end the following services, some of which may be security-related:

Schedule
sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
navapsvc
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc

Scans the compromised computer and infects any .exe files it finds.

Manual Deleting Solution:

1. Restart your PC and boot into Safe Mode (press F8 during startup).
2. Open Start >> Run, type cmd and press Enter. This opens the Windows command prompt. In this window, type each of the following commands and press Enter at the end of each step.
3. type cd\
4. type cd windows\system32\drivers
5. type attrib -r -h -s spoclsv.exe
6. type del spoclsv.exe
7. type del spoclsv.exe
8. now type d: and press Enter to switch to the D: drive partition.
9. type attrib -r -h -s gamesetup.exe
10. type del gamesetup.exe
11. type exit
12. Open Start >> Run, type msconfig and press Enter. This opens the Windows msconfig window. Uncheck spoclsv.exe and gamesetup.exe.
13. Open Start >> Run, type regedit and press Enter. This opens the Windows Registry Editor. Find and remove the entries for spoclsv.exe and gamesetup.exe.
14. Then update your antivirus software. The virus attacks all of your program (.exe) files, so reinstall your software.

Note: Repeat steps 8 to 10 for each of your hard disk partitions to remove the files created by the virus.
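
To confirm the cleanup, the indicators listed above can be checked with a short script. This is an added example, not part of the original post: it flags setup.exe, GameSetup.exe and an autorun.inf that launches either of them in a drive root, and looks for the svcshare value in saved `reg query` output for the Run subkeys. The autorun.inf and registry samples at the bottom are constructed, since the post does not show the worm's actual file contents.

```python
import os
import re

# Indicators taken from the write-up above; file names are compared case-insensitively.
ROOT_DROPPERS = {"setup.exe", "gamesetup.exe"}
RUN_NAME, RUN_DATA = "svcshare", "spoclsv.exe"
# autorun.inf keys that start a program when the volume is opened.
LAUNCH_KEY = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=(.*)$", re.I)

def autorun_targets(text):
    """Return the lower-cased file names an autorun.inf body would launch."""
    targets = []
    for line in text.splitlines():
        key = LAUNCH_KEY.match(line)
        # Take the quoted string or the first token: the program without its arguments.
        prog = key and re.match(r'\s*(?:"([^"]+)"|(\S+))', key.group(1))
        if prog:
            path = prog.group(1) or prog.group(2)
            targets.append(re.split(r"[\\/]", path)[-1].lower())
    return targets

def scan_root(root):
    """List suspicious entries in one drive root (live, or an image mounted read-only)."""
    names = {n.lower(): n for n in os.listdir(root)}
    hits = [names[n] for n in sorted(ROOT_DROPPERS & set(names))]
    inf = names.get("autorun.inf")
    if inf:
        with open(os.path.join(root, inf), errors="replace") as fh:
            if ROOT_DROPPERS & set(autorun_targets(fh.read())):
                hits.append(inf)
    return hits

def run_key_hit(reg_query_output):
    """True if `reg query <Run subkey>` output holds svcshare pointing at spoclsv.exe."""
    for line in reg_query_output.splitlines():
        parts = line.split(None, 2)  # value name, type, data
        if len(parts) == 3 and parts[0].lower() == RUN_NAME and RUN_DATA in parts[2].lower():
            return True
    return False

if __name__ == "__main__":
    # Constructed samples, not captured from an infected machine.
    sample_inf = "[AutoRun]\nOPEN=setup.exe\nshell\\Auto\\command=setup.exe\n"
    sample_reg = "    svcshare    REG_SZ    C:\\WINDOWS\\system32\\drivers\\spoclsv.exe\n"
    print(autorun_targets(sample_inf))
    print(run_key_hit(sample_reg))
```

Run `scan_root` once per partition; an empty list together with `run_key_hit` returning False for both Run subkeys means the entries described in this post are gone, though infected .exe files still need an antivirus scan.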

© Copacopi, AllRightsReserved.