xisto Community
room2593

Worm_fujack 2

Just recently, I won the virus lottery. I am connected to a very large network right now which has several terabytes of shared files. The only real problem with this arrangement is that it leaves me very open to attack from viruses and worms. I got Win Antivirus 2008 recently, and now I got Worm_Fujack 2. How can one man get two system-destroying viruses in such a short amount of time? Just lucky, I guess.

The worm has several effects:

It will plant itself in your system32\drivers folder as spoclsv.exe.

It writes itself to your registry as

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

or

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

If you restart your computer while this program is embedded in your registry, it executes a system-wide edit of .exe and other files and embeds itself in every folder as desktop_.ini. So if you notice any of the effects, such as your virus software turning off, your task manager not working, or your system slowing down drastically, TRY NOT TO RESTART YOUR SYSTEM! It will dig itself in and make itself comfortable. Get a good scanner such as AVG and run it. Twice, if need be.

This worm will write itself into nearly every .exe, .scr, .pif and .com on your system. If you start any of these files, it will restart the virus on your system even if you've cleaned it off. There are a few exceptions, such as anything in a folder labeled any one of the following:

WINDOWS
Winnt
Recycled
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
NetMeeting
Common Files
ComPlus Applications
Messenger
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

The worm acts as a normal worm as well, throwing itself into all writable shared files and across the network. It absorbs system resources and will eventually freeze your system.

It shuts off your task manager (and many other tasks such as common virus software) and your active desktop. (The way to change this is to change your theme. It sounds weird, but it works. Go to Display Properties, Themes, and change it to My Current Theme. It will probably work.)

An odd feature is that this worm defaults your folders to not viewing hidden files and folders. You can't change this back; I think it messes with the registry. It therefore places a desktop_.ini file in every single folder on your computer. EVERY ONE. It seems to be read-only, so I don't think it is malicious. It is easily mistaken for desktop.ini, which is good.

If you have this worm, the best and most effective way to get rid of it is (of course) to rebuild your system, wiping the hard drive and reinstalling Windows. If you don't want to do this, then you need to take some evasive action.

Step One: Admit that this is going to be hard. Cry a little if you need to, bury your head in your hands and let it all out. Don't worry, I understand.

Step Two: Download a really good virus scanner that is little known to worms and viruses: try open source. It's okay, it won't bite. I used ClamWin. ClamWin doesn't have real-time scanning, but it is a deep scanner and will go over every line of code. ClamWin also has an awesome feature that will allow you to scan the system memory to eject the program from the RAM. This will stop it from running so you can work. Tell the scan to put everything it finds in a quarantine folder. This scan will find a million things that have been infected. Don't freak out. Then scan all removable media (thumb drives, iPods, removable hard drives).

Step Three: While the scan is running, go to your system32\drivers folder and delete spoclsv.exe. If you can't find it, wait for the scan to find the thing.

Step Four: Open the registry editor. Go to Start, Run, and type in "regedit.exe". This will open the editor, and from there you can find the files that have been added to your system and delete them. (They're listed above.)

Step Five: Once the scan is finished, take a deep breath.

Step Six: Restart your system. When the Windows symbol comes up, pull the plug. Say "I'm sorry" to your system. And mean it. Once you reboot, choose to start in Safe Mode with Networking. Download a spyware scanner such as AVG to do a deep scan again. It probably won't find things that ClamWin missed, but it can fix things, and that's what you need right now. Take everything it fixed and put it all back where you found it.

Your system will be limping along quite nicely now. The worm is gone, but it acts like an atomic bomb: it only takes a second to detonate, but the effects last for decades. Your system will be so torn up that you will probably have to uninstall a large portion of your programs and reinstall them. You'll find a million things in your start menu that don't link to anything. This leads you to the final step.

Step Seven: Admit that you won. It may not seem like it, but you definitely won. Give yourself a pat on the back.

The chances are that if you're reading this, you're trying to figure out how to fix your system. But I will go ahead and give you my two cents: unless you have a lot of files that you can't save, it might just be worth it to rebuild. I have a terabyte of files that I wouldn't be able to save otherwise. That's the only reason why I saved my system. A fresh install might be the way to go.

If I missed anything, I'll post more as I find out.
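
As an added example, and not part of room2593's post: the manual steps above (check the two Run keys for "Svcshare", look for spoclsv.exe in system32\drivers, notice the desktop_.ini files, then figure out which executables still need scanning) can be done in one pass from an elevated PowerShell prompt. The script below only uses the indicators the post lists; it reports by default and deletes the Run value and dropper only with -Remove. The -ScanRoot and -Remove parameters, the $SkippedFolders variable and the fujack-rescan.txt output path are this example's own choices, not anything from the post or from the worm.

```powershell
<#
 Added example, not code from the original post. Checks a Windows host for the
 Worm_Fujack indicators described above:
   1. a Run value named "Svcshare" under HKCU or HKLM pointing at spoclsv.exe
   2. the dropped %SystemRoot%\System32\drivers\spoclsv.exe
   3. desktop_.ini marker files (note the underscore; desktop.ini is normal)
 and then lists every .exe/.scr/.pif/.com that sits outside the folders the
 post says the worm skips, i.e. the files to scan before launching them again.
 Parameter names and the skip-list variable are this example's own choices.
#>
param(
    [string]$ScanRoot = "$env:SystemDrive\",
    [switch]$Remove      # delete the Run value and dropper instead of only reporting
)

$findings = @()

# 1. Persistence: the "Svcshare" Run value in either hive (as quoted in the post).
$runKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Svcshare
    if ($null -ne $value) {
        $findings += "Run value 'Svcshare' in $key -> $value"
        if ($Remove) { Remove-ItemProperty -Path $key -Name "Svcshare" -Force }
    }
}

# 2. The dropped binary in System32\drivers.
$dropper = Join-Path $env:SystemRoot "System32\drivers\spoclsv.exe"
if (Test-Path -LiteralPath $dropper) {
    $findings += "Dropper present: $dropper"
    if ($Remove) { Remove-Item -LiteralPath $dropper -Force }
}

# 3. desktop_.ini markers. The worm turns off hidden-file display, so -Force is
#    needed to see hidden/system files at all; access errors are skipped.
$markers = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter "desktop_.ini" `
                -ErrorAction SilentlyContinue)
if ($markers.Count -gt 0) {
    $findings += "desktop_.ini marker in $($markers.Count) folder(s), e.g. $($markers[0].DirectoryName)"
}

# 4. Executables outside the folders the post lists as untouched by the worm.
#    -contains compares case-insensitively, so "WINDOWS" also matches "Windows".
$SkippedFolders = @(
    "WINDOWS", "Winnt", "Recycled", "Windows NT", "WindowsUpdate",
    "Windows Media Player", "Outlook Express", "Internet Explorer", "NetMeeting",
    "Common Files", "ComPlus Applications", "Messenger",
    "InstallShield Installation Information", "MSN", "Microsoft Frontpage",
    "Movie Maker", "MSN Gaming Zone"
)
$candidates = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File `
                    -Include *.exe, *.scr, *.pif, *.com -ErrorAction SilentlyContinue |
    Where-Object {
        $parts = $_.DirectoryName.Split([IO.Path]::DirectorySeparatorChar)
        # keep the file only if none of its parent folders is on the skip list
        -not ($parts | Where-Object { $SkippedFolders -contains $_ })
    })
$listPath = Join-Path $env:TEMP "fujack-rescan.txt"
if ($candidates.Count -gt 0) {
    $candidates | Select-Object -ExpandProperty FullName | Set-Content -Path $listPath
    $findings += "$($candidates.Count) executable(s) outside the skipped folders need scanning; list in $listPath"
}

if ($findings.Count -eq 0) { "No Fujack indicators found under $ScanRoot" } else { $findings }
```

Run it once without -Remove while the scanner is working, and feed fujack-rescan.txt to the scanner rather than opening any file on it: as the post says, launching one infected .exe brings the worm back even after the dropper and Run value are gone.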
