Aliases: PE_FUBALCA.A-O, W32/Fujacks.aa, Agent.BKY, Trojan-Downloader.Win32.Agent.bky, Win32/Tonveck.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 01 Apr 2007
Damage: Medium

Characteristics: Windows 2000, NT, Server 2003 and XP are the systems affected by W32.Fubalca which was first found on April 1, 2007. This worm propagates via removable media and infects several file types like .exe and .html.

More details about W32.Fubalca

W32.Fubalca creates four specific files. These files are %System%\sysload3.exe, %System%\tempIcon.exe, %System%\[RANDOM FILE NAME].tmp and %System%\tempload.exe. After the creation of these files, the worm copies tool.exe and autorun.inf to the root of drives A to Z. then, the worm creates a particular system registry entry and injects its code to notepad.exe and IExplore.exe. From [http://]a.2007ip.com/css[REMOVED], a URL, the worm downloads a setting file. Then, other few URLs are used to download files. The files are copies of either Infostealer.Gampass or Infostealer.Perfwo. Another URL, [http://]if.iloveck.com/test/hos[REMOVED], is included in the setting file with various contents that can replace the hosts file. Other files with the following file extensions may be also infected: .exe, .asp, .jsp, .php, .htm, .aspx and .html. All infected .html files contain a particular javascript that adds a
tag with the URL [http://]macr.microfsot.com/Adm[REMOVED]. Through this URL, a copy of Trojan.Anicmoo is downloaded. This Trojan exploits Microsoft Windows Cursor and Icon ANI Format Handling Remote Buffer Overflow Vulnerability then downloads the worm body from another URL to be able to create a mutex called as “MyInfect”.

The W32.Fubalca program repairs and recreates itself to avoid detection and removal. It continuously updates its files, Dynamic Link Libraries (DLLs), processes and registry keys. An anti-malware scanner may not be able to detect the program’s complete files. The other remaining files may still continue to execute its operations when some of the components are deleted. The W32.Fubalca application uses the resources of the computer to excute its operation. This may lead to slower computer performance. The W32.Fubalca program may run on various operating systems including Windows 2000, Windows NT, and Windows XP.