Need help CLEANING html files with Win32/Fujack virus warning

Hi all, urgent help needed here...several files on our website are reported to have the Win32/Fujack virus. Can't really download them to repair as nod32 won't let ya! the files on the local server were also bad, and are now in quarantine, but there was no option to just clean them, only delete and quarantine.

Does anyone know anything about this virus? The dreamweaver machine has been checked for any infestation and comes up clean, except for the files found to be infected/now deleted. Help appreciated!!!

 

Hi herojig,

I would suggest creating a special folder for the purpose and excluding it in AMON (so that you may work on the files) and then restore them from Quarantine to that folder.

Look for suspicious <iframe> code that should not be there and upload the repaired files to replace the ones on your server.

Also, you will need to identify the source of the infection which should be a PC connected somewhere to your network as normally fujacks would spread via network shares. Perhaps try installing and updating NOD32 on each PC before disconnecting all from the network and perform a full scan and clean on each as described here except at post#75 click 'Scan & Clean' instead of 'Quit'. Once the PC's and servers on the network are cleared then they can be reconnected. Don't forget to permit NOD32 to submit any files it wishes to ESET for analysis - that way the detection can grow even stronger and remember to very any remote or away PC's and notebooks get cleared before they are permitted to connect again.

Please post back and let us know how you got on.

Cheers

 

Thanks so much for that timely reply. So can u please confirm this procedure:
1. create and exclude a directory for scanning
2. disable imon for a session to download the infected files from the webserver per this panel: https://www.wilderssecurity.com/attachment.php?attachmentid=186174&stc=1&d=1166751638
3. repair file by taking out iframe code (there should be none there)
4. re-enable imon
5. upload the repaired files
6. rescan all machines on the lan
This seems such a limited infection (6 files our of hundreds in same dir) and no registry entries, i am hoping to be okay after doing above - or some variation. thanks!!!
ps. so it comes from another machine on the lan via network share? and inserts bad iframe code? is that all?


**EDIT** well, i went ahead and did this and did find in those 6 files this line of code:

so what the *&$! is that!?! shouldn't someone shut that site down? well, thanks...this was a very embarrassing situation for us, but all is well now.

 

You're welcome.

You've fixed the files on your webserver so that is the first thing.

Yes, the threat commonly spreads via network share so the initiator could be any PC that has had access to your LAN and at least some variants can aparently break easy passwords on shares.
Apart from inserting the bad iframe may also attempt to download other threats/trojans and also modify executable files and embed itself so it is important you ensure all machines that have access to your network are scanned/cleaned & cleared. Otherwise what is now just a half dozen modified html documents could easily become a rampage.

Cheers

 

Hi, I've checked all our machines and there is no other trace of this virus. Scans all come up clean and i've looked in registrys for signatures. So now what? All looks good but I don't have a warm fuzzy yet. Does nod32 check registry for know sigs of this virus during a normal scan? thanks again for ur great help!!!

 

You might want to try this:

http://www.2-spyware.com/remove-fujacks.html

Note that there are several variations of fujack.

 

that's a sneaky trick. the link says it's a fujack removal tool, but it's a way to get you to install the entire product. which is now locked up in a cpu-intensive scan! well, we will see if it does anything more then spybot, which is running on all machines too, and never caught this worm.

 

Yeah I found the same. A full 14MB download so I left it alone.

 

well, i "bit" and after a 5 hour scan it found a bunch of stuff (harmless made to look not) and this one, which is interesting: http://www.pctools.com/mrc/infections/id/Backdoor.GrayBird.K
and did not show up in nod32 or spybot scans. so i am wondering if it's for real.

i find all these scanners irritating, almost as much as malware, as they seem to make a big deal of themselves to sell product and consume a lot of time. i am not sure why nod32 (which i think is a great product) just does not do everything, find everything, so we the user just has to have one scanner.

oh well, in a perfect world...

 

If you come across what you think may be a threat that NOD32 has missed please always submit it for analysis, the info is here.

Cheers

 

I've read that PC Tools does this free scan, finds a load of stuff in the hope that you will purchase.

To me this is a con.

Better to try a product that is fully functional (detects and removes) and is superior. Like I said in another post, I beta test for Sunbelt-Software's CounterSpy and supplied them with over 10,000 pre-2005 data undetected infections.

It is the best.

Try it for free.

NOD32's malware scanner is not in the same league as CounterSpy.

I use NOD32 as my recommended anti-virus etc program.

I use CounterSpy as my recommended anti-malware etc program.

CounterSpy has the largest threat database and not just the easy to detect and remove ones. We are talking the real nasty barsteward's to find and remove.

Here's the link:
http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/

Let me know what you find.


See here on Fujack:
http://research.sunbelt-software.com/threat_library_search.aspx?s=Fujack