Need help CLEANING html files with Win32/Fujack virus warning

Discussion in 'NOD32 version 2 Forum' started by herojig, Sep 2, 2007.

Thread Status:
Not open for further replies.
  1. herojig

    herojig Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    127
    Location:
    Kathmandu Nepal
    Hi all, urgent help needed here...several files on our website are reported to have the Win32/Fujack virus. Can't really download them to repair as nod32 won't let ya! the files on the local server were also bad, and are now in quarantine, but there was no option to just clean them, only delete and quarantine.

    Does anyone know anything about this virus? The dreamweaver machine has been checked for any infestation and comes up clean, except for the files found to be infected/now deleted. Help appreciated!!!
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi herojig,

    I would suggest creating a special folder for the purpose and excluding it in AMON (so that you may work on the files) and then restore them from Quarantine to that folder.

    Look for suspicious <iframe> code that should not be there and upload the repaired files to replace the ones on your server.

    Also, you will need to identify the source of the infection which should be a PC connected somewhere to your network as normally fujacks would spread via network shares. Perhaps try installing and updating NOD32 on each PC before disconnecting all from the network and perform a full scan and clean on each as described here except at post#75 click 'Scan & Clean' instead of 'Quit'. Once the PCs and servers on the network are cleared then they can be reconnected. Don't forget to permit NOD32 to submit any files it wishes to ESET for analysis - that way the detection can grow even stronger and remember to verify any remote or away PCs and notebooks get cleared before they are permitted to connect again.

    Please post back and let us know how you got on.

    Cheers :)
     
  3. herojig

    herojig Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    127
    Location:
    Kathmandu Nepal
    Thanks so much for that timely reply. So can you please confirm this procedure:
    1. create and exclude a directory for scanning
    2. disable imon for a session to download the infected files from the webserver per this panel: https://www.wilderssecurity.com/attachment.php?attachmentid=186174&stc=1&d=1166751638
    3. repair file by taking out iframe code (there should be none there)
    4. re-enable imon
    5. upload the repaired files
    6. rescan all machines on the lan
    This seems such a limited infection (6 files out of hundreds in same dir) and no registry entries, i am hoping to be okay after doing above - or some variation. thanks!!!
    ps. so it comes from another machine on the lan via network share? and inserts bad iframe code? is that all?


    **EDIT** well, i went ahead and did this and did find in those 6 files this line of code:
    so what the *&$! is that!?! shouldn't someone shut that site down? well, thanks...this was a very embarrassing situation for us, but all is well now.
     
    Last edited: Sep 2, 2007
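    The repair step from the reply above and the six-step procedure confirmed here both come down to the same job: find the <iframe> markup that does not belong in the page and take it out without touching the rest. The script below is an added example, not code from ESET/NOD32 or from any poster in this thread. It assumes (this is not stated in the thread) that an injected frame either loads from a host that is not one of the site's own hosts, or is sized or styled to be invisible; the sample page and the host name `injected.example` in it are constructed for the demo. It runs in dry-run mode by default and keeps a `.bak` copy of every file it rewrites, so the infected originals survive for submission to the vendor.

```python
"""Locate and strip injected <iframe> elements from a tree of HTML files.

Added example for the cleanup steps discussed in this thread; it is not an
ESET/NOD32 tool and not code from any poster.  Assumptions (not from the
thread): the injected markup is an <iframe> whose src points at a host that
is not one of the site's own hosts, or that is sized/styled to be invisible.
The sample page and the host names in it are constructed.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# A complete <iframe ...>...</iframe> element, or a lone/self-closing tag.
# Note: an unclosed <iframe> followed later by a closed one would be matched
# as a single span; inspect the report before rewriting in that case.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>",
    re.IGNORECASE | re.DOTALL,
)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero size or CSS hiding: injected frames are usually meant to be unseen.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def is_suspicious(tag, own_hosts):
    """True if the iframe tag loads from a foreign host or is hidden."""
    m = SRC_RE.search(tag)
    host = (urlparse(m.group(1)).hostname or "").lower() if m else ""
    foreign = bool(host) and host not in own_hosts  # relative src -> not foreign
    return foreign or bool(HIDDEN_RE.search(tag))


def strip_iframes(html, own_hosts):
    """Return (cleaned_html, list_of_removed_snippets)."""
    removed = []

    def repl(m):
        if is_suspicious(m.group(0), own_hosts):
            removed.append(m.group(0))
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


def clean_tree(root, own_hosts, dry_run=True):
    """Walk root for .htm/.html files; return {path: [removed snippets]}.

    With dry_run=False each affected file is rewritten and the original
    kept beside it as <name>.bak, so the evidence survives the cleanup.
    """
    report = {}
    root = Path(root)
    for path in list(root.rglob("*.html")) + list(root.rglob("*.htm")):
        original = path.read_text(encoding="utf-8", errors="replace")
        cleaned, removed = strip_iframes(original, own_hosts)
        if removed:
            report[str(path)] = removed
            if not dry_run:
                path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
                path.write_text(cleaned, encoding="utf-8")
    return report


# Constructed sample: one legitimate relative iframe that must survive, and
# one zero-sized iframe pointing at a made-up host that must be removed.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/news/frame.html" width="400" height="300"></iframe>
<p>Some page text.</p>
<iframe src="http://injected.example/count.htm" width="0" height="0"></iframe>
</body></html>
"""


def demo():
    """Write the sample into a temp dir, clean it for real, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        page = Path(tmp) / "index.html"
        page.write_text(SAMPLE_HTML, encoding="utf-8")
        report = clean_tree(tmp, {"www.example.org"}, dry_run=False)
        cleaned = page.read_text(encoding="utf-8")
        backup_exists = (Path(tmp) / "index.html.bak").exists()
    return {"report": report, "cleaned": cleaned, "backup": backup_exists}


if __name__ == "__main__":
    result = demo()
    for path, snippets in result["report"].items():
        print(path)
        for s in snippets:
            print("  removed:", s)
```

    Run it first with `dry_run=True` against the excluded working folder described above to get a list of every frame it would remove; only switch to `dry_run=False` once the report shows nothing you recognise as your own markup. The legitimate relative-path iframe in the sample is left in place, which is the check that matters: a cleanup that strips every iframe would also break pages that use frames on purpose.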
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You're welcome.

    You've fixed the files on your webserver so that is the first thing.

    Yes, the threat commonly spreads via network share so the initiator could be any PC that has had access to your LAN and at least some variants can apparently break easy passwords on shares.
    Apart from inserting the bad iframe it may also attempt to download other threats/trojans and also modify executable files and embed itself so it is important you ensure all machines that have access to your network are scanned/cleaned & cleared. Otherwise what is now just a half dozen modified html documents could easily become a rampage.

    Cheers :)
     
  5. herojig

    herojig Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    127
    Location:
    Kathmandu Nepal
    Hi, I've checked all our machines and there is no other trace of this virus. Scans all come up clean and i've looked in registries for signatures. So now what? All looks good but I don't have a warm fuzzy yet. Does nod32 check registry for known sigs of this virus during a normal scan? thanks again for your great help!!!
     
  6. techtype

    techtype Registered Member

    Joined:
    Nov 1, 2006
    Posts:
    80
  7. herojig

    herojig Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    127
    Location:
    Kathmandu Nepal
    that's a sneaky trick. the link says it's a fujack removal tool, but it's a way to get you to install the entire product. which is now locked up in a cpu-intensive scan! well, we will see if it does anything more than spybot, which is running on all machines too, and never caught this worm.
     
  8. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Yeah I found the same. A full 14MB download so I left it alone.
     
  9. herojig

    herojig Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    127
    Location:
    Kathmandu Nepal
    well, i "bit" and after a 5 hour scan it found a bunch of stuff (harmless made to look not) and this one, which is interesting: http://www.pctools.com/mrc/infections/id/Backdoor.GrayBird.K
    and did not show up in nod32 or spybot scans. so i am wondering if it's for real.

    i find all these scanners irritating, almost as much as malware, as they seem to make a big deal of themselves to sell product and consume a lot of time. i am not sure why nod32 (which i think is a great product) just does not do everything, find everything, so we the user just has to have one scanner.

    oh well, in a perfect world...
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you come across what you think may be a threat that NOD32 has missed please always submit it for analysis, the info is here.

    Cheers :)
     
  11. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    I've read that PC Tools does this free scan, finds a load of stuff in the hope that you will purchase.

    To me this is a con.

    Better to try a product that is fully functional (detects and removes) and is superior. Like I said in another post, I beta test for Sunbelt-Software's CounterSpy and supplied them with over 10,000 pre-2005 data undetected infections.

    It is the best.

    Try it for free.

    NOD32's malware scanner is not in the same league as CounterSpy.

    I use NOD32 as my recommended anti-virus etc program.

    I use CounterSpy as my recommended anti-malware etc program.

    CounterSpy has the largest threat database and not just the easy to detect and remove ones. We are talking the real nasty barsteward's to find and remove.

    Here's the link:
    http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/

    Let me know what you find.


    See here on Fujack:
    http://research.sunbelt-software.com/threat_library_search.aspx?s=Fujack
     