Panda joss-stick virus rears its head on 3500 websites

January 18, 2007 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have urged Windows users not to panic following reports of a "five-star cyber worm" that is said to have infected "several million" computers across China. The virus has captured attention because it converts icons of infected programs into a picture of a panda burning joss-sticks.

Media reports from China, including the Shanghai Daily, have quoted members of the Shanghai Information Technology Service Center as a "top level" threat, because of the threat it posed to networks belonging to government bureaus and companies. At least one Beijing-based security firms reportedly estimated that several million people's PCs may be infected by the worm.

Sophos experts have discovered over 3500 different internet websites hosting copies of the Fujacks malware. The company has, however, received very few reports of customers being infected by the malware.

The virus, known as Fujacks-I and Fujacks-J (also called worm.whboy in some media reports), was already detected proactively by Sophos's behavioral genotype technology as Mal/Packer.

The viruses change icons of infected programs to a picture of a panda holding joss-sticks

The viruses change icons of infected programs to a picture of a panda holding joss-sticks.

Although the Shanghai Daily story reports that all infections have so far been on Chinese-language versions of Windows, this is not a limitation of Fujacks. The virus will run and spread on English language Windows, too. Indeed, Fujacks can spread rapidly across an infected PC because it is a parasitic virus, using existing EXE files as hosts to infect. This means that a single PC may end up with hundreds of copies of the virus on it.

Additionally, Fujacks spreads to network shares and onto removable disk devices such as USB keys, music players and cameras. Fujacks creates a hidden AUTORUN file on removable devices, in the hope of spreading the virus automatically when an infected device is inserted into another PC.

"Despite its LAN-crawling ability, Fujacks is unlikely to go unnoticed as it spreads, which seems to mitigate against any sort of global pandemic. The virus changes the icons of EXE files to a picture of a panda burning joss-sticks," said Graham Cluley, senior technology consultant for Sophos. "Additionally, the virus leaves some infected files unable to work as usual, and infected computers are likely to be unuseable until they are disinfected. This makes infection rather obvious. We have had one or two reports of infected PCs from Asia, but there is no evidence of any sort of 'devastating' outbreak - at least amongst business users - as suggested elsewhere."

Users of Sophos anti-virus products are already protected against the Fujacks worm. Sophos continues to recommend that users exercise caution about what software they run on their computers, don't use an administrator account for day-to-day work, write-protect network shares which contain corporate applications, and run the very latest security software.