Experts at SophosLabs™, Sophos's global
network of virus, spyware and spam analysis centers, have urged
Windows users not to panic following reports of a "five-star cyber
worm" that is said to have infected "several million" computers
across China. The virus has captured attention because it converts
icons of infected programs into a picture of a panda burning
Media reports from China, including the Shanghai Daily, have
quoted members of the Shanghai Information Technology Service
Center as a "top level" threat, because of the threat it posed to
networks belonging to government bureaus and companies. At least
one Beijing-based security firms reportedly estimated that several
million people's PCs may be infected by the worm.
Sophos experts have discovered over 3500 different internet
websites hosting copies of the Fujacks malware. The company has,
however, received very few reports of customers being infected by
The virus, known as Fujacks-I and Fujacks-J (also called
worm.whboy in some media reports), was already detected proactively
by Sophos's behavioral genotype
technology as Mal/Packer.
The viruses change icons of infected programs
to a picture of a panda holding joss-sticks.
Although the Shanghai Daily story reports that all infections
have so far been on Chinese-language versions of Windows, this is
not a limitation of Fujacks. The virus will run and spread on
English language Windows, too. Indeed, Fujacks can spread rapidly
across an infected PC because it is a parasitic virus, using
existing EXE files as hosts to infect. This means that a single PC
may end up with hundreds of copies of the virus on it.
Additionally, Fujacks spreads to network shares and onto
removable disk devices such as USB keys, music players and cameras.
Fujacks creates a hidden AUTORUN file on removable devices, in the
hope of spreading the virus automatically when an infected device
is inserted into another PC.
"Despite its LAN-crawling ability, Fujacks is unlikely to go
unnoticed as it spreads, which seems to mitigate against any sort
of global pandemic. The virus changes the icons of EXE files to a
picture of a panda burning joss-sticks," said Graham Cluley, senior
technology consultant for Sophos. "Additionally, the virus leaves
some infected files unable to work as usual, and infected computers
are likely to be unuseable until they are disinfected. This makes
infection rather obvious. We have had one or two reports of
infected PCs from Asia, but there is no evidence of any sort of
'devastating' outbreak - at least amongst business users - as
Users of Sophos anti-virus products are
already protected against the Fujacks worm. Sophos continues to
recommend that users exercise caution about what software they run
on their computers, don't use an administrator account for
day-to-day work, write-protect network shares which contain
corporate applications, and run the very latest security