Suspects arrested in Panda joss-stick virus case

Sophos Press Release

Fujacks worm stole usernames and passwords

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed the news that Chinese authorities have arrested a group of hackers in connection with the Fujacks worm. The worm (also known as Worm.Whboy) made headlines last month because it converts icons of infected programs into a picture of a panda burning joss-sticks as it steals usernames and passwords from online games players.

In the final quarter of 2006 alone, Sophos detected 31,000 different webpages containing versions of the Fujacks malware.

According to Chinese media reports, six men all in their twenties have been apprehended. One of those arrested, 25-year-old Li Jun, and is believed to use the handle "Whboy" and to be the creator of the Fujacks malware.

Li Jun, who lives in Wuhan, the capital city of Hubei Province in central China, was said in a police statement to have earned more than US $12,500 by selling the malware to other internet hackers. The Chutian Metropolis Daily has claimed that Li was motivated to create the virus after he failed to find an IT job in Guangzhou and Beijing.

"I wanted to find a job with an internet security company, but I failed every time," Li Jun is reported to have told police. "I wrote the program to express my discontent."

Fujacks changes icons of infected programs to a picture of a panda holding joss-sticks

Fujacks changes icons of infected programs to a picture of a panda holding joss-sticks, and steals information from users of the QQ instant messaging program.

"The international community should applaud the Chinese authorities for investigating one of their first major cybercrime cases," said Graham Cluley, senior technology consultant for Sophos. "With so much malware and spam being distributed from Chinese computers we can only hope that a strong message will be sent out to other criminals based in the country."

If found guilty of writing and spreading the malware, Li Jun could face a five year jail sentence.

In January Sophos published its annual Security Threat Report, which detailed the latest trends in malware around the world, identifying China-based web servers as being second only to the United States for the amount of malware they host. According to Sophos experts over 30% of all malware is written in China.

Users of Sophos anti-virus products are already protected against the Fujacks worm. Sophos continues to recommend that users exercise caution about what software they run on their computers, don't use an administrator account for day-to-day work, write-protect network shares which contain corporate applications, and run the very latest security software.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at