
Worm:VBS/Cantix.A


First posted on 23 April 2019.
Source: Microsoft

Aliases :

Worm:VBS/Cantix.A is also known as Smalltroj.YHFI, VBS/Worm.BA, VBS/Yuyun.A, Trojan.Script.257191, Win32.HLLW.Cantix, VBS/AutoRun.EY, VBS.Yuyun, VBS.Runauto, VBS_AGENT.AVKG.

Explanation :

Worm:VBS/Cantix.A is a worm written in VBScript that spreads via removable drives.

Installation

When executed, the worm copies itself to the following location:

  %system32%\.tmp

and launches that copy. The worm also copies itself to these locations:

  C:\dekstop.ini
  %my documents%\df5srvc.bfe

Note: the malware also attempts to copy itself into an NTFS (New Technology File System) alternate data stream attached to the Windows directory, where it does not appear in an ordinary directory listing:

  %windows%:microsoft office update for windows xp.sys

The worm may also create shortcut files (.lnk) named after existing directories, for example:

  C:\Documents and Settings.lnk

Each shortcut points to a copy of the malware, for example:

  C:\dekstop.ini

The worm sets the following registry entries to ensure execution at each Windows start:

Adds value: "Df5serv"
With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "WinUpdate"
With data: "wscript.exe //e:vbscript "%windir%:microsoft office update for windows xp.sys""
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

(The //e:vbscript switch tells Windows Script Host to use the VBScript engine regardless of the file's extension, which is how copies named .bfe and .sys, and the copy stored in an alternate data stream, get executed.)

The malware also sets the following registry entries in an attempt to ensure its survival: it disables the Registry Editor for the current user and tampers with the Explorer Folder Options entries that govern the display of hidden operating-system files (WarningIfNotDefault holds the warning text Explorer shows for that checkbox):

Adds value: "DisableRegistrytools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: "WarningIfNotDefault"
With data: "fandy love yuyun"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Spreads via…

Removable drives

The worm enumerates drives looking for removable drives. For each one it finds, it makes a copy of itself as:

  <removable drive>:\dekstop.ini

Worm:VBS/Cantix.A then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable drive is accessed from another computer with the Autorun feature enabled, the malware is launched automatically.
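The persistence and survival writes above share two signals a triage script can key on: a Run value that invokes wscript.exe with //e:vbscript on a file whose extension is not a script type (or whose path is an alternate data stream), and writes to policy or Folder Options keys that legitimate software has no reason to touch. The following is an added example, not code from the Microsoft analysis; it takes registry writes as (key, value name, data) triples, such as the output of a sandbox run or a before/after registry diff, and the sample list is constructed from the entries reported on this page plus two benign control entries.

```python
import re
from typing import Iterable, List, Tuple

# Key paths are compared case-insensitively, as the registry itself does.
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}
POLICY_KEY = r"hkcu\software\microsoft\windows\currentversion\policies\system"
# Explorer's Folder Options checkbox templates. Only the worm-style "keep my
# hidden files hidden" trick writes here, so any write to these names is a finding.
FOLDER_TEMPLATE_PREFIX = "\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\folder\\"
FOLDER_TEMPLATE_NAMES = {"checkedvalue", "uncheckedvalue", "warningifnotdefault"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# "wscript.exe <args>" / "cscript.exe <args>", optionally with a quoted full path to the host.
SCRIPT_HOST = re.compile(r'^"?(?:[^"]*\\)?[wc]script\.exe"?\s+(?P<args>.*)$', re.IGNORECASE)
ENGINE_FLAG = re.compile(r"//e:vbscript", re.IGNORECASE)


def script_target(args: str) -> str:
    """The script file handed to WSH: first quoted token, else first non-//switch token."""
    quoted = re.search(r'"([^"]+)"', args)
    if quoted:
        return quoted.group(1)
    rest = [tok for tok in args.split() if not tok.startswith("//")]
    return rest[0] if rest else ""


def triage_registry_writes(writes: Iterable[Tuple[str, str, str]]) -> List[str]:
    """One finding string per suspicious write; benign writes produce nothing."""
    findings: List[str] = []
    for key, name, data in writes:
        k, n, d = key.strip().lower(), name.strip().lower(), str(data).strip()
        if k in RUN_KEYS:
            m = SCRIPT_HOST.match(d)
            if not m:
                continue
            target = script_target(m.group("args"))
            reasons = []
            if ENGINE_FLAG.search(m.group("args")) and not target.lower().endswith(SCRIPT_EXTS):
                reasons.append("//e:vbscript forces the VBScript engine on a non-script extension")
            # A colon in the final path component means file:stream, i.e. an NTFS ADS.
            if ":" in target.rsplit("\\", 1)[-1]:
                reasons.append("target is an NTFS alternate data stream")
            if reasons:
                findings.append(f"{key}\\{name} -> {target}: " + "; ".join(reasons))
        elif k == POLICY_KEY and n == "disableregistrytools" and d == "1":
            findings.append(f"{key}\\{name}=1: Registry Editor disabled for the user")
        elif FOLDER_TEMPLATE_PREFIX in k and n in FOLDER_TEMPLATE_NAMES:
            findings.append(f"{key}\\{name}={d}: Folder Options template tampered with")
    return findings


# Constructed sample: the writes this page attributes to the worm, plus two
# benign control entries (assumed, not from the page) that must not be flagged.
SAMPLE_WRITES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Df5serv",
     r'wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpdate",
     r'wscript.exe //e:vbscript "%windir%:microsoft office update for windows xp.sys"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistrytools", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden",
     "WarningIfNotDefault", "fandy love yuyun"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden",
     "CheckedValue", "0"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Backup",
     r'wscript.exe //e:vbscript "C:\Tools\backup.vbs"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Tray",
     r'"C:\Program Files\Vendor\tray.exe" /silent'),
]

if __name__ == "__main__":
    for line in triage_registry_writes(SAMPLE_WRITES):
        print(line)
```

The five worm entries are reported and the two controls are not. On a live host the alternate data stream itself can be confirmed with `dir /R C:\` (Windows Vista and later) or `Get-Item -Path C:\Windows -Stream *` in PowerShell 3.0 and later, since a plain directory listing never shows it.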
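The removable-drive mechanism above rests entirely on autorun.inf, so an incident responder imaging a USB stick wants to know what the file would launch. This added example (not part of the Microsoft analysis) parses the [autorun] section the way the Windows profile APIs do and flags launch entries that run a script host or point at a file that is not a normal executable. The sample file is constructed: the page only says the autorun.inf points to dekstop.ini, so the launch keys and the exact wscript command line used here are assumptions.

```python
from typing import Dict, List, Tuple

# Keys the shell consults to decide what to run on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
RUNNABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [autorun] section. Section and key names are
    case-insensitive, the first of duplicate keys wins (as GetPrivateProfileString
    behaves), and junk lines without '=' are ignored rather than rejected."""
    entries: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    return [(k, entries[k]) for k in LAUNCH_KEYS if k in entries]


def first_token(cmd: str) -> str:
    """Program part of a command line, honouring a quoted path with spaces."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()
    return parts[0] if parts else ""


def assess_autorun(text: str) -> List[str]:
    """One finding per launch entry that runs a script host or a non-executable."""
    findings: List[str] = []
    for key, cmd in launch_entries(parse_autorun(text)):
        low = cmd.lower()
        if "wscript" in low or "cscript" in low or "//e:" in low:
            findings.append(f"{key}: launches a script host -> {cmd}")
            continue
        if not first_token(cmd).lower().endswith(RUNNABLE_EXTS):
            findings.append(f"{key}: launch target is not an executable -> {cmd}")
    return findings


# Constructed sample modelled on the behaviour described above (assumed layout).
MALICIOUS_AUTORUN = r"""[autorun]
;filler the worm might add to upset signature matching
open=wscript.exe //e:vbscript dekstop.ini
shellexecute=wscript.exe //e:vbscript dekstop.ini
shell\open\command=wscript.exe //e:vbscript dekstop.ini
shell\explore\command=wscript.exe //e:vbscript dekstop.ini
icon=%SystemRoot%\system32\shell32.dll,8
label=Removable Disk
"""

# Constructed benign control: a vendor installer disc.
BENIGN_AUTORUN = r"""[AutoRun]
open="Setup Files\setup.exe" /quiet
icon=setup.exe,0
label=Vendor Tools
"""

if __name__ == "__main__":
    for line in assess_autorun(MALICIOUS_AUTORUN):
        print(line)
    print("benign findings:", assess_autorun(BENIGN_AUTORUN))
```

All four launch entries in the constructed worm file are flagged and the installer disc produces nothing. Microsoft disabled AutoRun for removable (non-optical) media on Windows XP, Vista and 7 through a Windows Update in early 2011, and later Windows versions never honour it, so the check matters for unpatched legacy hosts and for understanding what an infected stick was trying to do.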
The worm also copies itself to the following locations:

  %appdata%\microsoft\cd burning\dekstop.ini
  %appdata%\microsoft\cd burning\autorun.inf

(This is the Windows XP staging folder for files queued to be written to CD, so the copies end up on any CD the user subsequently burns.)

Payload

Changes start page

The malware modifies the following registry entry to change the browser start page:

Adds value: "Start Page"
With data: "http://www.bendot.co.nr"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main

Prints a text message

The malware writes a text file to the following location:

  %system32%\v.doc

On the first day of each of the following months:

  January
  April
  July
  October

it sends the text to the default printer using the following command:

  notepad.exe /p %system32%\v.doc

The contents of the text document (Indonesian song lyrics, kept verbatim here as the printed artifact; an English rendering follows) are as follows:

  Orang Bodoh Cari Jodoh

  Dahulu terasa indah
  Tak ada yang mau dan menginginkan aku
  Karna cuma diriku yang tak laku-laku

  Tiada yang salah
  Hanya aku manusia bodoh
  Yang biarkan semua ini permainkanku
  Berulang ulang ulang kali

  Pengumuman-pengumuman
  Siapa yang mau bantu
  Tolong aku kasihani aku
  Tolong carikan diriku kekasih hatiku
  Siapa yang mau

  Mencoba bertahan sekuat hati
  Layaknya karang yang
  Dihempas sang ombak
  Jalani hidup dalam buai belaka
  Serahkan cinta tulus di dalam takdir

  Hanya kepedihan
  Yang s'lalu datang menertawakanku
  Engkau belahan jiwa
  Tega menari indah di atas tangisanku

  Tapi sampai kapankah ku harus
  Menanggungnya kutukan cinta ini
  Bersemayam dalam kalbu

In English:

  A Fool Looking for a Mate

  Once it all felt beautiful
  Now no one wants or desires me
  Because I am the only one nobody will take

  Nothing is wrong
  It is only me, a foolish man
  Who let all of this toy with me
  Again and again and again

  Announcement, announcement
  Who is willing to help
  Help me, take pity on me
  Please find me my sweetheart
  Who is willing

  Trying to hold on with all my heart
  Like a rock that is
  Battered by the waves
  Living life on nothing but daydreams
  Surrendering sincere love to fate

  Only sorrow
  Ever comes to laugh at me
  You, my soulmate
  Have the heart to dance so beautifully upon my tears

  But for how long must I
  Bear this curse of love
  That dwells within my heart

Analysis by Ray Roberts

Last update 23 April 2019
