Worm:VBS/Cantix.A
First posted on 23 April 2019.
Source: Microsoft

Aliases:
Worm:VBS/Cantix.A is also known as Smalltroj.YHFI, VBS/Worm.BA, VBS/Yuyun.A, Trojan.Script.257191, Win32.HLLW.Cantix, VBS/AutoRun.EY, VBS.Yuyun, VBS.Runauto, VBS_AGENT.AVKG.

Explanation:
Worm:VBS/Cantix.A is a worm written in VBScript that spreads via removable drives.

Installation

When executed, the worm copies itself to the following location and launches that copy:
  %system32%
  .tmp

The worm also copies itself to these locations:
  C:\dekstop.ini
  %my documents%\df5srvc.bfe

Note: The malware attempts to copy itself to an NTFS (New Technology File System) alternate data stream:
  %windows%:microsoft office update for windows xp.sys

The worm may also create several shortcut files named after a directory, for example:
  C:\Documents and Settings.lnk
Each such shortcut points to a copy of the malware, for example:
  C:\dekstop.ini

The worm also sets the following registry entries to ensure execution at each Windows start:

Adds value: "Df5serv"
With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "WinUpdate"
With data: "wscript.exe //e:vbscript "%windir%:microsoft office update for windows xp.sys""
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The malware also sets the following registry entries in an attempt to ensure its survival:

Adds value: "DisableRegistrytools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: "WarningIfNotDefault"
With data: "fandy love yuyun"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Spreads via…

Removable drives

The worm enumerates drives checking for removable drives. If one is found, the malware makes a copy of itself as:
  :\dekstop.ini

Worm:VBS/Cantix.A then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The worm also copies itself to the following locations:
  %appdata%\microsoft\cd burning\dekstop.ini
  %appdata%\microsoft\cd burning\autorun.inf

Payload

Changes start page

The malware modifies the following registry entry to change the browser start page:

Adds value: "Start Page"
With data: "http://www.bendot.co.nr"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main

Prints a text message

The malware writes a text file to the following location:
  %system32%\v.doc

On the first day of the following months:
  January
  April
  July
  October
the malware sends the text to the printer using the following command:
  notepad.exe /p %system32%\v.doc

The contents of the text document are as follows:

Orang Bodoh Cari Jodoh
Dahulu terasa indah
Tak ada yang mau dan menginginkan aku
Karna cuma diriku yang tak laku-laku
Tiada yang salah
Hanya aku manusia bodoh
Yang biarkan semua ini permainkanku
Berulang ulang ulang kali
Pengumuman-pengumuman
Siapa yang mau bantu
Tolong aku kasihani aku
Tolong carikan diriku kekasih hatiku
Siapa yang mau
Mencoba bertahan sekuat hati
Layaknya karang yang
Dihempas sang ombak
Jalani hidup dalam buai belaka
Serahkan cinta tulus di dalam takdir
Hanya kepedihan
Yang s'lalu datang menertawakanku
Engkau belahan jiwa
Tega menari indah di atas tangisanku
Tapi sampai kapankah ku harus
Menanggungnya kutukan cinta ini
Bersemayam dalam kalbu

Analysis by Ray Roberts
Last update 23 April 2019
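The persistence entries under Installation and the autorun.inf dropped on removable drives are the two indicators a responder can check without touching the worm itself. The following script is an added example, not part of the Microsoft write-up: it parses a `reg export` text and an autorun.inf and flags the patterns described above (a Run value that forces wscript.exe to interpret a non-.vbs file as VBScript, a launch target that is an NTFS alternate data stream, DisableRegistrytools set to 1, SuperHidden CheckedValue set to 0, and autorun launch entries that point at a data file). The registry export, the benign "Updater" entry and the autorun.inf content are constructed sample inputs mirroring the values in the description, not captures from an infected machine; the autorun.inf keys used are the standard open, shellexecute and shell\open\command entries.

```python
"""Defender-side checks for the Worm:VBS/Cantix.A persistence and spreading
indicators described above. Added example, not from the Microsoft write-up;
the sample inputs are constructed, not captured from an infected machine."""
import re
from configparser import ConfigParser

# Constructed `reg export` text mirroring the Run, Policies and SuperHidden
# values listed in the description, plus one benign Run entry for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Df5serv"="wscript.exe //e:vbscript \"c:\\documents and settings\\administrator\\my documents\\df5srvc.bfe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="wscript.exe //e:vbscript \"%windir%:microsoft office update for windows xp.sys\""
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistrytools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue"=dword:00000000
'''

# Constructed autorun.inf of the shape the worm drops on removable drives;
# the file it points at is the one named in the write-up.
SAMPLE_AUTORUN_INF = """[autorun]
open=wscript.exe //e:vbscript dekstop.ini
shellexecute=dekstop.ini
shell\\open\\command=dekstop.ini
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            raw = m.group('raw')
            if raw.startswith('dword:'):
                value = int(raw[len('dword:'):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                value = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo .reg escaping of \ and "
            else:
                value = raw
            keys[current][m.group('name')] = value
    return keys

def launch_target(command):
    """First quoted argument of a Run command, else its first token."""
    m = re.search(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]

def registry_findings(keys):
    """Return (key, value_name, reason) tuples for the registry indicators in the write-up."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r'\currentversion\run'):
            for name, cmd in values.items():
                if not isinstance(cmd, str):
                    continue
                target = launch_target(cmd)
                # Drop a leading drive letter so only a second colon counts as a stream name.
                body = target[2:] if re.match(r'[a-z]:', target, re.I) else target
                if '//e:vbscript' in cmd.lower():
                    findings.append((key, name, 'wscript forced to run VBScript from a non-.vbs file'))
                if ':' in body:
                    findings.append((key, name, 'launch target is an NTFS alternate data stream'))
        elif k.endswith(r'\policies\system') and values.get('DisableRegistrytools') == 1:
            findings.append((key, 'DisableRegistrytools', 'registry tools disabled'))
        elif k.endswith(r'\folder\superhidden') and values.get('CheckedValue') == 0:
            findings.append((key, 'CheckedValue', 'super-hidden files forced hidden'))
    return findings

LAUNCH_KEYS = ('open', 'shellexecute', 'shell\\open\\command')

def autorun_findings(text):
    """Return (option, value) for autorun.inf launch entries that point at a data/script file."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != 'autorun':
            continue
        for option in LAUNCH_KEYS:
            if cp.has_option(section, option):
                value = cp.get(section, option)
                if re.search(r'\.(ini|vbs|vbe|bfe|sys)\b', value, re.I):
                    hits.append((option, value))
    return hits

if __name__ == '__main__':
    for f in registry_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print('REG', *f, sep=' | ')
    for h in autorun_findings(SAMPLE_AUTORUN_INF):
        print('INF', *h, sep=' | ')
```

On a live host the same checks would be fed the output of `reg export` for the two Run keys, the Policies\System key and the SuperHidden key, and the autorun.inf read from each removable volume; the benign "Updater" entry in the sample shows that an ordinary Run value produces no finding, while the two entries from the description each trip at least one rule.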