
VBS.Cian.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

VBS.Cian.C@mm is also known as (X97M.

Explanation :

The virus copies itself to the system folder (C:\Windows\System or C:\Winnt\System32) as "Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs" and "Winnet32.vbs" and to the Windows folder (C:\Windows or C:\Winnt) as "Netlnk32.vbs" and "Conversation.vbe".
It creates the registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winstart"
with the value "Wscript.exe Winstart.vbs %1", where is C:\Windows\System or C:\Winnt\System32, in order to run the "Winstart.vbs" copy of the virus at every restart of the system.
It overwrites the file "personal.xls" in the startup folder of Excel (for instance, this path can be "C:\Windows\Application Data\Microsoft\Excel\Startup") in order to infect xls-files when they are opened.
It creates a temporary file "Evade.gif" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing malicious code used to infect xls-files.
It overwrites the file "normal.dot" in the template folder of Word (for instance, this path can be "C:\Windows\Application Data\Microsoft\Templates") in order to infect Word documents when they are opened.
It creates a temporary file "Evade.jpg" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing malicious code used to infect documents.
It copies itself as "Passwords.vbs" to the root of every drive of the system, except "C:".
It adds its code to every ".vbs" or ".vbe" file, in every folder of every drive.
The virus overwrites, as a ".vbs" file, all the ".mp3", ".mp2", ".avi", ".mpg", ".mpeg", ".mpe", ".mov", ".pdf", ".doc", ".xls", ".mdb", ".ppt" and ".pps" files, within the folders:
"C:\Kazaa\My Shared Folder"
"C:\My Downloads"
"Kazaa\My Shared Folder"
"KaZaA Lite\My Shared Folder"
"Bearshare\Shared"
"Edonkey2000"
"Morpheus\My Shared Folder"
"Grokster\My Grokster"
"ICQ\Shared Files".
It overwrites the file "script.ini" in the mIRC folder, in order to send a copy of itself ("Conversation.vbe" from the Windows folder) through mIRC.
The VBA form of the virus infects all accessed Word documents and Excel workbooks. It modifies the security levels for Word and Excel.
Infected documents spread themselves by e-mail with the subject:
-"Here is that file"
-"Important file"
-"The file"
-"Word file"
-"The file you wanted"
-"Here is the file" or
-the name of the infected document.
The body of the e-mail is:
"The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected document itself.
Infected xls-files spread themselves by e-mail, with the subject:
"Here is that file"
"Important file"
"The file"
"Excel file"
"The file you wanted"
"Here is the file" or
the name of the infected xls-file.
The body of the e-mail is also:
"The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected xls-file.
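
A triage check for the dropped copies and the two fake picture files described above, as an added example that is not part of the original write-up or any vendor tool. It assumes the volume under examination is mounted or extracted at a directory root; the function names and the sample tree in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Names and folders come from the description above; paths are relative to a volume root.
SYSTEM_DIRS = ["Windows/System", "Winnt/System32"]
WINDOWS_DIRS = ["Windows", "Winnt"]
SYSTEM_NAMES = ["Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs", "Winnet32.vbs"]
WINDOWS_NAMES = ["Netlnk32.vbs", "Conversation.vbe"]
# Leading bytes a genuine GIF or JPEG must have.
IMAGE_MAGIC = {"Evade.gif": (b"GIF87a", b"GIF89a"), "Evade.jpg": (b"\xff\xd8\xff",)}

def find_ci(base, rel):
    """Resolve rel under base ignoring case, as Windows file systems do."""
    cur = Path(base)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((p for p in cur.iterdir() if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None

def scan(root):
    """Return (kind, path) findings for a mounted volume or extracted image."""
    findings = []
    checks = [(d, n) for d in SYSTEM_DIRS for n in SYSTEM_NAMES]
    checks += [(d, n) for d in WINDOWS_DIRS for n in WINDOWS_NAMES]
    for folder, name in checks:
        if find_ci(root, f"{folder}/{name}"):
            findings.append(("dropped-copy", f"{folder}/{name}"))
    for folder in SYSTEM_DIRS:
        for name, magic in IMAGE_MAGIC.items():
            path = find_ci(root, f"{folder}/{name}")
            # A "picture" without a picture header matches the description above.
            if path and not path.read_bytes()[:8].startswith(magic):
                findings.append(("fake-image", f"{folder}/{name}"))
    return findings

def demo():
    """Build a constructed, harmless directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows/System").mkdir(parents=True)
        (root / "Winnt/System32").mkdir(parents=True)
        (root / "Windows/System/WINSTART.VBS").write_text("' constructed placeholder\n")
        (root / "Windows/conversation.vbe").write_text("' constructed placeholder\n")
        (root / "Windows/System/Evade.gif").write_text("' script text, not a GIF\n")
        (root / "Winnt/System32/Evade.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 16)
        return scan(root)
```

A file named Evade.jpg that starts with a valid JPEG header is not reported, so a finding of kind "fake-image" means the content, not just the name, matches the description.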

Last update 21 November 2011
