Worm:VBS/Cantix.A
First posted on 30 August 2010.
Source: SecurityHome
Aliases :
Worm:VBS/Cantix.A is also known as Smalltroj.YHFI (Norman), VBS/Worm.BA (AVG), VBS/Yuyun.A (Avira), Trojan.Script.257191 (BitDefender), Win32.HLLW.Cantix (Dr.Web), VBS/AutoRun.EY (ESET), VBS.Yuyun (Ikarus), VBS.Runauto (Symantec), VBS_AGENT.AVKG (Trend Micro).
Explanation :
Worm:VBS/Cantix.A is a worm written in VB Script that spreads via removable drives.
Installation

When executed, the worm copies itself to the following location:
    %system32%\<random>.tmp
and launches that copy. The worm also copies itself to these locations:
    C:\dekstop.ini
    %my documents%\df5srvc.bfe

Note: The malware attempts to copy itself to an NTFS (New Technology File System) alternate data stream:
    %windows%\:microsoft office update for windows xp.sys

The worm may also create several shortcut files named after a directory, for example:
    C:\Documents and Settings.lnk
This points to a copy of the malware, for example:
    C:\dekstop.ini

The worm also sets the following registry entries to ensure execution at each Windows start:

Adds value: "Df5serv"
With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "WinUpdate"
With data: "wscript.exe //e:vbscript "%windir%\:microsoft office update for windows xp.sys""
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The malware also sets the following registry entries in an attempt to ensure its survival:

Adds value: "DisableRegistrytools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: "WarningIfNotDefault"
With data: "fandy love yuyun"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

Spreads via...

Removable drives

The worm enumerates drives checking for removable drives; if one is found, the malware makes a copy of itself as:
    <Drive>:\dekstop.ini
Worm:VBS/Cantix.A then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The worm also copies itself to the following locations:
    %appdata%\microsoft\cd burning\dekstop.ini
    %appdata%\microsoft\cd burning\autorun.inf

Payload

Changes start page

The malware modifies the following registry entry to change the start page for the browser:

Adds value: "Start Page"
With data: "http://www.bendot.co.nr"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main

Prints a text message

The malware writes a text file to the following location:
    %system32%\v.doc
On the first day of the following months:
    January
    April
    July
    October
the malware sends the text to the printer using the following command:
    notepad.exe /p %system32%\v.doc
The contents of the text document are as follows:

    Orang Bodoh Cari Jodoh
    Dahulu terasa indah
    Tak ada yang mau dan menginginkan aku
    Karna cuma diriku yang tak laku-laku
    Tiada yang salah
    Hanya aku manusia bodoh
    Yang biarkan semua ini permainkanku
    Berulang ulang ulang kali
    Pengumuman-pengumuman
    Siapa yang mau bantu
    Tolong aku kasihani aku
    Tolong carikan diriku kekasih hatiku
    Siapa yang mau
    Mencoba bertahan sekuat hati
    Layaknya karang yang
    Dihempas sang ombak
    Jalani hidup dalam buai belaka
    Serahkan cinta tulus di dalam takdir
    Hanya kepedihan
    Yang s'lalu datang menertawakanku
    Engkau belahan jiwa
    Tega menari indah di atas tangisanku
    Tapi sampai kapankah ku harus
    Menanggungnya kutukan cinta ini
    Bersemayam dalam kalbu
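The persistence and spreading mechanisms above share two tells a responder can check for: the Run-key commands use wscript.exe //e:vbscript, which forces the VBScript engine on a file whatever its extension (so a .bfe file or an alternate data stream off %windir% runs as script), and the removable-drive autorun.inf exists only to launch dekstop.ini. The survival entries (DisableRegistrytools=1 blocks the Registry Editor; the SuperHidden values alter Explorer's display of super-hidden files) are exact values that can be matched literally. The following Python triage helper is an added example, not code from the original write-up or from any vendor: it runs over an offline registry snapshot (a constructed dict of subkey, value name and data) and over autorun.inf text, so it needs no Windows host. The autorun.inf contents are a constructed assumption, since the page says only that the file points to dekstop.ini; the registry values are copied from the write-up, and the ctfmon entry is a constructed benign control.

```python
"""Triage helper for the Worm:VBS/Cantix.A indicators (added example, not from the page)."""
import re

# File names used by the worm, from the write-up (note the "dekstop" misspelling).
CANTIX_FILE_NAMES = {"dekstop.ini", "df5srvc.bfe", "microsoft office update for windows xp.sys"}
# Run-key value names the worm registers for persistence.
CANTIX_RUN_VALUE_NAMES = {"df5serv", "winupdate"}
# Survival settings from the write-up: (subkey, value name) -> data, lower-cased for comparison.
CANTIX_POLICY_VALUES = {
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "disableregistrytools"): "1",
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden",
     "warningifnotdefault"): "fandy love yuyun",
    (r"hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden",
     "checkedvalue"): "0",
}
# "wscript.exe //e:vbscript <target>": the //e switch selects the VBScript engine
# regardless of the target's extension, which is how a .bfe/.sys/.ini file gets executed.
WSCRIPT_RE = re.compile(r'wscript(?:\.exe)?\s+//e:vbscript\s+"?([^"]+)"?', re.IGNORECASE)


def classify_run_value(name, data):
    """Return the reasons a Run-key value resembles Cantix persistence ([] if none)."""
    reasons = []
    if name.lower() in CANTIX_RUN_VALUE_NAMES:
        reasons.append("known value name")
    match = WSCRIPT_RE.search(data)
    if not match:
        return reasons
    target = match.group(1).strip().lower()
    leaf = target.rsplit("\\", 1)[-1]  # last path component
    if not leaf.endswith((".vbs", ".vbe")):
        reasons.append("vbscript engine forced on non-script extension")
    if ":" in leaf:  # "dir\:stream" or "file:stream" names an NTFS alternate data stream
        reasons.append("alternate data stream target")
    if leaf.lstrip(":") in CANTIX_FILE_NAMES:
        reasons.append("known file name")
    return reasons


def scan_registry_snapshot(snapshot):
    """snapshot: {(subkey, value_name): data}. Returns [(subkey, value_name, reason), ...]."""
    findings = []
    for (subkey, value), data in snapshot.items():
        key_l, value_l = subkey.lower(), value.lower()
        if key_l.endswith(r"\currentversion\run"):
            findings.extend((subkey, value, r) for r in classify_run_value(value, data))
        if CANTIX_POLICY_VALUES.get((key_l, value_l)) == str(data).lower():
            findings.append((subkey, value, "survival setting matches write-up"))
    return findings


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """Commands an autorun.inf would run on an Autorun-enabled host: open, shellexecute, shell\\<verb>\\command."""
    auto = parse_autorun_inf(text).get("autorun", {})
    targets = [auto[k] for k in ("open", "shellexecute") if k in auto]
    targets += [v for k, v in auto.items() if k.startswith("shell\\") and k.endswith("\\command")]
    return targets


def autorun_looks_like_cantix(text):
    """True if any launch target names a Cantix file or forces the VBScript engine."""
    for target in autorun_launch_targets(text):
        low = target.lower()
        if WSCRIPT_RE.search(low) or any(n in low for n in CANTIX_FILE_NAMES):
            return True
    return False


# Constructed snapshot: the two Run values and two survival settings from the
# write-up, plus one benign entry (ctfmon) to show that it is not flagged.
SAMPLE_SNAPSHOT = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Df5serv"):
        r'wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe"',
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpdate"):
        r'wscript.exe //e:vbscript "%windir%\:microsoft office update for windows xp.sys"',
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon"):
        r"C:\WINDOWS\system32\ctfmon.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistrytools"): "1",
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden", "CheckedValue"): "0",
}

# Constructed autorun.inf: the page only says the file "points to" dekstop.ini.
SAMPLE_AUTORUN_INF = """[autorun]
; constructed sample, not a captured file
shellexecute=wscript.exe //e:vbscript dekstop.ini
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in scan_registry_snapshot(SAMPLE_SNAPSHOT):
        print("registry:", *finding)
    print("autorun.inf suspicious:", autorun_looks_like_cantix(SAMPLE_AUTORUN_INF))
```

On a live host the snapshot dict would be filled from a registry export (or from winreg on Windows); the "non-script extension" and "alternate data stream" checks are deliberately generic, so they also surface variants that rename the dropped files but keep the wscript.exe //e:vbscript launch technique.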
Analysis by Ray Roberts
Last update 30 August 2010