Worm:VBS/Cantix.A


Worm:VBS/Cantix.A is a worm written in VB Script that spreads via removable drives.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:VBS/Cantix.A is a worm written in VB Script that spreads via removable drives.
Installation
When executed, the worm copies itself to the following location:
 
%system32%\<random>.tmp
 
and launches that copy. The worm also copies itself to these locations:
 
C:\dekstop.ini
%my documents%\df5srvc.bfe
 
Note: The malware attempts to copy itself to an NTFS (New Technology File System) alternate data stream:
 
%windows%\:microsoft office update for windows xp.sys
 
The worm may also create several shortcut files named after a directory, for example:
 
C:\Documents and Settings.lnk
 
This points to a copy of the malware, for example:
 
C:\dekstop.ini
 
The worm also sets the following registry entries to ensure execution at each Windows start:
 
Adds value: "Df5serv"
With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "WinUpdate"
With data: "wscript.exe //e:vbscript "%windir%\:microsoft office update for windows xp.sys""
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 
The malware also sets the following registry entries in an attempt to ensure its survival:
 
Adds value: "DisableRegistrytools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Adds value: "WarningIfNotDefault"
With data: "fandy love yuyun"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
 
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
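The Run and policy entries listed above are the worm's persistence mechanism and the most reliable host indicators in this analysis. The following Python script is an added example, not part of the Microsoft analysis and not code from the worm: it parses a Regedit text export (the output of `reg export` or Regedit's Export on the relevant keys, taken from the suspect machine) and reports which of the documented values are present. The sample export embedded in it is constructed for the example; the subkeys, value names and data are those listed above, and `parse_reg_export` decodes only string and DWORD values.

```python
import re
from typing import Callable, Dict, List, Tuple

# Regedit "Version 5.00" exports spell out the hive; the advisory uses the short form.
HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping: backslash and double quote are backslash-escaped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], object]:
    """Parse a Regedit 5.00 text export into {(subkey, value name): data}.

    Subkeys and value names are lower-cased because the registry is case-insensitive.
    Only REG_SZ ("...") and REG_DWORD (dword:...) are decoded; other types stay raw text.
    """
    entries: Dict[Tuple[str, str], object] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            for long_name, short in HIVE_ALIASES.items():
                if key.upper().startswith(long_name):
                    key = short + key[len(long_name):]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or key is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value: object = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        entries[(key.lower(), name.lower())] = value
    return entries


RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUPERHIDDEN = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden"

# (subkey, value name, predicate on decoded data, what a match means); values from the advisory.
INDICATORS: List[Tuple[str, str, Callable[[object], bool], str]] = [
    ("HKCU\\" + RUN, "Df5serv",
     lambda d: isinstance(d, str) and "df5srvc.bfe" in d.lower(),
     "per-user Run entry launching df5srvc.bfe through wscript.exe"),
    ("HKLM\\" + RUN, "WinUpdate",
     lambda d: isinstance(d, str) and "microsoft office update for windows xp.sys" in d.lower(),
     "machine-wide Run entry launching the copy held in an NTFS alternate data stream"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistrytools",
     lambda d: d == 1, "Registry Editor disabled for the user (weak on its own)"),
    ("HKCU\\" + SUPERHIDDEN, "WarningIfNotDefault",
     lambda d: d == "fandy love yuyun", "SuperHidden warning text replaced with the worm's string"),
    ("HKLM\\" + SUPERHIDDEN, "CheckedValue",
     lambda d: d == 0, "SuperHidden CheckedValue set to 0 as in the advisory (weak on its own)"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page",
     lambda d: isinstance(d, str) and "bendot.co.nr" in d.lower(),
     "Internet Explorer start page hijacked"),
]


def find_cantix_indicators(entries: Dict[Tuple[str, str], object]) -> List[Tuple[str, str, str]]:
    """Return (subkey, value name, meaning) for every documented indicator present."""
    hits = []
    for subkey, name, matches, meaning in INDICATORS:
        data = entries.get((subkey.lower(), name.lower()))
        if data is not None and matches(data):
            hits.append((subkey, name, meaning))
    return hits


# Constructed sample export (not taken from a real machine) mirroring the entries listed above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Df5serv"="wscript.exe //e:vbscript \"c:\\documents and settings\\administrator\\my documents\\df5srvc.bfe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="wscript.exe //e:vbscript \"%windir%\\:microsoft office update for windows xp.sys\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistrytools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"WarningIfNotDefault"="fandy love yuyun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.bendot.co.nr"
'''

if __name__ == "__main__":
    for subkey, name, meaning in find_cantix_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{subkey}\\{name}: {meaning}")
```

Because each indicator is a subkey, a value name and a predicate on the data, a responder can extend `INDICATORS` for other families without touching the parser. The two Run entries and the hijacked start page are the specific signals; `DisableRegistrytools` = 1 and `SuperHidden\CheckedValue` = 0 are also set by other malware and by some administrators, so they are weak evidence on their own. The file the HKLM entry launches sits in an alternate data stream attached to the Windows directory, which an ordinary directory listing does not show; `dir /r` or PowerShell's `Get-Item -Stream *` lists such streams.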
Spreads via…
Removable drives
The worm enumerates drives looking for removable drives; on each one it finds, it makes a copy of itself as:
 
<Drive>:\dekstop.ini
 
Worm:VBS/Cantix.A then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
 
The worm also copies itself and its autorun.inf to the following locations:
 
%appdata%\microsoft\cd burning\dekstop.ini
%appdata%\microsoft\cd burning\autorun.inf
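The removable-drive spread depends on an autorun.inf whose launch directive points at the dropped dekstop.ini. The script below is an added example, not part of the Microsoft analysis, showing how a triage tool can grade an autorun.inf recovered from a drive root or from the cd burning staging folder listed above: it flags launch directives that invoke a script host, that point at a file whose extension the shell would not execute, or whose target name is a near-miss of a well-known file such as desktop.ini. The advisory does not reproduce the worm's actual autorun.inf, so the sample embedded here is constructed and its directives are an assumption.

```python
import configparser
import re
from typing import List

# Directives that make the shell launch something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
# Extensions the shell will not run directly: a launch target with one of these is a hint
# that the "document" is really a script handed to an interpreter.
NON_EXEC_EXT = {".ini", ".txt", ".sys", ".tmp", ".dat"}
# Names worth protecting from typo-squatting; Cantix drops 'dekstop.ini' (two letters swapped).
WELL_KNOWN = ["desktop.ini", "autorun.inf"]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _targets(value: str) -> List[str]:
    """Split a directive value into tokens, honouring double-quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def triage_autorun(inf_text: str) -> List[str]:
    """Return one finding per suspicious launch target in an autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(inf_text)
    findings: List[str] = []
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lower-cases option names
            is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
            if not is_launch:
                continue
            for tok in _targets(value):
                # keep only the file name part of a path or command token
                name = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if name in SCRIPT_HOSTS:
                    findings.append(f"{key}: launches script host {name}")
                if "." not in name:
                    continue
                ext = "." + name.rsplit(".", 1)[-1]
                if ext in NON_EXEC_EXT:
                    findings.append(f"{key}: target {name} has non-executable extension {ext}")
                for known in WELL_KNOWN:
                    if name != known and levenshtein(name, known) <= 2:
                        findings.append(f"{key}: {name} is a lookalike of {known}")
    return findings


# Constructed sample, not a captured Cantix autorun.inf: the advisory only says the file
# points at <Drive>:\dekstop.ini, so the exact directives here are an assumption.
SAMPLE_AUTORUN = """[autorun]
open=wscript.exe //e:vbscript dekstop.ini
shellexecute=dekstop.ini
action=Open folder to view files
"""

# Constructed benign autorun.inf of the kind shipped on installer media.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
"""

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(finding)
    print("benign findings:", triage_autorun(BENIGN_AUTORUN))
```

The lookalike check is a plain edit distance with a threshold of two, which catches the transposed letters in dekstop.ini while leaving desktop.ini itself alone. The same parse applies to the copy the worm stages in the CD Burning folder, since a disc burned from that staging area would carry the worm. AutoRun for non-optical removable media is off by default on Windows 7 and later, and Microsoft disabled it on earlier versions through update KB971029, which removes the launch path this worm relies on.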
Payload
Changes start page
The malware modifies the following registry entry to change the start page for the browser:
 
Adds value: "Start Page"
With data: "http://www.bendot.co.nr"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
 
Prints a text message
The malware writes a text file to the following location:
 
%system32%\v.doc
 
On the first day of January, April, July, and October, the malware sends this text file to the printer using the following command:
 
notepad.exe /p %system32%\v.doc
 
The contents of the text document are as follows:
 
Orang Bodoh Cari Jodoh
 
Dahulu terasa indah
Tak ada yang mau dan menginginkan aku
Karna cuma diriku yang tak laku-laku
 
Tiada yang salah
Hanya aku manusia bodoh
Yang biarkan semua ini permainkanku
Berulang ulang ulang kali
 
Pengumuman-pengumuman
Siapa yang mau bantu
Tolong aku kasihani aku
Tolong carikan diriku kekasih hatiku
Siapa yang mau
 
Mencoba bertahan sekuat hati
Layaknya karang yang
Dihempas sang ombak
Jalani hidup dalam buai belaka
Serahkan cinta tulus di dalam takdir
 
Hanya kepedihan
Yang s'lalu datang menertawakanku
Engkau belahan jiwa
Tega menari indah di atas tangisanku
 
Tapi sampai kapankah ku harus
Menanggungnya kutukan cinta ini
Bersemayam dalam kalbu
 
Analysis by Ray Roberts

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %system32%\<random>.tmp
    %my documents%\df5srvc.bfe
    %windows%\:microsoft office update for windows xp.sys
    %system32%\v.doc
  • The presence of the following registry modifications:
    Adds value: "Df5serv"
    With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "WinUpdate"
    With data: "wscript.exe //e:vbscript "%windir%\:microsoft office update for windows xp.sys""
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "DisableRegistrytools"
    With data: "1"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
     
    Adds value: "WarningIfNotDefault"
    With data: "fandy love yuyun"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
     
    Adds value: "CheckedValue"
    With data: "0"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
     
    Adds value: "Start Page"
    With data: "http://www.bendot.co.nr"
    To subkey: HKCU\Software\Microsoft\Internet Explorer\Main

Prevention


Alert level: Severe
First detected by definition: 1.85.1626.0
Latest detected by definition: 1.85.1626.0 and higher
First detected on: Jul 07, 2010
This entry was first published on: Aug 26, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Smalltroj.YHFI (Norman)
  • VBS/Worm.BA (AVG)
  • VBS/Yuyun.A (Avira)
  • Trojan.Script.257191 (BitDefender)
  • Win32.HLLW.Cantix (Dr.Web)
  • VBS/AutoRun.EY (ESET)
  • VBS.Yuyun (Ikarus)
  • VBS.Runauto (Symantec)
  • VBS_AGENT.AVKG (Trend Micro)