Worm:VBS/Cantix.A is a worm written in VB Script that spreads via removable drives.
Installation
When executed, the worm copies itself to the following location:
%system32%\<random>.tmp
and launches that copy. The worm also copies itself to these locations:
C:\dekstop.ini
%my documents%\df5srvc.bfe
Note: The malware attempts to copy itself to an NTFS (New Technology File System) alternate data stream:
%windows%\:microsoft office update for windows xp.sys
The worm may also create several shortcut files named after a directory, for example:
C:\Documents and Settings.lnk
Each such shortcut points to a copy of the malware, for example:
C:\dekstop.ini
The worm also sets the following registry entries to ensure execution at each Windows start:
Adds value: "Df5serv"
With data: "wscript.exe //e:vbscript "c:\documents and settings\administrator\my documents\df5srvc.bfe""
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "WinUpdate"
With data: "wscript.exe //e:vbscript "%windir%\:microsoft office update for windows xp.sys""
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The malware also sets the following registry entries in an attempt to ensure its survival:
Adds value: "DisableRegistrytools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: "WarningIfNotDefault"
With data: "fandy love yuyun"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Spreads via…
Removable drives
The worm enumerates drives looking for removable drives; if one is found, the malware copies itself to:
<Drive>:\dekstop.ini
Worm:VBS/Cantix.A then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
The worm also copies itself to the following locations:
%appdata%\microsoft\cd burning\dekstop.ini
%appdata%\microsoft\cd burning\autorun.inf
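As an added defender-side example (not part of the original analysis), the following PowerShell script checks a host for the installation, persistence and removable-drive artifacts described above. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session, only reads registry and file-system state, and uses the value names and paths exactly as the report gives them.

```powershell
# Added triage check (not part of the original analysis): read-only search for the
# persistence and spreading artifacts this report attributes to Worm:VBS/Cantix.A.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session on the host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys: any value that launches a script through "wscript.exe //e:vbscript"
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'wscript\.exe\s+//e:vbscript') {
            $findings.Add("$hive Run value '$($p.Name)' launches VBScript: $($p.Value)")
        }
    }
}

# 2. Survival settings: regedit disabled, and a WarningIfNotDefault string planted under
#    HKCU (the Folder Options tree normally lives under HKLM; CheckedValue=0 is also the
#    default for SuperHidden, so it is not used as an indicator here)
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) { $findings.Add('HKCU DisableRegistryTools = 1') }
$sh = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden' -ErrorAction SilentlyContinue
if ($sh -and $sh.WarningIfNotDefault) { $findings.Add("HKCU SuperHidden\WarningIfNotDefault = '$($sh.WarningIfNotDefault)'") }

# 3. Dropped files, plus the dekstop.ini/autorun.inf pair on every removable drive
$paths = [System.Collections.Generic.List[string]]@(
    'C:\dekstop.ini',
    (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'df5srvc.bfe'),
    (Join-Path $env:APPDATA 'Microsoft\CD Burning\dekstop.ini'),
    (Join-Path $env:APPDATA 'Microsoft\CD Burning\autorun.inf'),
    (Join-Path $env:SystemRoot 'System32\v.doc'))
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {   # 2 = removable disk
    $paths.Add("$($_.DeviceID)\dekstop.ini"); $paths.Add("$($_.DeviceID)\autorun.inf")
}
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") } }

# 4. Shortcuts in the drive root named after a sibling directory ("Documents and Settings.lnk")
Get-ChildItem -LiteralPath 'C:\' -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    if (Test-Path -LiteralPath (Join-Path 'C:\' $_.BaseName) -PathType Container) {
        $findings.Add("Shortcut shadows a directory: $($_.FullName)")
    }
}

# 5. Alternate data stream attached to the Windows directory itself
Get-Item -LiteralPath $env:SystemRoot -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { $findings.Add("ADS on $($env:SystemRoot): $($_.Stream)") }
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Cantix.A artifacts found.' }
```

Findings are reported as warnings rather than acted on, so the script can be run during triage without altering evidence; the `%system32%\<random>.tmp` copy has no fixed name and is not checked.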
Payload
Changes start page
The malware modifies the following registry entry to change the start page for the browser:
Adds value: "Start Page"
With data: "http://www.bendot.co.nr"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Prints a text message
The malware writes a text file to the following location:
%system32%\v.doc
On the first day of the following months:
January
April
July
October
The malware sends the text to the printer using the following command:
notepad.exe /p %system32%\v.doc
The contents of the text document are as follows:
Orang Bodoh Cari Jodoh
Dahulu terasa indah
Tak ada yang mau dan menginginkan aku
Karna cuma diriku yang tak laku-laku
Tiada yang salah
Hanya aku manusia bodoh
Yang biarkan semua ini permainkanku
Berulang ulang ulang kali
Pengumuman-pengumuman
Siapa yang mau bantu
Tolong aku kasihani aku
Tolong carikan diriku kekasih hatiku
Siapa yang mau
Mencoba bertahan sekuat hati
Layaknya karang yang
Dihempas sang ombak
Jalani hidup dalam buai belaka
Serahkan cinta tulus di dalam takdir
Hanya kepedihan
Yang s'lalu datang menertawakanku
Engkau belahan jiwa
Tega menari indah di atas tangisanku
Tapi sampai kapankah ku harus
Menanggungnya kutukan cinta ini
Bersemayam dalam kalbu
Analysis by Ray Roberts