
Trixcu.A

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Trixcu.A carries out the following actions:

  • When it is run, the following error message is displayed:

    Error message displayed by Trixcu.A
  • It disables the following functions:
    - The Find option of the Start menu.
    - The Folder Options item of the Start menu.
    - The Task Manager.
    - The Windows Registry Editor.
    - The CMD shell.
  • It hides file extensions, as well as the files and subfolders that have the hidden attribute, so that its own copies go unnoticed.
  • Once it has made all of its changes to the system, it turns the computer off by running the following command:
    shutdown.exe -s -f -t 1

Infection strategy 

Trixcu.A creates the following files, which are copies of itself:

  • CMD.COM, DXDIAG.COM, FLASH.10.EXE, JAMBANMU.COM, MSCONFIG.COM, PING.COM and REGEDIT.COM, in the Windows system directory.
  • MY SECRET.FOLD, in the My Documents subfolder of the Documents and Settings directory of the logged-in user.
  • NEW SONG.LAGU and NEW VIDEO.VIDZ, in the My Documents\My Music subfolder of the Documents and Settings directory of the logged-in user.
  • AWEKS.PIKZ and SERAM.PIKZ, in the My Documents\My Pictures subfolder of the Documents and Settings directory of the logged-in user.
  • MACROMEDIA.10.EXE, in the Common Files\Microsoft Shared subfolder of the Program Files directory.
  • MSN.MSN, in the Common Files\Microsoft Shared\DAO subfolder of the Program Files directory.
  • (EMPTY).EMPTY, in the Startup directory. This way, Trixcu.A ensures that it is run whenever Windows is started.


Trixcu.A deletes the programs located in the Startup directory. As a result, none of the programs that were in this directory are run when Windows starts.


Trixcu.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Windows MSN = C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn

    By creating this entry, Trixcu.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFind = 01, 00, 00, 00

    It disables the Find option of the Start menu.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 01, 00, 00, 00

    It disables the Folder Options item of the Start menu.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 01, 00, 00, 00

    It prevents the Windows Registry Editor from being run.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableCMD = 01, 00, 00, 00

    It prevents the CMD shell from being run.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 01, 00, 00, 00

    It prevents the Task Manager from being run.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\Date
    (Default) = 070617
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgDate
    (Default) = 070701
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgMkr
    (Default) = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK AZAM
    (Default) = THIS GUY SHIT HEAD!!BIG LIER!!FUCKING GAY!!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK DZULKIFLI
    (Default) = THIS GUY PIG HEAD!!!!U FUCKED EVERYBODY!!
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK ZAWAWI
    (Default) = THIS GUY DICK HEAD!!!NOBODY LIKES U!!!


Trixcu.A modifies the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe %sysdir%\JambanMu.com

    where %sysdir% is the Windows system directory.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load = Flash.10.exe

    By modifying these entries, Trixcu.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 00, 00, 00, 00

    By modifying this entry, Trixcu.A hides the files and subfolders that have the hidden attribute.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 00, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt = 01, 00, 00, 00

    By modifying this entry, Trixcu.A hides file extensions.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 00, 00, 00, 00

Additionally, Trixcu.A attempts to modify the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    RegisteredOwner = %name with which the system is registered%

    It changes this entry to:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    RegisteredOwner = JambanMuV2
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    RegisteredOrganization = %name of the organization with which the system is registered%

    It changes this entry to:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    RegisteredOrganization = HELP ME!!.html

    By modifying these entries, Trixcu.A changes the names with which the operating system and the organization are registered.
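As an added example (not code from the Panda entry), the following Python audits a registry snapshot, assumed to be supplied as a dictionary of key path to value names and data, for the entries Trixcu.A creates or modifies as listed above. For each hit it reports the original value the entry records, or None where the worm created the entry and removing it is the remedy; the sample snapshot is constructed.

```python
# Added example, not the Panda entry's own code. scan_snapshot() takes a registry
# snapshot as {key path: {value name: data}} and returns one tuple per Trixcu.A
# indicator found: (key, value name, current data, value to restore or None).
HKCU_WIN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
POL_EXPLORER = HKCU_WIN + r"\CurrentVersion\Policies\Explorer"
POL_SYSTEM = HKCU_WIN + r"\CurrentVersion\Policies\System"
ADVANCED = HKCU_WIN + r"\CurrentVersion\Explorer\Advanced"
RUN = HKCU_WIN + r"\CurrentVersion\Run"
LOAD = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MARKER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2"
# (key, value name, DWORD the worm writes, value to restore; None = delete the value)
DWORD_INDICATORS = [
    (POL_EXPLORER, "NoFind", 1, None),
    (POL_EXPLORER, "NoFolderOptions", 1, None),
    (POL_SYSTEM, "DisableRegistryTools", 1, None),
    (POL_SYSTEM, "DisableCMD", 1, None),
    (POL_SYSTEM, "DisableTaskMgr", 1, None),
    (ADVANCED, "Hidden", 0, 1),
    (ADVANCED, "HideFileExt", 1, 0),
    (ADVANCED, "ShowSuperHidden", 0, 1),
]

def scan_snapshot(reg):
    hits = []
    for key, name, bad, good in DWORD_INDICATORS:
        if reg.get(key, {}).get(name) == bad:
            hits.append((key, name, bad, good))
    # String-valued persistence entries: match on the dropped file names.
    run = str(reg.get(RUN, {}).get("Windows MSN", ""))
    if run.lower().endswith(r"\dao\msn.msn"):
        hits.append((RUN, "Windows MSN", run, None))
    shell = str(reg.get(WINLOGON, {}).get("Shell", "Explorer.exe"))
    if "jambanmu.com" in shell.lower():
        hits.append((WINLOGON, "Shell", shell, "Explorer.exe"))
    load = str(reg.get(LOAD, {}).get("load", ""))
    if load.lower() == "flash.10.exe":
        hits.append((LOAD, "load", load, ""))
    # The worm's own marker key: any key at or below it is a hit by itself.
    for key in sorted(k for k in reg if k.upper().startswith(MARKER.upper())):
        hits.append((key, None, "key present", None))
    return hits

# Constructed snapshot of an infected profile; %sysdir% assumed to be C:\WINDOWS\system32.
SAMPLE = {
    POL_SYSTEM: {"DisableTaskMgr": 1, "DisableCMD": 1},
    ADVANCED: {"Hidden": 0, "HideFileExt": 1, "ShowSuperHidden": 0},
    WINLOGON: {"Shell": r"Explorer.exe C:\WINDOWS\system32\JambanMu.com"},
    MARKER + r"\Date": {"(Default)": "070617"},
}
```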

Means of transmission 

Trixcu.A reaches the computer in a file that has the icon of a flash file:

Icon with which Trixcu.A reaches the computer

Trixcu.A spreads via mapped drives. To do so, it checks whether the infected computer is connected to a network; if it is, it enumerates all mapped drives and creates a copy of itself in each of them.

Further Details  

Trixcu.A is written in the programming language Visual Basic v5. This worm is 57,344 bytes in size.

Additionally, the file HELP ME!.HTML contains the following website:

Website that belongs to the file HELP ME!.HTML

Last updated:  13/11/2007 
