Effects

Trixcu.A carries out the following actions:

- When it is run, the following error message is displayed:
- It disables the following functions:
  - Find of the Start menu.
  - Folder options of the Start menu.
  - The Task Manager.
  - The Windows Registry Editor.
  - The CMD shell.
- It hides the extensions of the files, and the files and subfolders that have the attribute hidden, in order to go unnoticed.
- It turns the computer off once it has carried out all the changes in the system, by running the following command:
  shutdown.exe -s -f -t 1

Infection strategy

Trixcu.A creates the following files, which are copies of itself:

- CMD.COM, DXDIAG.COM, FLASH.10.EXE, JAMBANMU.COM, MSCONFIG.COM, PING.COM and REGEDIT.COM, in the Windows system directory.
- MY SECRET.FOLD, in the subfolder My Documents of the Documents and Settings directory of the user that has logged in.
- NEW SONG.LAGU and NEW VIDEO.VIDZ, in the subfolder My Documents\My Music of the Documents and Settings directory of the user that has logged in.
- AWEKS.PIKZ and SERAM.PIKZ, in the subfolder My Documents\My Pictures of the Documents and Settings directory of the user that has logged in.
- MACROMEDIA.10.EXE, in the subfolder Common Files\Microsoft Shared of the Program Files directory.
- MSN.MSN, in the subfolder Common Files\Microsoft Shared\DAO of the Program Files directory.
- (EMPTY).EMPTY, in the Startup directory. This way, Trixcu.A ensures that it is run whenever Windows is started.

Trixcu.A deletes the programs that are located in the Startup directory. This way, none of the programs in this directory are run when Windows is started.

Trixcu.A creates the following entries in the Windows Registry:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Windows MSN = C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
  By creating this entry, Trixcu.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFind = 01, 00, 00, 00
  It disables the option Find of the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 01, 00, 00, 00
  It disables the option Folder Options of the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 01, 00, 00, 00
  It doesn't allow the Windows Registry Editor to be run.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableCMD = 01, 00, 00, 00
  It doesn't allow the CMD shell to be run.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = 01, 00, 00, 00
  It prevents the Task Manager from being run.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\Date
  (Default) = 070617
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgDate
  (Default) = 070701
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgMkr
  (Default) = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK AZAM
  (Default) = THIS GUY SHIT HEAD!!BIG LIER!!FUCKING GAY!!
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK DZULKIFLI
  (Default) = THIS GUY PIG HEAD!!!!U FUCKED EVERYBODY!!
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK ZAWAWI
  (Default) = THIS GUY DICK HEAD!!!NOBODY LIKES U!!!

Trixcu.A modifies the following entries from the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe %sysdir%\JambanMu.com
  where %sysdir% is the Windows system directory.
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load = Flash.10.exe
  By modifying these entries, Trixcu.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 00, 00, 00, 00
  By modifying this entry, Trixcu.A hides the files and subfolders that have the attribute hidden.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 00, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 01, 00, 00, 00
  By modifying this entry, Trixcu.A hides the extensions of the files.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 00, 00, 00, 00

Additionally, Trixcu.A attempts to modify the following entries from the Windows Registry:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = %name with which the system is registered%
  It changes this entry to:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = JambanMuV2
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = %name of the organization with which the system is registered%
  It changes this entry to:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = HELP ME!!.html

By modifying these entries, Trixcu.A changes the names with which the operating system and the organization are registered.
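
A triage check for the registry changes listed above, as an added example that is not part of the original write-up: it scans a regedit-style `.reg` export for the autostart values, the policy lockouts and the JambanMuV2 marker key. The sample export, the `C:\WINDOWS\system32` path standing in for %sysdir%, and the function names are constructed for illustration; the Explorer\Advanced display settings are left out.

```python
import re

# Constructed sample in regedit export (.reg) format; not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows MSN"="C:\\Program Files\\Common Files\\Microsoft Shared\\DAO\\MSN.msn"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=hex:01,00,00,00
"DisableCMD"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\JambanMu.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\Date]
'''
# Value names and data taken from the description above, lower-cased for matching.
POLICY_FLAGS = {"nofind", "nofolderoptions", "disableregistrytools", "disablecmd", "disabletaskmgr"}
AUTOSTART = [(r"\currentversion\run", "windows msn", "msn.msn"),
             (r"\currentversion\winlogon", "shell", "jambanmu.com"),
             (r"\currentversion\windows", "load", "flash.10.exe")]

def parse_reg(text):
    """Yield (key, name, data); name is None for a key line, data is int for dword/hex."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        m = re.match(r'(?:"(.*?)"|@)=(.*)$', line)
        if key and m:
            name, raw = m.group(1) or "", m.group(2)
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            elif raw.startswith("hex:"):  # the "01, 00, 00, 00" form, little-endian
                data = int.from_bytes(bytes.fromhex(raw[4:].replace(",", "")), "little")
            else:
                data = raw.strip('"').replace("\\\\", "\\")
            yield key, name, data

def trixcu_findings(text):
    """Return sorted findings for registry entries matching the Trixcu.A changes."""
    hits = set()
    for key, name, data in parse_reg(text):
        k, n = key.lower(), (name or "").lower()
        if "\\microsoft\\jambanmuv2" in k:
            hits.add("marker key JambanMuV2 present")
        if "\\policies\\" in k and n in POLICY_FLAGS and data == 1:
            hits.add(f"policy lockout: {name}")
        for suffix, vname, needle in AUTOSTART:
            if k.endswith(suffix) and n == vname and needle in str(data).lower():
                hits.add(f"autostart: {name}")
    return sorted(hits)
```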

Means of transmission

Trixcu.A reaches the computer in a file that has the icon of a flash file:

Trixcu.A spreads via mapped drives. In order to do so, it checks if the infected computer is connected to a network. If so, it makes an inventory of all mapped drives and creates a copy of itself in each of them.

Further Details

Trixcu.A is written in the programming language Visual Basic v5. This worm is 57,344 bytes in size. Additionally, the file HELP ME!.HTML contains the following website: