Effects

Tixcet.A is a worm that makes copies of itself throughout the system. To do so, it follows the routine below:

- Whenever any directory is accessed, it creates a copy of itself with the same name as the directory that has been accessed.
- Then, it deletes all the files it finds in that directory and creates a copy of itself with the name of the original file and an .EXE extension.
- Additionally, the next time that directory is accessed, if any of the files located there is selected, the worm creates another copy of itself.
- The affected extensions are the following:
  - Office files: .DOC, .XLS, .PPT, .MDB, .PDF and .XML.
  - Multimedia files: .MP3, .3GP, .DAT, .MOV and .WAV.
  - Compression files: .ZIP and .RAR.
  - Image files: .JPG, .BMP and .GIF.
  - Executable files: .BAT, .COM and .SCR.

Any file with any of the previously mentioned extensions will be deleted by the worm.

Additionally, it carries out the following actions:

- When it is run, the computer is restarted.
- It adds the word CETIX to the Notification area, as can be seen in the following image:
- It does not allow files to be copied, as it disables the Paste option when a file is about to be copied.
- When content is selected to be copied, what is actually copied is not the selected content but the following text:
  Hello ! My Name is CETiX, nice to meet you...
- It prevents the following applications from being run, among others:
  - Task Manager.
  - Windows Registry Editor.
  - Command shell (CMD).
- It ends the processes whose window title contains any of the following text strings:
  ANVIECLAZZ BITDEF CabinetWClass DETEC ExploreWClass GRISOFT HIJACK KASPER NORMAN NORTON PROCEXPL SETUP SYSINTER WINDOWS
  This makes the worm more difficult to detect, as these processes belong to several security and detection tools.
- When it detects certain monitoring or detection tools and Windows Explorer is active, it replaces the window title with the text CETiX: Don't Kill Me Please...! My name is CETiX, Nice to meet you..., as can be seen in the following image:
- It modifies the characteristics of the system properties:

To help in understanding some of the actions carried out by Tixcet.A, an explanatory video is at your disposal.

Infection strategy

Tixcet.A creates the following files, which are copies of the worm:

- FILES.EXE, UNTITLED.EXE, ADMINISTRADOR.EXE, CETIX.EXE and XZ.EXE, in the root directory of the C: drive.
- CETIX.EXE and RACUN.EXE, in the Windows directory.
- POISON.EXE and TOXIC.EXE, in the Windows system directory.
- VSERVE.EXE, in the Startup directory. This way, it ensures that it is run whenever Windows is started.

Additionally, it creates an AUTORUN.INF file in the root directory of the C: drive. This way, it would be run whenever this directory is accessed.

Tixcet.A creates the following entries in the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Poison = %sysdir%\poison.exe
  where %sysdir% is the Windows system directory.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Cetix = %windir%\cetix.exe
  where %windir% is the Windows directory.

By creating these entries, Tixcet.A ensures that it is run whenever Windows is started.

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
  AlternateShell = %windir%\cetix.exe
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
  AlternateShell = %windir%\cetix.exe
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  AlternateShell = %windir%\cetix.exe

By creating these entries, Tixcet.A ensures that it is run even if the system is restarted in safe mode.

Tixcet.A modifies the following entries from the Windows Registry:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = explorer.exe %sysdir%\poison.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe,
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = %sysdir%\userinit.exe,%sysdir%\poison.exe,

By modifying these entries, Tixcet.A ensures that it is run whenever Windows is started.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = CETiX BALi
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = XZ

By modifying these three entries, it changes the system properties referring to the organization and the user name to which the operating system is registered.

- HKEY_CURRENT_USER\Control Panel\International
  It changes this entry to:
  HKEY_CURRENT_USER\Control Panel\International
  s1159 = AM | CETiX
- HKEY_CURRENT_USER\Control Panel\International
  It changes this entry to:
  HKEY_CURRENT_USER\Control Panel\International
  s2359 = PM | CETiX

By these two modifications, it adds the word CETIX to the Notification area.

Additionally, Tixcet.A modifies the following entries from the Windows Registry:

- HKEY_CLASSES_ROOT\batfile\shell\open\command
  (Default) = "%1" %*
  It changes this entry to:
  HKEY_CLASSES_ROOT\batfile\shell\open\command
  (Default) = %sysdir%\toxic.exe "%1"%*
- HKEY_CLASSES_ROOT\comfile\shell\open\command
  (Default) = "%1" %*
  It changes this entry to:
  HKEY_CLASSES_ROOT\comfile\shell\open\command
  (Default) = %sysdir%\toxic.exe "%1"%*
- HKEY_CLASSES_ROOT\exefile\shell\open\command
  (Default) = "%1" %*
  It changes this entry to:
  HKEY_CLASSES_ROOT\exefile\shell\open\command
  (Default) = %sysdir%\toxic.exe "%1"%*
- HKEY_CLASSES_ROOT\piffile\shell\open\command
  (Default) = "%1" %*
  It changes this entry to:
  HKEY_CLASSES_ROOT\piffile\shell\open\command
  (Default) = %sysdir%\toxic.exe "%1"%*
- HKEY_CLASSES_ROOT\lnkfile\shell\open\command
  (Default) = "%1" %*
  It changes this entry to:
  HKEY_CLASSES_ROOT\lnkfile\shell\open\command
  (Default) = %sysdir%\toxic.exe "%1"%*

By modifying these entries, whenever a file with a BAT, COM, EXE, PIF or LNK extension is run, Tixcet.A is run as well as the file.

Finally, it modifies these entries from the Windows Registry, in order to make its detection more difficult:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  SuperHidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  SuperHidden = 00, 00, 00, 00
  It hides the files and folders with hidden attributes.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 00, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 01, 00, 00, 00
  It hides the extension of the files.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 00, 00, 00, 00
  It hides the files of the operating system.
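
As an added example (not part of the original write-up or of any vendor tool), the following Python code checks the string values of a `reg export` text file against the autostart and file-handler changes listed above. The sample export is constructed, `C:\WINDOWS` stands in for `%windir%`, and treating `cmd.exe` as the expected AlternateShell value is an assumption based on the Windows default, not something this page states.

```python
import re

WORM_FILES = ("poison.exe", "cetix.exe", "toxic.exe", "racun.exe", "vserve.exe")  # from the write-up
HANDLERS = tuple(r"\%sfile\shell\open\command" % e for e in ("bat", "com", "exe", "pif", "lnk"))
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')  # string values only; dword/hex are skipped

def parse_reg(text):
    """Parse string values of a .reg export into {(key, name): data}; key and name lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and m:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            values[(key, name)] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return values

def audit(values):
    """Return sorted (rule, key) hits; cmd.exe as stock AlternateShell is an assumed default."""
    hits = []
    for (key, name), data in values.items():
        low = data.lower().strip()
        if key.endswith(r"\winlogon") and name == "shell" and low != "explorer.exe":
            hits.append(("winlogon-shell", key))
        elif key.endswith(r"\winlogon") and name == "userinit" and low.rstrip(",").count(","):
            hits.append(("winlogon-userinit", key))  # more than one program in Userinit
        elif key.endswith(r"\control\safeboot") and name == "alternateshell" and low != "cmd.exe":
            hits.append(("safeboot-alternateshell", key))
        elif name == "" and key.endswith(HANDLERS) and not low.startswith('"%1"'):
            hits.append(("file-handler", key))  # a program was placed in front of "%1"
        elif key.endswith(r"\currentversion\run") and low.endswith(WORM_FILES):
            hits.append(("run-key", key))
    return sorted(hits)

# Constructed sample export, not taken from a real host; C:\WINDOWS stands in for %windir%.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\poison.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\poison.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\cetix.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\toxic.exe \"%1\"%*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Cetix"="C:\\WINDOWS\\cetix.exe"
'''
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `parse_reg`.
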

Means of transmission

Tixcet.A reaches the computer in a file that has the icon of a Word document, in order to deceive users into thinking it is a harmless file:

Additionally, it spreads by making copies of itself throughout the system. Whenever a directory is accessed, it creates a copy of itself with the same name as the directory. Then, it deletes the files it finds in that directory and creates copies of itself with an .EXE extension, keeping the name of the original file.

Further Details

Tixcet.A is written in the programming language Visual Basic v5.0. This worm is 46,080 bytes in size and it is compressed with UPX.

Additionally, it creates the following files, which make reference to its author, as an infection mark:

- ABOUTCETIX.HTML, in the root directory of the C: drive and on the Desktop.
- INFOBALI.TXT, in the root directory of the C: drive.
