VBS.Cian.C@mm

HIGH
HIGH
16766 bytes (the original VBS file)
(VBS.Cian.C@mm (X97M), VBS.Cian.C@mm (W97M), I-Worm.Thery.b)

Symptoms

-The files "Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs" and "Winnet32.vbs" are present in the system folder (C:\Windows\System or C:\Winnt\System32).
-The files "Netlnk32.vbs" and "Conversation.vbe" are present in the Windows folder (C:\Windows or C:\Winnt).
-The registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winstart"
has the value "Wscript.exe \Winstart.vbs %1", where the path in front of "\Winstart.vbs" is the system folder (C:\Windows\System or C:\Winnt\System32).
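
The symptoms above can be checked offline against a suspect volume mounted under a directory. The following is an added example, not BitDefender's code: the function names are hypothetical, the volume layout built in demo() is constructed, and names are matched case-insensitively as Windows file systems do.

```python
import re
import tempfile
from pathlib import Path

# File names from the Symptoms list (lower-cased), keyed by folder path parts.
SYS = {"winstart.vbs", "wininst32.vbs", "winnt32.vbs", "winnet32.vbs"}
WIN = {"netlnk32.vbs", "conversation.vbe"}
INDICATORS = {("windows", "system"): SYS, ("winnt", "system32"): SYS,
              ("windows",): WIN, ("winnt",): WIN}
# Run\Winstart value data: Wscript.exe, optional folder prefix, \Winstart.vbs %1
RUN_DATA = re.compile(r"^\s*wscript\.exe\s+.*\\winstart\.vbs\s+%1\s*$", re.I)


def _child(folder, name):
    """Case-insensitive lookup of one directory entry, or None if absent."""
    if folder is None or not folder.is_dir():
        return None
    return next((p for p in folder.iterdir() if p.name.lower() == name), None)


def scan_volume(root):
    """Return sorted relative paths of indicator files found under root."""
    hits = []
    for parts, names in INDICATORS.items():
        folder = Path(root)
        for part in parts:
            folder = _child(folder, part)
        if folder is None or not folder.is_dir():
            continue
        hits += [p.relative_to(root).as_posix() for p in folder.iterdir()
                 if p.is_file() and p.name.lower() in names]
    return sorted(hits)


def run_value_matches(data):
    """True if the data of a Run\\Winstart value starts Winstart.vbs via Wscript."""
    return bool(RUN_DATA.match(data))


def demo():
    """Scan a constructed volume layout created in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "WINDOWS", "SYSTEM")
        system.mkdir(parents=True)
        (system / "WINSTART.VBS").write_text("placeholder")    # indicator name
        (system / "notepad.vbs").write_text("placeholder")     # unrelated name
        (system.parent / "Conversation.vbe").write_text("placeholder")
        return scan_volume(tmp)
```

A file name match alone is a lead, not a verdict; confirm with the Run key value and an antivirus scan of the files reported.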

Removal instructions:

Automatic removal: let BitDefender disinfect/delete the files found infected.

Analyzed By

Mihaela Stoian BitDefender Virus Researcher

Technical Description:

The virus copies itself to the system folder (C:\Windows\System or C:\Winnt\System32) as "Winstart.vbs", "Wininst32.vbs", "Winnt32.vbs" and "Winnet32.vbs" and to the Windows folder (C:\Windows or C:\Winnt) as "Netlnk32.vbs" and "Conversation.vbe".
It creates the registry key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winstart"
with the value "Wscript.exe \Winstart.vbs %1", where the path in front of "\Winstart.vbs" is the system folder (C:\Windows\System or C:\Winnt\System32), so that the "Winstart.vbs" copy of the virus runs at every restart of the system.
It overwrites the file "personal.xls" in the Excel startup folder (for instance "C:\Windows\Application Data\Microsoft\Excel\Startup") so that xls-files are infected when they are opened.
It creates a temporary file "Evade.gif" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing the malicious code used to infect xls-files.
It overwrites the file "normal.dot" in the Word template folder (for instance "C:\Windows\Application Data\Microsoft\Templates") so that Word documents are infected when they are opened.
It creates a temporary file "Evade.jpg" (not a real picture) in the system folder (C:\Windows\System or C:\Winnt\System32) containing the malicious code used to infect documents.
It copies itself as "Passwords.vbs" to the root of every drive of the system, except "C:\".
It adds its code to every ".vbs" or ".vbe" file in every folder of every drive.
The virus overwrites, as ".vbs" files, all the ".mp3", ".mp2", ".avi", ".mpg", ".mpeg", ".mpe", ".mov", ".pdf", ".doc", ".xls", ".mdb", ".ppt" and ".pps" files within the folders:
"C:\Kazaa\My Shared Folder"
"C:\My Downloads"
"\Kazaa\My Shared Folder"
"\KaZaA Lite\My Shared Folder"
"\Bearshare\Shared"
"\Edonkey2000"
"\Morpheus\My Shared Folder"
"\Grokster\My Grokster"
"\ICQ\\Shared Files".
It overwrites the file "script.ini" in the mIRC folder, in order to send a copy of itself ("Conversation.vbe" from the Windows folder) through mIRC.
The VBA form of the virus infects all accessed Word documents and Excel workbooks. It modifies the security levels for Word and Excel.
Infected documents spread themselves by e-mail with the subject:
-"Here is that file"
-"Important file"
-"The file"
-"Word file"
-"The file you wanted"
-"Here is the file" or
-the name of the infected document.
The body of the e-mail is:
"The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected document itself.
Infected xls-files spread themselves by e-mail with the subject:
-"Here is that file"
-"Important file"
-"The file"
-"Excel file"
-"The file you wanted"
-"Here is the file" or
-the name of the infected xls-file.
The body of the e-mail is also:
"The file I am sending you is confidential as well as important; so don't let anyone else have a copy."
The attachment is the infected xls-file.