Trixcu.A worm
The Trixcu.A worm has been spreading through removable drives, and I have been receiving a lot of queries about it.
When an infected removable drive is opened and the worm runs, it copies itself to the following locations:
- In the Windows system directory (C:\Windows\System32):
  - Cmd.com
  - Dxdiag.com
  - Flash.10.exe
  - JambanMu.com
  - Msconfig.com
  - Ping.com
  - Regedit.com
- In C:\Program Files\Common Files\Microsoft Shared:
  - Macromedia.10.exe
- In C:\Program Files\Common Files\Microsoft Shared\DAO:
  - Msn.msn
- In C:\Documents and Settings\(User)\Start Menu\Programs\Startup:
  - (Empty).empty
  Trixcu.A deletes all the programs in the Startup directory so that they no longer run when Windows starts.

Trixcu.A creates the following folders:
- MY.SECRET.FOLD in My Documents
- NEW SONG.LAGU and NEW VIDEO.VIDZ in My Documents\My Music
- AWEKS.PIKZ and SERAM.PIKZ in My Documents\My Pictures
Trixcu.A creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Windows MSN = C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
  By creating this entry, Trixcu.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFind = 01, 00, 00, 00
  It disables the Find option of the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 01, 00, 00, 00
  It disables the Folder Options option of the Start menu.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 01, 00, 00, 00
  It doesn't allow the Windows Registry Editor to be run.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableCMD = 01, 00, 00, 00
  It doesn't allow the CMD shell to be run.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = 01, 00, 00, 00
  It prevents the Task Manager from being run.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\Date
  (Default) = 070617
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgDate
  (Default) = 070701
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\MsgMkr
  (Default) = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK AZAM
  (Default) = THIS GUY SHIT HEAD!!BIG LIER!!FUCKING GAY!!
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK DZULKIFLI
  (Default) = THIS GUY PIG HEAD!!!!U FUCKED EVERYBODY!!
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\JambanMuV2\FUCK ZAWAWI
  (Default) = THIS GUY DICK HEAD!!!NOBODY LIKES U!!!
Trixcu.A modifies the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe
  It changes this entry to:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = Explorer.exe %sysdir%\JambanMu.com
  where %sysdir% is the Windows system directory.
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  load = Flash.10.exe
  By modifying these entries, Trixcu.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Hidden = 00, 00, 00, 00
  By modifying this entry, Trixcu.A hides the files and subfolders that have the hidden attribute.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 00, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  HideFileExt = 01, 00, 00, 00
  By modifying this entry, Trixcu.A hides file extensions.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 01, 00, 00, 00
  It changes this entry to:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = %name with which the system is registered%
  It changes this entry to:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOwner = JambanMuV2
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = %name of the organization with which the system is registered%
  It changes this entry to:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  RegisteredOrganization = HELP ME!!.html
  By modifying these entries, Trixcu.A changes the names with which the operating system and the organization are registered.
The files Trixcu.A creates can be removed manually or by most antivirus products; just make sure your virus definition files are up to date. The registry entries, however, have to be removed manually.
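For the manual registry clean-up, here is an added PowerShell script (not from the original post) that audits the registry values and dropped files listed above, and with -Restore deletes the added values, puts back the pre-infection values the write-up shows and removes the JambanMuV2 marker key. It assumes a standard Windows install (HKCU:/HKLM: drives, $env:SystemRoot, $env:CommonProgramFiles) and takes the empty pre-infection value of `load` from the listing above; run it from an elevated session.

```powershell
# Added example, not from the original post: audit the registry values this
# write-up attributes to Trixcu.A and, with -Restore, delete the added values,
# put back the listed pre-infection values and remove the JambanMuV2 marker key.
# The empty pre-infection value for 'load' is assumed from the write-up's listing.
param([switch]$Restore)

$added = @(   # values the worm creates; clean-up removes them
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'Windows MSN' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
)
$modified = @(   # values the worm changes; clean-up restores the original shown in the write-up
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';           Original = 'Explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';        Name = 'load';            Original = '' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Original = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Original = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Original = 1 }
)
$markerKey = 'HKLM:\SOFTWARE\Microsoft\JambanMuV2'
$files = @('Cmd.com', 'Dxdiag.com', 'Flash.10.exe', 'JambanMu.com', 'Msconfig.com', 'Ping.com', 'Regedit.com') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }
$files += "$env:CommonProgramFiles\Microsoft Shared\Macromedia.10.exe",
          "$env:CommonProgramFiles\Microsoft Shared\DAO\Msn.msn"

# Returns the value's data, or $null when the key or value does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}
foreach ($v in $added) {
    $cur = Get-RegValue $v.Path $v.Name
    if ($null -eq $cur) { continue }
    Write-Output "ADDED   $($v.Path)\$($v.Name) = $cur"
    if ($Restore) { Remove-ItemProperty -Path $v.Path -Name $v.Name }
}
foreach ($v in $modified) {   # -eq on strings is case-insensitive, so 'explorer.exe' also passes
    $cur = Get-RegValue $v.Path $v.Name
    if ($null -eq $cur -or "$cur" -eq "$($v.Original)") { continue }
    Write-Output "CHANGED $($v.Path)\$($v.Name) = $cur (write-up lists: '$($v.Original)')"
    if ($Restore) { Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Original }
}
if (Test-Path $markerKey) {
    Write-Output "MARKER  $markerKey present"
    if ($Restore) { Remove-Item -Path $markerKey -Recurse }
}
# Dropped files are only reported; the write-up leaves their removal to the antivirus product.
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { Write-Output "FILE    $f present" } }
```

RegisteredOwner and RegisteredOrganization are left alone because their pre-infection values are not known to the script.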