

VIRUS ALERTS

Worm Tixcet.A

Original issue date: June 24, 2008

It has been observed that a Worm named Tixcet.A is circulating widely. The worm reaches the computer in a file that carries the icon of a Word document, to trick users into believing the file is genuine.

When run, it creates several copies of itself on the infected system and adds keys to the Windows registry. It deletes files with several extensions and replaces them with copies of itself that keep the names of the original files. Among the affected extensions are:

  • Office files (.DOC, .XLS, .PPT, .MDB, .PDF and .XML)
  • Multimedia files (.MP3, .3GP, .DAT, .MOV and .WAV)
  • Image files (.JPG, .BMP and .GIF)
  • Executable files (.BAT, .COM and .SCR)
  • ZIP and RAR archives

Alias: W32/Tixcet.A.worm

Upon execution, the Worm:

  • Restarts the computer.
  • Adds the word CETix to the notification area.
  • Whenever any directory is accessed, the worm creates a copy of itself with the same name as the directory that has been accessed. Then it deletes all the files it finds in that directory and creates a copy of itself with the name of the original file and an .EXE extension. Also, the next time that directory is accessed, if any of the files located there is selected, the worm will create again a copy of itself.
  • Does not allow files to be copied, as it disables the Paste option when a file is about to be copied. When content is selected to be copied, what is really copied is not the selected content but the following text:
    Hello ! My Name is CETiX, nice to meet you
  • Prevents the Task Manager, the Windows Registry Editor and the command shell from being run.
  • Ends the processes whose window title contains any of the following text strings:
    ANVIECLAZZ, BITDEF, CabinetWClass, DETEC, ExploreWClass, GRISOFT, HIJACK, KASPER, NORMAN, NORTON, PROCEXPL, SETUP, SYSINTER, WINDOWS.
  • When it detects certain monitoring or detection tools while Windows Explorer is active, it replaces the window title with the text “CETiX: Don't Kill Me Please...! My name is CETiX, Nice to meet you...”
  • Modifies the system properties by changing the name under which the system is registered to CETIX BALi.
  • Drops the following files:
    • FILES.EXE, UNTITLED.EXE, ADMINISTRADOR.EXE, CETIX.EXE and XZ.EXE, in the root directory of the C: drive.
    • CETIX.EXE and RACUN.EXE, in the Windows directory.
    • POISON.EXE and TOXIC.EXE, in the Windows system directory.
    • VSERVE.EXE, in the Startup directory.
    • ABOUTCETIX.HTML, in the root directory of the C: drive and on the Desktop, and INFOBALI.TXT, in the root directory of the C: drive.
  • Creates the following registry entries to ensure it is run whenever Windows is started:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Poison = %sysdir%\poison.exe
      Cetix = %windir%\cetix.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Shell = explorer.exe %sysdir%\poison.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = %sysdir%\userinit.exe,%sysdir%\poison.exe,
  • By creating this entry it ensures that it is run even when the system is restarted in Safe Mode:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 (or ControlSet002 or CurrentControlSet)\Control\SafeBoot
      AlternateShell = %windir%\cetix.exe
  • Changes the organization and user name to which the operating system is registered by modifying the registry values:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
      RegisteredOrganization = CETiX BALi
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
      RegisteredOwner = XZ
  • By these two modifications, it adds the word CETiX to the notification area:
    • HKEY_CURRENT_USER\Control Panel\International
      s1159 = AM | CETiX
    • HKEY_CURRENT_USER\Control Panel\International
      s2359 = PM | CETiX
  • By modifying these entries, whenever a file with a .BAT, .COM, .EXE, .PIF or .LNK extension is opened, not only that file but also Tixcet.A is run:
    • HKEY_CLASSES_ROOT\batfile (or comfile, exefile, piffile or lnkfile)\shell\open\command
      (Default) = %sysdir%\toxic.exe "%1"%*
  • Hides files, folders, file extensions and system files (files with hidden attributes) by modifying:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      SuperHidden = 00, 00, 00, 00
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      HideFileExt = 01, 00, 00, 00
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      ShowSuperHidden = 00, 00, 00, 00

REMOVAL

  • Temporarily disable System Restore.
  • Update the virus definitions.
  • Reboot the computer in Safe Mode.
  • Run a full system scan and clean/delete all infected file(s).
  • Delete/modify any values added to the registry.
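To support the last two removal steps, the following PowerShell script audits a machine for the dropped files and registry values listed in this alert. It is an added example, not a CERT-In or Panda Security tool: it assumes the file names and registry values above describe the sample accurately, and that %sysdir% and %windir% correspond to the System and Windows folders of the machine being checked. It is read-only and only reports what it finds.

```powershell
# Read-only audit for the Tixcet.A indicators listed in this alert. Added example, not a
# CERT-In or Panda Security tool. Assumes the file names and registry values in the alert
# describe the sample accurately and that %sysdir% / %windir% are the System and Windows
# folders of this machine. Changes nothing: clean-up is done by the antivirus scan and by
# hand, as in the removal steps. Run from an elevated PowerShell prompt, ideally after
# booting into Safe Mode.

$sysdir  = [Environment]::GetFolderPath('System')    # %sysdir%, e.g. C:\Windows\system32
$windir  = [Environment]::GetFolderPath('Windows')   # %windir%, e.g. C:\Windows
$startup = [Environment]::GetFolderPath('Startup')   # current user's Startup folder
$desktop = [Environment]::GetFolderPath('Desktop')
$root    = "$env:SystemDrive\"                       # usually C:\

# Files the alert says the worm drops. The copies it makes under the names of existing
# files and directories are not listed here; the full antivirus scan covers those.
$droppedFiles = @(
    foreach ($n in 'FILES.EXE','UNTITLED.EXE','ADMINISTRADOR.EXE','CETIX.EXE','XZ.EXE','ABOUTCETIX.HTML','INFOBALI.TXT') {
        Join-Path $root $n
    }
    Join-Path $windir  'CETIX.EXE'
    Join-Path $windir  'RACUN.EXE'
    Join-Path $sysdir  'POISON.EXE'
    Join-Path $sysdir  'TOXIC.EXE'
    Join-Path $startup 'VSERVE.EXE'
    Join-Path $desktop 'ABOUTCETIX.HTML'
)

# Registry values from the alert, each with a regex the value data must match to count
# as a hit (-match is case-insensitive by default). Explorer\Advanced is left out:
# HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults.
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$regIndicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Poison'; Pattern = 'poison\.exe' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cetix';  Pattern = 'cetix\.exe' }
    @{ Path = "$nt\Winlogon"; Name = 'Shell';    Pattern = 'poison\.exe' }
    @{ Path = "$nt\Winlogon"; Name = 'Userinit'; Pattern = 'poison\.exe' }
    @{ Path = $nt; Name = 'RegisteredOrganization'; Pattern = 'CETiX' }
    @{ Path = $nt; Name = 'RegisteredOwner';        Pattern = '^XZ$' }
    @{ Path = 'HKCU:\Control Panel\International'; Name = 's1159'; Pattern = 'CETiX' }
    @{ Path = 'HKCU:\Control Panel\International'; Name = 's2359'; Pattern = 'CETiX' }
    foreach ($cs in 'ControlSet001','ControlSet002','CurrentControlSet') {
        @{ Path = "HKLM:\SYSTEM\$cs\Control\SafeBoot"; Name = 'AlternateShell'; Pattern = 'cetix\.exe' }
    }
    foreach ($cls in 'batfile','comfile','exefile','piffile','lnkfile') {
        @{ Path = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"; Name = '(default)'; Pattern = 'toxic\.exe' }
    }
)

function Get-RegistryValueData {
    # Returns the data of one registry value as a string, or $null if the key or value
    # is absent. REG_BINARY data arrives as a byte array and is joined so that every
    # value type can be regex-matched the same way.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return ($prop.Value -join ' ')
}

$findings = @()
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = '' }
    }
}
foreach ($r in $regIndicators) {
    $data = Get-RegistryValueData -Path $r.Path -Name $r.Name
    if ($null -ne $data -and $data -match $r.Pattern) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($r.Path) -> $($r.Name)"; Data = $data }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the Tixcet.A indicators listed in the alert were found.'
} else {
    Write-Output "$($findings.Count) indicator(s) found. Review and clean each one:"
    $findings | Format-Table Type, Location, Data -AutoSize -Wrap
}
```

When cleaning up hits, note that the Winlogon Shell and Userinit values, the SafeBoot AlternateShell value and the batfile/comfile/exefile/piffile/lnkfile open commands must be restored rather than deleted, since Windows needs them to log on and to launch programs (the normal values are explorer.exe, %sysdir%\userinit.exe, cmd.exe and "%1" %* respectively); the Run entries, on the other hand, can simply be removed. Because the worm replaces files in every directory it sees accessed, a clean audit here does not replace the full antivirus scan.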

In view of the rapid propagation of the Tixcet.A Worm, users are advised to implement the following countermeasures:

  • Exercise caution while opening e-mail attachments received from unknown sources.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.

References

http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=det&idvirus=193879
http://pandalabs.pandasecurity.com/archive/Be-careful-with-Tixcet.A.aspx

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003