W32/VB-CXI is a worm for the Windows platform.
W32/VB-CXI attempts to copy itself to network shares and storage devices using the names MSconfig.exe, boot.exe and New Folder.exe. In order to run automatically, W32/VB-CXI copies itself to the startup folder of network shares, and drops a clean file autorun.inf to storage devices.
W32/VB-CXI includes functionality to download, install and run new software.
When first run W32/VB-CXI copies itself to:
<Windows>\lsass.exe
<System>\lsass.exe
The following registry entries are changed to run lsass.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <System>\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,<System>\lsass.exe
W32/VB-CXI changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
Registry entries are created under:
HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz