
W32/VB-CXI

Aliases
  • Worm.Win32.VB.ck
  • Win32/Sohanad.NAE
  • WORM_SOHANAD.AG
Type
  • Worm

Summary

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 24 February 2007 06:10:02 (GMT)
Detected by All Sophos products

More Information

W32/VB-CXI is a worm for the Windows platform.

W32/VB-CXI attempts to copy itself to network shares and removable storage devices using the file names MSconfig.exe, boot.exe and New Folder.exe. With file extensions hidden (see the HideFileExt setting below), a file named New Folder.exe is displayed as New Folder. To be run automatically on other machines, the worm copies itself into the Startup folder of writable network shares and drops an autorun.inf file onto storage devices; the autorun.inf is a clean file (it contains no malicious code and is not itself detected) but it points Windows AutoRun at the worm's executable so that the worm is launched when the device is opened.

W32/VB-CXI includes functionality to download, install and run further software, so an infected machine may also carry components that are not described here.

When first run, W32/VB-CXI copies itself to:

<Windows>\lsass.exe
<System>\lsass.exe

The file name mimics the legitimate Local Security Authority process (lsass.exe), which on a clean system runs only from <System>; a file at <Windows>\lsass.exe is never legitimate.

The following registry values are changed so that lsass.exe is run at every logon:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <System>\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,<System>\lsass.exe

The default Shell value is explorer.exe and the default Userinit value is <System>\userinit.exe, (with a trailing comma). Winlogon launches every program listed in these two values, so appending the worm's path to both gives it two independent persistence mechanisms that survive the removal of either one. On a clean system neither value references lsass.exe.

W32/VB-CXI changes the Internet Explorer start page by modifying the value:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry values are set to disable system tools that a user might use to investigate or remove the infection: DisableRegistryTools blocks the Registry Editor, DisableTaskMgr blocks Task Manager and DisableConfig hides the System Restore configuration:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

Further registry values are set as follows. NoFolderOptions removes the Folder Options dialog (so hidden files and extensions cannot be made visible again), NoRun removes the Run command from the Start menu, Homepage locks the Internet Explorer home page setting so the changed start page cannot be reverted from the browser, Hidden = 2 hides hidden files and HideFileExt = 1 hides file extensions. The last two values match the Windows defaults, so on their own they are not evidence of infection:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

Registry entries are also created under the following Yahoo! Messenger keys:

HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz
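The file and registry artifacts listed above can be turned into a host audit. The following PowerShell script is an added example and is not Sophos code or part of this description. It assumes an elevated session on a default Windows installation, that the stock Winlogon values are explorer.exe and <System>\userinit.exe, (these defaults are an assumption of the example, not something the description states), and that the System32 copy of lsass.exe carries a valid Microsoft Authenticode signature. It reports each artifact and, with -Fix, restores the two Winlogon values and deletes the policy values; it does not remove the downloaded components or the copies on network shares, so run it after a full scan, not instead of one.

```powershell
# Added example (not Sophos code): audit a host for the W32/VB-CXI artifacts
# in this description and, with -Fix, restore the Windows defaults.
# Assumptions: elevated session; stock Winlogon values as given below.
[CmdletBinding()]
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]
$winDir   = $env:SystemRoot
$sysDir   = Join-Path $winDir 'System32'

# 1. Dropped copies. The genuine lsass.exe lives only in System32, so a file
#    at <Windows>\lsass.exe is a dropped copy; the System32 file is checked
#    by Authenticode signature in case it was overwritten.
$dropped = Join-Path $winDir 'lsass.exe'
if (Test-Path -LiteralPath $dropped) { $findings.Add("Dropped file present: $dropped") }

$sig = Get-AuthenticodeSignature -FilePath (Join-Path $sysDir 'lsass.exe')
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings.Add("System32\lsass.exe signature check failed: $($sig.Status)")
}

# 2. Winlogon persistence: Shell and Userinit must not reference lsass.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$sysDir\userinit.exe,"   # assumed stock value, trailing comma included
}
foreach ($name in $defaults.Keys) {
    $val = [string]$wl.$name
    if ($val -match 'lsass\.exe') {
        $findings.Add("Winlogon\$name hijacked: '$val'")
        if ($Fix) { Set-ItemProperty -Path $winlogon -Name $name -Value $defaults[$name] }
    }
}

# 3. Policy values the worm writes to lock the user out of tools. Absence is
#    the default, so remediation deletes the value rather than writing 0.
$policies = @(
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr' },
    @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name='DisableConfig' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoRun' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions' },
    @{ Key='HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name='Homepage' }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($p.Name) -eq 1) {
        $findings.Add("Policy set: $($p.Key)\$($p.Name) = 1")
        if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
    }
}

# 4. Weak indicators: Hidden=2 and HideFileExt=1 are Windows defaults and the
#    Yahoo keys may exist on any machine with Yahoo Messenger, so report only.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2 -and $adv.HideFileExt -eq 1) {
    $findings.Add('Info: hidden files and extensions are hidden (default, but enforced by the worm)')
}
foreach ($k in 'YMSGR_Launchcast', 'YMSGR_buzz') {
    if (Test-Path "HKCU:\Software\Yahoo\Pager\View\$k") { $findings.Add("Info: key present HKCU\Software\Yahoo\Pager\View\$k") }
}
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie) { $findings.Add("Info: IE Start Page = '$($ie.'Start Page')' (review manually)") }

# 5. Copies and autorun.inf on removable drives (DriveType 2).
$names = 'MSconfig.exe', 'boot.exe', 'New Folder.exe', 'autorun.inf'
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    foreach ($n in $names) {
        $f = Join-Path $_.DeviceID $n
        if (Test-Path -LiteralPath $f) { $findings.Add("Removable drive file: $f") }
    }
}

if ($findings.Count -eq 0) { 'No W32/VB-CXI indicators found.' } else { $findings }
```

The Winlogon check matches on the string lsass.exe rather than on the exact values in the description, so it also catches variants that use a different drop directory; the IE start page is only reported because the description does not record the value the worm writes, and whether it is wrong is a judgement for whoever runs the audit.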
