Trojan:JS/Agent.JP

During installation, the malware creates a decrypted copy of itself as %temp% \[Random].tmp. This file is detected as Worm.VBS.Agent.w. It then executes this decrypted copy, using the following command:

• WScript.exe /e:VBScript %temp%\[Random].tmp "Q"

Next, the malware creates the following files:

• %temp%\Yuyun.Q
• %temp%\auto.exe

The first file contains zero bytes. The file %temp%\auto.exe is actually the autorun file for the decrypted copy of the malware, and it is this particular file that is detected as Trojan:JS/Agent.JP.The malware attempts to create a copy of itself in the following Alternate Data Stream file:

• %WinDir%:Microsoft Office Update for Windows XP.sys

It also creates a copy of itself in the following folder:

• %MyDocuments%\database.mdb

Propagation

This malware is capable of propagating through infected CD ROM discs. To do so, the malware creates the following files:

• %ApplicationData%\Microsoft\CD Burning\thumb.db
• %ApplicationData%\Microsoft\CD Burning\autorun.inf

The first file is also detected as Trojan:JS/Agent.JP, while the second file is the autorun file for the first. Subsequently, all CDs burned on the infected system will be contaminated with these files.The file %ApplicationData%\Microsoft\CD Burning\autorun.inf contains the following data:

This same data is also present in the %temp%\auto.exe file.

Registry

The malware makes a number of modifications to the registry to facilitate its propagation. Some interesting changes it makes include disabling the Registry Editor by creating the following registry entries:

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\SystemDisableRegistrytools
  = dword:00000001

Also, the malware checks whether the day of the month is "1"; if so, it creates the following registries:

• HKCR\CLSID\{11111111-2222-3333-4444-555555555555}(Default) = "Yuyun_Cantix"
• HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\DefaultIcon(Default) = "shell32.dll,48"
• HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\ShellFolderAttributes = dword:00000000
• HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace\{11111111-2222-3333-4444-555555555555}

And then creates the following file:

• %temp%\v.doc

Note: v.doc is normal file.

Activation

The malware checks whether the date is April 1; if so, it runs the file %temp%\v.doc, using the following command three times:

• notepad.exe /p %temp%\v.doc

The command allows the malware to print the file under notepad.exe process. The printed file should look like this:

The malware then takes a number of actions involving:

• All found drives
• Folders under that drive
  • %MyDocuments%
  • Folders under %MyDocuments%,
  • %MyNetworkPlaces% shares
• Folders under %MyNetworkPlaces% shares

First, it drops the following files to these locations:

• thumb.db
• autorun.inf
• Microsoft.lnk

Notes: thumb.db is a copy of the malware; autorun.inf is the malware's autorun file; Microsoft.lnk is a shortcut link to "[drive]:\thumb.db".The shortcut file link text is named after the folder name.If the date is April 1, it also drops:

• A copy of %temp%\v.doc
• Baca AQ.rtf
• My name is Yuyun.rtf

It may also create one of the following shortcut file links "[drive]:\thumb.db" to these locations:

• New Harry Potter and....lnk
• New Folder.lnk
• SuratQ.lnkv
• Rahasia.lnk
• Game.lnk
• Zvnita.lnk
• Download.lnk
• DataQ.lnk

Registry Modifications

Creates these keys:

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunExplorer = Wscript.exe //e:VBScript
  "%MyDocuments%\database.mdb"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• WinUpdate = Wscript.exe //e:VBScript "%WinDir%:Microsoft Office Update for Windows XP.sys"

Deletes these keys:

• HKCR\lnkfile\IsShortcut