Win32.Cydog.C@mm( Win32/Kickin.A@mm / I-Worm.Cydog.c / W32.HLLW.Kickin.A@mm / WORM_CYDOG.C / Win32.HLLM.Cydog )
SYMPTOMS: CYBERWOLF.EXE KERNEL32.EXE API HOOKING-TUTORIAL.EXE Q30215HOTFIX.PIF FIXSQL.COM HOTMAIL HACKER.EXE LAST SUMMER.SCR MAGICAL-SCREENSAVER.SCR LOVE.SCR OUTWAR DEMO.EXE SOCCER DATABASE.EXE CHRISTINA AGUILERA-THE MOST BEAUTIFUL GIRL ON EARTH.SCR SADDAM-THE REAL PICS.SCR VIRTUAL JOKE.SCR SETUP.EXE MSNMSGS.EXE SARS-GUIDE.SCR FORMAT.COM MAPI32.DRV [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CyberWolf=\" %WINDOWS%\\CyberWolf.exe\"] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Kernel=\"%WINDOWS%\\System\\Kernel32.exe\"] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\System=\"%WINDOWS%\\System\\Kernel32.exe\"] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced \\Hidden=2] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ HideFileExt=1] [HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command=\" %WINDOWS%\\System\\kernel32.exe\"%1\"%*\"] where %WINDOWS% points to Windows folder, eg: C:\\Windows TECHNICAL DESCRIPTION: Win32.Cydog.C@mm is a mass-mailer that can spread through e-mail, kazaa and some other peer-to-peer programs and Mirc.It has its own SMTP engine and it will use the default smtp server found in registry as well as hardcoded values to send e-mails with itself as attachment. Once executed, the worm does the following: Creates a mutex called \"W32.Hllw.Cydog.D@mm by CyberWolf\" and also the events \"Die by Technology\" and \"CyberWolf\". Creates the aforementioned files and registry keys, with the \"hidden\" attribute set. It stays resident in memory, thus it will terminate when attempting to execute all processes named : \"Norton AntiVirus\" \"LiveUpdate\" \"System Configuration Utility\" \"Process Viewer\" \"Registry-Editor\" \"Windows Task Manager\" and will not allow execution of exe files whose name contain: NETSERVICES COMMAND SYSHELP RAVMOND WINRPC WINHELP WINGATE NPROTECT CLEANER WINDRIVER TASKMGR MSCONFIG REGEDIT ANTI-TROJAN BLACKICE ZONEALARM LOCKDOWNADVANCED NVC95 FP-WIN IOMON98 PCCWIN98 F-PROT F-STOPW IAMSERV.EXE NAVWNT NAVRUNR NAVLU32 NAVAPSVC VSMON.EXE SYMPROXYSVC RESCUE32 NISSERV VSECOMR VETTRAY TDS2-NT CCAPP.EXE SCAN32 PCFWALLICON NSCHED32 SPHINX.EXE FRW.EXE MCAFEE ATRACK PVIEW.EXE LUCOMSERVER LUALL.EXE NMAIN.EXE NAVW32 NAVAPW32 VSSTAT VSHWIN32 AVSYNMGR AVCONSOL WEBTRAP POP3TRAP PCCMAIN PCCIOMON ESAFE.EXE AVPM.EXE AVPCC.EXE AMON.EXE ALERTSVC ZAPRO.EXE AVP32 LOCKDOWN2000 AVP.EXE CFINET32 CFINET ICMON SAFEWEB WEBSCANX IAMAP It harvests e-mails by searching for files that match \"*.*ht*\" and \"*.*ml*\" in the default wab file, Internet Explorer cache, also by following the registry keys: [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Messenger Service\\ListCache\\MSN Messenger Service] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Messenger Service\\ListCache\\.NET Messenger Service] [HKEY_LOCAL_MACHINE\\Software\\Yahoo\\Pager\\profiles\\%version%\\IMVironments\\Recent] [HKEY_LOCAL_MACHINE\\Software\\Yahoo\\Pager\\profiles] [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\WAB\\WAB4\\Wab File Name] [HKEY_LOCAL_MACHINE\\Software\\Mirabilis\\ICQ\\DefaultPrefs] It will attempt to place copies of itself under the next names: Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe WebAttack-DoS Tool.exe FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe Yahoo Remote Password Cracker Deluxe 2003.exe AIM Remote Password Cracker.exe Hotmail Exploiter 2003.exe XNuker 2003.exe Ultimate HackProg.exe Msn Messenger Remote Password Cracker 2003.exe Netbios hacker.exe Chaos Ip Spoof 2003.exe in the download folder of Kazaa, and in the next folders: C:\\Program Files\\Morpheus\\My Shared Folder C:\\Program Files\\Bearshare\\Shared C:\\Program Files\\Edonkey2000\\Incoming Mirc spreading: it drops script.ini file in Mirc folder and attemtps to send Magical-Screensaver.scr to all users in the current channel. It finds Mirc folder by following the registry key [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\mIRC] It has a payload, triggered on Monday on Wednesdays, by dropping two text files, \"CyberWolf.txt\" and \"Windows.l0g\" in Windows folder, containing messages from the author of the worm and if the day of the month is 30 it attempts to open 999,999 instances of Internet Explorer. After each infection, the internet worm will send the next e-mail to some AV companies: Subject: Hi,i\'m 100% sure i\'m infected! Body: mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you\'ll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number... and will attempt to open several internet pages in the default internet browser. The infected e-mails look like this (bodies of the e-mails are not shown): From: \"Lovergirl@yahoo.com\" Subject: \"Fwd:Fwd:Fwd:Watch out for SARS!\" Attachment: \"SARS-Guide.scr\" ------------------------------------------------- From: \"Webmaster@planet-source-code.com\" Subject: \"Api Hooking Tutorial...\" Attachment: \"Api Hooking-Tutorial.exe\" ------------------------------------------------- From: \"Support@microsoft.com\" Subject: \"Windows Hotfix!\" Attachment \"Q30215HOTFIX.pif\" ------------------------------------------------- From: \"SecurityResponse@symantec.com\" Subject: \"Warning from Symantec.com\" Attachment: \"FixSql.com\" ------------------------------------------------- From: \"Admin@hackers.com\" Subject: \"u wanted to hack?\" Attachment: \"Hotmail Hacker.exe\" ------------------------------------------------- From: \"Lovergirl963@hotmail.com\" Subject: \"Do you remember last summer?\" Attachment: \"Last Summer.scr\" ------------------------------------------------- From: \"Lovergirl33@hotmail.com\" Subject: \"Fwd:Fwd:Fwd:Sit back and be surprised...\" Attachment: \"Magical-Screensaver.scr\" ------------------------------------------------- From: \"Admin@screensavers.com\" Subject: \"The Magical screensaver\" Attchment: \"Magical-Screensaver.scr\" ------------------------------------------------- From: \"Webmaster@Loveforlife.com\" Subject: \"Feel the reason why we fall in love...\" Attachment: \"Love.scr\" ------------------------------------------------- From: \"Webmaster@Outwar.com\" Subject: \"Outwar is proud to present you:Outwar InterActive\" Attachment: \"OutWar Demo.exe\" ------------------------------------------------- From: \"Soccerfan@yahoo.com\" Subject: \"Fwd:Fwd:Fwd:Soccer...\" Attachment: \"Soccer Database.exe\" ------------------------------------------------- From: \"Webmaster@beautifulgirls\" Subject: \"Christina Aguilera:The most beautiful girl on earth\" Attachment: \"Christina Aguilera-The most beautiful girl on earth.scr\" ------------------------------------------------- From: \"webmaster@screensavers.com\" Subject: \"Saddam alive and kickin\'\" Attachment: \"Saddam-the real pics.scr\" ------------------------------------------------- From: \"Admin@jokes.com\" Subject: \"The Virtual Joke...\" Attachment: \"Virtual Joke.scr\" ------------------------------------------------- From: \"flipbabe@hotmail.com\" Subject: \"Fwd:Fwd:Whats really happening in bagdad\" Attachment: \"Saddam-the real pics.scr\" ------------------------------------------------- From: \"mailinglist@Msn.com\" Subject: \"Get the new Msn 5.1!\" Attachment: \"MsnMsgs.exe\" ------------------------------------------------- From: \"nice_girl21@hotmail.com\" Subject: \"Fwd:How to protect yourself against SARS\" Attachemnt: \"SARS-Guide.scr\" Removal instructions: manual removal: first, copy and paste the next lines into a file called REMOVE.REGREGEDIT 4 [-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CyberWolf] [-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Kernel] [-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\System] [HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command=\"%1\" %*] execute it, and then delete all aforementioned files. automatic removal: let BitDefender delete/disinfect files found infected. ANALYZED BY: Patrick VicolBitDefender Virus Researcher |
