
Win32.Worm.Cycle.A

MEDIUM
LOW
10240 bytes

Symptoms

The worm will not run on Windows 95/98/Me.

- file cyclone.txt in the Windows folder;
- file svchost.exe in the "system" subfolder of the Windows folder (not to be confused with the "system32" subfolder, which holds the legitimate Windows svchost.exe);
- a service called "Host Service" that runs that copy;
- a registry value named "Generic Host Service" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run;
- a TCP listener on port 3332 and a TFTP server on UDP port 69.

Removal instructions:

Manual removal:
Terminate the worm's process (restarting in Safe Mode also works), then delete the worm's files, its Run registry value and the "Host Service" service (see the Technical Description below).

You should also install the patch from Microsoft Security Bulletin MS04-011, or apply the workarounds described there; an unpatched machine can be reinfected over TCP port 445 as soon as it is back on the network.

Automatic removal:
Let BitDefender delete infected files.

Analyzed By

BitDefender Virus Research Team

Technical Description:

This worm exploits the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, the same one used by the Sasser worms. It attempts to prevent other worms (Sasser and Blaster) from running. It was written in Visual C++ and packed with a modified version of UPX.

It infects a target by sending exploit packets to the LSA (Local Security Authority) RPC (Remote Procedure Call) service. That service is reached over a named pipe carried on the SMB (Server Message Block) protocol; SMB traditionally ran over NetBIOS over TCP/IP (session service on TCP port 139, with NetBIOS name resolution on UDP port 137), but starting with Windows 2000 it can also run directly over TCP on port 445. The worm sends its exploit packets to port 445.

On the victim, the exploit's payload opens an unauthenticated command shell on a TCP port chosen by the attacker from the range 1200 to 4199. The attacker then sends two commands through this shell: one that downloads the worm from the attacking machine's TFTP server (UDP port 69) as "cyclone.exe", and one that runs it.

Once run, the virus creates a text file "cyclone.txt" in the Windows folder containing the author's message.

It copies itself as "svchost.exe" into the "system" subfolder of the Windows folder and creates a service called "Host Service" that runs this copy; if creating the service fails, it instead adds a registry value named "Generic Host Service" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points to the copy.

It creates the mutexes "Jobaka3", "JumpallsNlsTillt" and "SkynetSasserVersionWithPingFast" to prevent some versions of the Sasser worm from running (those versions exit when they find their mutex already present); it also attempts to terminate processes named "msblast.exe", "avserve.exe", "avserve2.exe" and "skynetave.exe" (belonging to the Blaster and Sasser worms).

It starts a TFTP server on UDP port 69; if another application already holds that port, that application is terminated (and the routine that kills "msblast.exe", "avserve.exe", "avserve2.exe" and "skynetave.exe" is run again). Any client that connects and requests a file is served a copy of the worm; this is how the worm delivers itself to the machines it exploits.

One thread waits for inbound connections to the local machine's TCP port 445 and attempts to exploit each connecting host, unless that host is accepting connections on its TCP port 3332. Another thread runs a TCP server on port 3332 that accepts and immediately discards every connection; the open port serves as an "already infected" marker so the worm does not attack its own hosts again.
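The network behaviour described so far (sweeps of TCP 445, probes of the 3332 marker port, the attacker connecting to a bind shell in the 1200-4199 range on a host it just hit, and the victim pulling the worm back over TFTP/69) is enough to build a flow-level heuristic. The following is an added example, not part of Bitdefender's write-up or the worm's code: the flow records are constructed, and the threshold, reason names and the rule that a shell-range connection only counts when it follows a 445 hit on the same destination are my own choices.

```python
from collections import defaultdict

SMB_PORT, MARKER_PORT, TFTP_PORT = 445, 3332, 69
SHELL_PORTS = range(1200, 4200)      # bind shell port range 1200..4199 inclusive


def classify(flows, sweep_threshold=8):
    """Return {host: set_of_reasons} for hosts whose traffic matches the worm.

    flows: iterable of (src, dst, proto, dport) tuples in time order.
    Reasons (names chosen here, not taken from the write-up):
      smb-sweep    src hit >= sweep_threshold distinct hosts on tcp/445
      marker-probe src connected to tcp/3332 (the worm's infection marker)
      bind-shell   src connected to a port in 1200..4199 on a host it had
                   already hit on 445 (talking to the exploit's shell)
      tftp-serve   a host that src had hit on 445 came back to src on udp/69
                   (the victim fetching the worm from src's TFTP server)
    """
    smb_targets = defaultdict(set)   # src -> hosts it has contacted on tcp/445
    reasons = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == SMB_PORT:
            smb_targets[src].add(dst)
            if len(smb_targets[src]) >= sweep_threshold:
                reasons[src].add("smb-sweep")
        elif proto == "tcp" and dport == MARKER_PORT:
            reasons[src].add("marker-probe")
        elif proto == "tcp" and dport in SHELL_PORTS and dst in smb_targets.get(src, ()):
            reasons[src].add("bind-shell")
        elif proto == "udp" and dport == TFTP_PORT and src in smb_targets.get(dst, ()):
            reasons[dst].add("tftp-serve")
    return dict(reasons)


def sample_flows():
    """Constructed flow records (RFC 5737 / private addresses), not captured traffic."""
    bad, net = "10.1.1.5", "192.0.2."
    flows = [(bad, net + "10", "tcp", MARKER_PORT)]                          # marker probe
    flows += [(bad, net + str(i), "tcp", SMB_PORT) for i in range(10, 20)]   # 10-host sweep
    flows += [
        (bad, net + "12", "tcp", 2048),               # attacker talks to the victim's shell
        (net + "12", bad, "udp", TFTP_PORT),          # victim fetches cyclone.exe from attacker
        ("10.1.1.7", "10.1.1.1", "tcp", SMB_PORT),    # an ordinary file-share connection
        ("10.1.1.7", "10.1.1.9", "tcp", 3000),        # unrelated port inside the shell range
    ]
    return flows


if __name__ == "__main__":
    for host, why in classify(sample_flows()).items():
        print(host, sorted(why))
```

Only hosts with at least one reason are returned, so the benign 10.1.1.7 (one SMB connection, one unrelated connection in the shell range with no preceding 445 hit) never appears; lowering or raising `sweep_threshold` only affects the "smb-sweep" reason.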

Another thread actively scans for new victims. It first checks for an Internet connection with the InternetGetConnectedState API and by ICMP-pinging b.root-servers.net (by name and by its IP address, 192.228.79.201) and c.root-servers.net. It then chooses a range of IPs: in 20% of cases one close to the local machine's non-private IP (the first two octets are copied, the third is random), and in the other 80% a random one (the first three octets are random). It walks the range by incrementing the last octet from 0 to 254; after each successful infection it also increments the third octet. No more than 150 successful infections are performed in total.

Active infection of new hosts is done by starting further copies of this infection thread; at most 1000 such threads are allowed to run at once.
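To make the target-selection logic above concrete, here is an added simulation of one infection thread in Python; it is not the worm's code and not part of Bitdefender's analysis. The 20%/80% range choice, the 0..254 walk of the last octet, the third-octet increment after each success and the cap of 150 infections come from the description; the `marker_open` and `exploit` callbacks are hypothetical stand-ins for the worm's network code, and applying the port-3332 marker check to the active scan (the write-up only documents it for the thread that counter-attacks inbound 445 connections) is my assumption.

```python
import random

MAX_INFECTIONS = 150        # write-up: no more than 150 successful infections in total
MAX_THREADS = 1000          # write-up: at most 1000 infection threads (not modelled here)
LAST_OCTET_RANGE = range(255)   # write-up: last octet counted from 0 to 254


def choose_range(local_ip, rng):
    """Pick the first three octets of the range an infection thread will walk.

    20% of the time: first two octets of the local (non-private) address, random third.
    80% of the time: all three octets random.  rng needs random() and randrange().
    """
    a, b, _c, _d = (int(x) for x in local_ip.split("."))
    if rng.random() < 0.2:
        return a, b, rng.randrange(256)
    return rng.randrange(256), rng.randrange(256), rng.randrange(256)


def infection_thread(local_ip, rng, budget, marker_open, exploit):
    """Walk one range the way the write-up describes and return (attempted, infected).

    budget      : shared {"left": n} counter of successful infections still allowed
    marker_open : callback(ip) -> True if ip accepts on TCP 3332 (already infected);
                  applying this to the active scan is an assumption of this example
    exploit     : callback(ip) -> True if the MS04-011 exploit against ip:445 succeeded
    """
    a, b, c = choose_range(local_ip, rng)
    attempted, infected = [], []
    for d in LAST_OCTET_RANGE:
        if budget["left"] <= 0:          # global cap reached, stop scanning
            break
        target = f"{a}.{b}.{c % 256}.{d}"
        attempted.append(target)
        if marker_open(target):          # skip hosts that advertise the 3332 marker
            continue
        if exploit(target):
            infected.append(target)
            budget["left"] -= 1
            c += 1                       # write-up: third octet bumped after every success
    return attempted, infected


if __name__ == "__main__":
    rng = random.Random(2004)
    budget = {"left": MAX_INFECTIONS}
    vulnerable = lambda ip: ip.endswith((".3", ".77"))      # constructed "vulnerable" hosts
    attempted, infected = infection_thread("203.0.113.9", rng, budget,
                                           marker_open=lambda ip: False,
                                           exploit=vulnerable)
    print(len(attempted), "tried,", len(infected), "infected:", infected)
```

Note how the third-octet increment means a single thread drifts across neighbouring /24s as it succeeds, which is why the scanning pattern of an infected host looks like a diagonal walk rather than a clean sweep of one subnet.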

If the current date is before May 1st or after May 12th, another thread is created to flood web sites. The worm's first choice is www.irna.com (if it answers a TCP connection, and in 97% of the remaining cases); otherwise www.bbc.com is targeted. If the raw connection to the chosen site fails, the worm tries www.bbcnews.com or www.isna.com; if that fails too, it broadcasts its flood packets.

Many of the worm's subroutines call the AbortSystemShutdown API in an attempt to cancel the reboot that Windows schedules when the LSASS process crashes, a common side effect of a failed exploit attempt against that service.