My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Cydog.C@mm

LOW
LOW
249,856 bytes
(Win32/Kickin.A@mm / I-Worm.Cydog.c / W32.HLLW.Kickin.A@mm / WORM_CYDOG.C / Win32.HLLM.Cydog)

Symptoms

  • Presence of the next file in Windows folder:
    CYBERWOLF.EXE

  • Presence of the next file in Windows\System folder:
    KERNEL32.EXE
    API HOOKING-TUTORIAL.EXE
    Q30215HOTFIX.PIF
    FIXSQL.COM
    HOTMAIL HACKER.EXE
    LAST SUMMER.SCR
    MAGICAL-SCREENSAVER.SCR
    LOVE.SCR
    OUTWAR DEMO.EXE
    SOCCER DATABASE.EXE
    CHRISTINA AGUILERA-THE MOST BEAUTIFUL GIRL ON EARTH.SCR
    SADDAM-THE REAL PICS.SCR
    VIRTUAL JOKE.SCR
    SETUP.EXE
    MSNMSGS.EXE
    SARS-GUIDE.SCR
    FORMAT.COM
    MAPI32.DRV

  • Presence of the next registry keys:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CyberWolf="
    %WINDOWS%\CyberWolf.exe\"]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows
    Kernel="%WINDOWS%\System\Kernel32.exe"]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System="%WINDOWS%\System\Kernel32.exe"]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    \Hidden=2]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    HideFileExt=1]

    [HKEY_CLASSES_ROOT\exefile\shell\open\command="
    %WINDOWS%\System\kernel32.exe"%1"%*"] where %WINDOWS% points to Windows folder, eg: C:\Windows



  • Removal instructions:

    manual removal: first, copy and paste the next lines into a file called REMOVE.REG
    REGEDIT 4

    [-HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows\CurrentVersion\Run\CyberWolf]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Kernel]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System]
    [HKEY_CLASSES_ROOT\exefile\shell\open\command="%1" %*]

    execute it, and then delete all aforementioned files.

    automatic removal: let BitDefender delete/disinfect files found infected.

    Analyzed By

    Patrick Vicol BitDefender Virus Researcher

    Technical Description:

    Win32.Cydog.C@mm is a mass-mailer that can spread through e-mail, kazaa and some other peer-to-peer programs and Mirc.
    It has its own SMTP engine and it will use the default smtp server found in registry as well as hardcoded values to send e-mails with itself as attachment.

    Once executed, the worm does the following:
    Creates a mutex called "W32.Hllw.Cydog.D@mm by CyberWolf" and also the events "Die by Technology" and "CyberWolf".
    Creates the aforementioned files and registry keys, with the "hidden" attribute set.
    It stays resident in memory, thus it will terminate when attempting to execute all processes named :
    "Norton AntiVirus"
    "LiveUpdate"
    "System Configuration Utility"
    "Process Viewer"
    "Registry-Editor"
    "Windows Task Manager"
    and will not allow execution of exe files whose name contain:
    NETSERVICES
    COMMAND
    SYSHELP
    RAVMOND
    WINRPC
    WINHELP
    WINGATE
    NPROTECT
    CLEANER
    WINDRIVER
    TASKMGR
    MSCONFIG
    REGEDIT
    ANTI-TROJAN
    BLACKICE
    ZONEALARM
    LOCKDOWNADVANCED
    NVC95
    FP-WIN
    IOMON98
    PCCWIN98
    F-PROT
    F-STOPW
    IAMSERV.EXE
    NAVWNT
    NAVRUNR
    NAVLU32
    NAVAPSVC
    VSMON.EXE
    SYMPROXYSVC
    RESCUE32
    NISSERV
    VSECOMR
    VETTRAY
    TDS2-NT
    CCAPP.EXE
    SCAN32
    PCFWALLICON
    NSCHED32
    SPHINX.EXE
    FRW.EXE
    MCAFEE
    ATRACK
    PVIEW.EXE
    LUCOMSERVER
    LUALL.EXE
    NMAIN.EXE
    NAVW32
    NAVAPW32
    VSSTAT
    VSHWIN32
    AVSYNMGR
    AVCONSOL
    WEBTRAP
    POP3TRAP
    PCCMAIN
    PCCIOMON
    ESAFE.EXE
    AVPM.EXE
    AVPCC.EXE
    AMON.EXE
    ALERTSVC
    ZAPRO.EXE
    AVP32
    LOCKDOWN2000
    AVP.EXE
    CFINET32
    CFINET
    ICMON
    SAFEWEB
    WEBSCANX
    IAMAP

    It harvests e-mails by searching for files that match "*.*ht*" and "*.*ml*" in the default wab file, Internet Explorer cache, also by following the registry keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Messenger Service\ListCache\MSN Messenger Service]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Messenger Service\ListCache\.NET Messenger Service]
    [HKEY_LOCAL_MACHINE\Software\Yahoo\Pager\profiles\%version%\IMVironments\Recent]
    [HKEY_LOCAL_MACHINE\Software\Yahoo\Pager\profiles]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\WAB4\Wab File Name]
    [HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\DefaultPrefs]

    It will attempt to place copies of itself under the next names:

    Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
    WebAttack-DoS Tool.exe
    FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
    Yahoo Remote Password Cracker Deluxe 2003.exe
    AIM Remote Password Cracker.exe
    Hotmail Exploiter 2003.exe
    XNuker 2003.exe
    Ultimate HackProg.exe
    Msn Messenger Remote Password Cracker 2003.exe
    Netbios hacker.exe
    Chaos Ip Spoof 2003.exe

    in the download folder of Kazaa, and in the next folders:

    C:\Program Files\Morpheus\My Shared Folder
    C:\Program Files\Bearshare\Shared
    C:\Program Files\Edonkey2000\Incoming

    Mirc spreading: it drops script.ini file in Mirc folder and attemtps to send Magical-Screensaver.scr to all users in the current channel. It finds Mirc folder by following the registry key

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]

    It has a payload, triggered on Monday on Wednesdays, by dropping two text files, "CyberWolf.txt" and "Windows.l0g" in Windows folder, containing messages from the author of the worm and if the day of the month is 30 it attempts to open 999,999 instances of Internet Explorer.

    After each infection, the internet worm will send the next e-mail to some AV companies:
    Subject:
    Hi,i'm 100% sure i'm infected!


    Body:
    mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you'll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number...
    and will attempt to open several internet pages in the default internet browser.
    The infected e-mails look like this (bodies of the e-mails are not shown):

    From: "Lovergirl@yahoo.com"
    Subject: "Fwd:Fwd:Fwd:Watch out for SARS!"
    Attachment: "SARS-Guide.scr"

    -------------------------------------------------
    From: "Webmaster@planet-source-code.com"
    Subject: "Api Hooking Tutorial..."
    Attachment: "Api Hooking-Tutorial.exe"

    -------------------------------------------------
    From: "Support@microsoft.com"
    Subject: "Windows Hotfix!"
    Attachment "Q30215HOTFIX.pif"

    -------------------------------------------------
    From: "SecurityResponse@symantec.com"
    Subject: "Warning from Symantec.com"
    Attachment: "FixSql.com"

    -------------------------------------------------
    From: "Admin@hackers.com"
    Subject: "u wanted to hack?"
    Attachment: "Hotmail Hacker.exe"

    -------------------------------------------------
    From: "Lovergirl963@hotmail.com"
    Subject: "Do you remember last summer?"
    Attachment: "Last Summer.scr"

    -------------------------------------------------
    From: "Lovergirl33@hotmail.com"
    Subject: "Fwd:Fwd:Fwd:Sit back and be surprised..."
    Attachment: "Magical-Screensaver.scr"

    -------------------------------------------------
    From: "Admin@screensavers.com"
    Subject: "The Magical screensaver"
    Attchment: "Magical-Screensaver.scr"

    -------------------------------------------------
    From: "Webmaster@Loveforlife.com"
    Subject: "Feel the reason why we fall in love..."
    Attachment: "Love.scr"

    -------------------------------------------------
    From: "Webmaster@Outwar.com"
    Subject: "Outwar is proud to present you:Outwar InterActive"
    Attachment: "OutWar Demo.exe"

    -------------------------------------------------
    From: "Soccerfan@yahoo.com"
    Subject: "Fwd:Fwd:Fwd:Soccer..."
    Attachment: "Soccer Database.exe"

    -------------------------------------------------
    From: "Webmaster@beautifulgirls"
    Subject: "Christina Aguilera:The most beautiful girl on earth"
    Attachment: "Christina Aguilera-The most beautiful girl on earth.scr"

    -------------------------------------------------
    From: "webmaster@screensavers.com"
    Subject: "Saddam alive and kickin'"
    Attachment: "Saddam-the real pics.scr"

    -------------------------------------------------
    From: "Admin@jokes.com"
    Subject: "The Virtual Joke..."
    Attachment: "Virtual Joke.scr"

    -------------------------------------------------
    From: "flipbabe@hotmail.com"
    Subject: "Fwd:Fwd:Whats really happening in bagdad"
    Attachment: "Saddam-the real pics.scr"

    -------------------------------------------------
    From: "mailinglist@Msn.com"
    Subject: "Get the new Msn 5.1!"
    Attachment: "MsnMsgs.exe"

    -------------------------------------------------
    From: "nice_girl21@hotmail.com"
    Subject: "Fwd:How to protect yourself against SARS"
    Attachemnt: "SARS-Guide.scr"