F-Secure Virus Descriptions : Cydog
Cydog is an e-mail and P2P worm. Three variants are known. F-Secure Anti-Virus detects them with the update published at the beginning of March 2003 as I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c.
Technical Description
The worm is written in Visual Basic and packed with the UPX executable packer. The packed file is about 35 kilobytes.
When run, the worm displays a fake error message (reproduced verbatim, misspellings included, as they are useful for identification):
Fatal error in Windows Kernell
Please allow a 10 MINUTES acces for windows to send an error
report to microsoft in hope they solve this error
This operation could take a few moments but it will help
microsoft to make an Windows Update
If a dialog is prompted from MS Outlook then please click the
yes button to allow Windows to send the e-mail!
The worm then installs itself on the system. It copies itself to the Windows System directory under the following names:
taskmgr.exe
Rundll32.exe
Kernell32.exe
system32.exe
systems.exe
service.exe
regedit32.exe
Windows.scr
Ms-Dos.com
Windows Media Player Plugin.exe
The worm creates Run entries in the Registry for some of the dropped files. Note that the 'Windows Kernell' value as listed below points at kernel32.exe, while the file dropped to the System directory is Kernell32.exe; a cleanup should check for both names:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%windir%\CyberWolf.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Systems Service" = "%winsysdir%\service.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Kernell" = "%winsysdir%\kernel32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%winsysdir%\CyberWolf.exe"
The worm also creates Run entries that point at files which may not exist on the infected computer:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "%windir%\dllhost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Installer Service" = "%windir%\msiexec.exe"
Additionally, the worm copies itself to the Windows directory under the following names:
explorer.exe
system.exe
CyberWolf.exe
The worm modifies the default open command for EXE files:
[HKCR\exefile\shell\open\command]
so that CyberWolf.exe is run every time an executable file is started on the infected system. This also dictates the cleanup order: the key must be restored before CyberWolf.exe is deleted, otherwise no .exe (including a cleaning tool) can be started at all.
The worm appends the following lines to the SYSTEM.INI file:
[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you
The worm edits the WIN.INI file so that files of the following types are opened with the worm itself:
MP3
MPEG
MPG
WMA
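The persistence mechanisms above (the Run values, the exefile open-command hijack, the SYSTEM.INI marker and the WIN.INI media-type handlers) can all be checked offline from a registry export and copies of the two INI files. The following Python is an added example written for this page; it is neither F-Secure's tool nor code from the worm. The sample registry export and INI excerpts are constructed from the values listed above; the drive paths (C:\WINDOWS, C:\WINDOWS\SYSTEM32), the exact text of the hijacked exefile command and the WIN.INI [Extensions] form of the media-type mapping are assumptions, since the page gives none of them, and the .reg parser handles string (REG_SZ) values only.

```python
import configparser
import re

# Constructed sample of a regedit (.reg) export, NOT data from the original analysis.
# It reproduces the Run values listed above; the paths C:\WINDOWS and
# C:\WINDOWS\SYSTEM32 and the exact hijacked exefile command are assumptions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Systems Service"="C:\\WINDOWS\\SYSTEM32\\service.exe"
"Windows Kernell"="C:\\WINDOWS\\SYSTEM32\\kernel32.exe"
"dllhost"="C:\\WINDOWS\\dllhost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\SYSTEM32\\CyberWolf.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\CyberWolf.exe \"%1\" %*"
'''

# Constructed INI excerpts: the [driver32] lines are the ones the page lists; the
# WIN.INI [Extensions] form of the MP3/MPEG/MPG/WMA mapping is an assumption.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n\n[driver32]\nCyberWolf=W32.CyberWolf@mm\nHas=Infected you\n"
SAMPLE_WIN_INI = ("[Extensions]\ntxt=notepad.exe ^.txt\n"
                  "mp3=C:\\WINDOWS\\CyberWolf.exe ^.mp3\nwma=C:\\WINDOWS\\CyberWolf.exe ^.wma\n")

RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_EXEFILE_CMD = '"%1" %*'   # stock value on a clean Windows installation

# Run value names and dropped file names taken from the description above.
RUN_VALUE_NAMES = {"CyberWolf", "Windows Systems Service", "Windows Kernell",
                   "dllhost", "Windows Installer Service"}
DROPPED_FILES = {"taskmgr.exe", "rundll32.exe", "kernell32.exe", "system32.exe",
                 "systems.exe", "service.exe", "regedit32.exe", "windows.scr",
                 "ms-dos.com", "windows media player plugin.exe",
                 "explorer.exe", "system.exe", "cyberwolf.exe"}
HIJACKED_EXTENSIONS = {"mp3", "mpeg", "mpg", "wma"}

# "name"="value" or @="value", with \\ and \" escapes inside the quotes
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s):
    """Undo .reg string escaping: a backslash followed by x becomes x."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the REG_SZ entries of a regedit export into {key: {name: value}}.
    The default value is stored under the name "". Other value types are skipped."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        entries[key][name] = _unescape(m.group(2)[1:-1])
    return entries


def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str          # keep key case, e.g. "CyberWolf"
    cp.read_string(text)
    return cp


def find_persistence(reg_text, system_ini, win_ini):
    """Return (indicator, detail) pairs for the persistence mechanisms described above."""
    findings = []
    reg = parse_reg_export(reg_text)
    # exefile hijack: anything but the stock command runs on every .exe launch
    cmd = reg.get(EXEFILE_KEY, {}).get("")
    if cmd is not None and cmd.strip() != DEFAULT_EXEFILE_CMD:
        findings.append(("exefile_hijack", cmd))
    # Run entries matching the worm's value names or its dropped file names
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for name, path in reg.get(hive + RUN_KEY_SUFFIX, {}).items():
            base = path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
            if name in RUN_VALUE_NAMES or base in DROPPED_FILES:
                findings.append(("run_key", f"{hive}{RUN_KEY_SUFFIX}\\{name} = {path}"))
    # SYSTEM.INI [driver32] marker
    sysini = parse_ini(system_ini)
    if sysini.has_section("driver32") and "CyberWolf" in sysini["driver32"]:
        findings.append(("system_ini_marker", sysini["driver32"]["CyberWolf"]))
    # WIN.INI [Extensions]: media types handed to an executable
    winini = parse_ini(win_ini)
    if winini.has_section("Extensions"):
        for ext, handler in winini.items("Extensions"):
            if ext.lower() in HIJACKED_EXTENSIONS and ".exe" in handler.lower():
                findings.append(("win_ini_extension", f"{ext} -> {handler}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_persistence(SAMPLE_REG, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(f"{kind:20} {detail}")
```

On a real host the inputs would come from `regedit /e` of the three keys and from %windir%\SYSTEM.INI and WIN.INI. The exefile check compares against the stock command rather than looking for the string CyberWolf, so it also catches any other hijack of the same key.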
The worm terminates processes with the following names (mostly anti-virus and personal firewall products):
CCAPP.exe
zapro.exe
taskmgr.exe
NMAIN.exe
AVPCC.exe
AVP.exe
ANTI-TROJAN.exe
WEBSCAN.exe
NUPDATE.exe
NAVAPW32.exe
ESAFE.exe
BLACKICE.exe
CFIND.exe
KPFW32.exe
KPF.exe
LUALL.exe
AUPDATE.exe
QCONSOLE.exe
BOOTWARN.exe
CCSHTDWN.exe
AVPMON.exe
SCAN32.exe
FINDVIRU.exe
_AVP32.exe
Spreading in E-mails
The worm sends itself to all e-mail addresses it finds in the Outlook Address Book, using one of several messages. The message texts below are reproduced verbatim, including the author's spelling, since they are the most recognisable part of the lure:
Subject:
EA and EIDOS Presents...
Body:
Dear client
Some information about our long-awaited product:"CyberWolf"
CyberWolf is the newest product of Electronic Arts and Eidos Interactive!
Its a complete new technology which actualy speeds up you're
processor time needed to play game of EA and EIDOS
Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the
other games produced by these companies!
The technology behind these new product is something that clear
The speed and graphical abilities are increased by 35%,so
loading a new game wile go 35% faster!So more gameplay,less
waiting and looking at that dum screen!
But it will take sometime for EA and EIDOS to alert all peoples
who has EA and EIDOS games,but...
They decided to mail the CyberWolf-Patch to users who have games
from EA and EIDOS and to people who visited the website within
the past 18 months!
also they decided to mail this patch to workers in companies and
to other people who are using the internet regulary
If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then
just install the attachment,restart you
wait until you buy a EA or EIDOS game,and enjoy it then!the
choice is yours!
Before i forget:This patch seems to work on other games as
well,it speeds up those games by 15-30% depending on the game!
-----------------------------------------------------------------
This e-mail and any attachment thereto may contain information
which is confidential, privileged or otherwise protected from
disclosure and/or protected by EA and EIDOS property rights.
This product may NOT be soled or copied!It may only be used by
the intended recipient and this only for the purpose for which
it has been sent
If you are not the intended recipient,then please contact EA or
EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this e-mail
and attachement
We believe and warrant that this e-mail and any attachments, are
virus free,we take full responsibility about this attachment
CyberWolf
For more information please contact us at
EE-CyberWolf.patch@EA-EIDOS.com or suft to
www.EA.com/project\cyberwolf.htm and www.eidos.com\cyberwolf.asp
E-mail provided to you by Elena (Elena@EA-EIDOS.com)
Attachment:
CyberWolf-Patch.exe
Subject:
PacketStorm:WINDOWS Xp has several exploits
Body:
According to the redaction of PacketStorm
Windows Xp has several exploits which could not be removed because
if the do want to delete it then they should rewrite Kernell!
but this would mean rewriting everything Micrsoft had build up
over the last years
Bill Gates from microsoft reported that there is no exploit at
all!,it was just a joke from a hacker
attending to scar off windows XP users
However the word goes around that allready several users and
admins have been hacked by an mysterious hacker
nicknamed 'The CyberWolf'
if you want more information about this exploit and the exploit
itself,then open the included e-mail
do not forget to vote for PacktStorm when running the
attachment,Enjoy the rest of our services
This email is provided to you by PacketStorm,please enjoy our services
Attachment:
Windows Xp Exploit.exe
Subject:
A Virtual joke...the funniest around!
Body:
hi
have you heard about the CyberWolf-Joke?
i hope you didn't cause i just sended it to you,check it out!
its soooo funny you 'll laugh yourself a bunch when you see and hear the joke
haha those little bastards on your screen are soooo funny:D:D
just download and open the attached screensaver (The
CyberWolf-Joke.scr = this is actually the joke) and look at it
funny hu!!!
after you have run the joke click ctrl+shift+p to see who made it.
I hope you have fun with it
greeetttzzz
***********************************************************************
This e-mail is presented to you by Joking-Soft,a division of MicroSoft.
If you have any problems with this e-mail or attachment then
please contact us.
We take full responsability for this e-mail and attachements.
They are virusfree and are property of Joking-Soft
Please do not Sell or Distribute these atachments.
I thank you
Attachment:
The CyberWolf-Joke.scr
Subject:
A kiss from me to you...
Body:
Dear User
Someone has dropped a kiss in you're mailbox!
Check-Out the attached Kiss from the anonymous person,probably a
secret lover or a very good friend
After you have been kissed please visit www.internetkiss.com and
send this kiss to all the person who you adore or just like
You are Nr.315723625 who has received this Internet-Kiss.
This Internet-Kiss-Letter is started on 13/01/1997 and hopes to
continue until 13/01/2007.
Attachment:
My Kiss for you.scr
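Mail gateway logic for the lure messages above, as an added example that is not part of the original page (the worm's own mailer is not shown): it builds a sample MIME message with Python's standard email library (constructed input, not a captured Cydog message) and classifies it by attachment extension and by the known subject lines. Blocking on the executable extension rather than on the exact file names is the point: the .scr attachments are ordinary executables, and a renamed copy would otherwise pass.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Subjects and attachment names of the four messages listed above.
KNOWN_SUBJECTS = {
    "EA and EIDOS Presents...",
    "PacketStorm:WINDOWS Xp has several exploits",
    "A Virtual joke...the funniest around!",
    "A kiss from me to you...",
}
KNOWN_ATTACHMENTS = {
    "cyberwolf-patch.exe", "windows xp exploit.exe",
    "the cyberwolf-joke.scr", "my kiss for you.scr",
}
# Extensions Windows executes directly; a .scr screensaver is an ordinary PE file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def build_sample_message(subject, body, attachment_name=None):
    """Construct a MIME message the way a mail client would (sample input, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "Elena@EA-EIDOS.com"      # sender string used in the first lure
    msg["To"] = "victim@example.com"        # assumed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # A PE header stub is enough for the gateway logic; the real body is ~35 KB.
        msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify_message(raw):
    """Gateway decision for one RFC 5322 message: 'block', 'suspicious' or 'allow'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()   # last extension wins: "kiss.jpg.scr" -> ".scr"
        if ext in EXECUTABLE_EXTENSIONS:
            executables.append(name)
    if executables:
        verdict = "block"          # executable attachment, whatever the subject says
    elif subject in KNOWN_SUBJECTS:
        verdict = "suspicious"     # lure text without its payload: hold for review
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "subject": subject,
        "executables": executables,
        "known_cydog_name": any(n.lower() in KNOWN_ATTACHMENTS for n in executables),
    }


if __name__ == "__main__":
    raw = build_sample_message("A Virtual joke...the funniest around!",
                               "check it out!", "The CyberWolf-Joke.scr")
    print(classify_message(raw))
```

The known-name match is reported separately from the verdict so that a rule author can see whether a blocked message was this worm specifically or merely carried an executable; the verdict itself never depends on the name list.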
Spreading via file sharing networks
The worm looks for the Kazaa file sharing client. If it is installed, the worm enables sharing, creates a subfolder named 'Windows Security Haches' in the shared folder and copies itself there under the following names:
Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe
After that the worm looks for the iMesh file sharing client and, if it is installed, does the same: it enables sharing, creates a 'Windows Security Haches' subfolder in the shared folder and copies itself there under the same file names listed for Kazaa above.
The worm copies itself to the eDonkey file sharing client's incoming/shared folders under the following names:
Edonkey2000-Ad remover.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
EA Games Keygen for All versions(only EA).exe
The worm also copies itself to the BearShare file sharing client's shared folders under the following names:
Hotmail Hacker 2003-Xss Exploit.exe
BearShare Pro 4.3.1 Beta Version.exe
XNuker 2003 2.93b.exe
Chaos Ip 2003-Xp compitable.exe
The worm copies itself to the Grokster file sharing client's shared folders under the following names:
Netbios Nuker 2003.exe
Grokster ad-remover.exe
Stripping mp3 dancer+crack.exe
Trojan Utility 5.6.exe
Winrar 3.xx password cracker.exe
NetScan 1.6.exe
Xss security exploit-hotmail.exe
The worm copies itself to the Morpheus file sharing client's shared folders under the following names:
Morpheus-Gold.exe
WebSeek-Mp3.exe
Chaos Ip.exe
Netbios Exploiter Xp.exe
The worm copies itself to the LimeWire file sharing client's shared folders under the following names:
Credit card Generator
CrackOlogic(all windows apps).exe
Lunix-Download.exe
Payload
The worm can create a batch file named CyberWolf.bat and run it. The batch file deletes all EXE and DLL files in the following folders, which disables the Norton AntiVirus installation:
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton AntiVirus\
The worm creates thousands of copies of itself with random names and extensions in the Windows System folder, for example:
Dm3awasdm36571.mgp
The worm also starts multiple copies of itself in memory, which overloads and eventually crashes Windows.
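Because all of the dropped copies share one body, they can be found without knowing the random names: hash every file in the System folder and report groups of identical content. The following Python is an added example, not part of the original analysis; the directory it scans is a constructed temporary one that imitates the drop pattern with a stand-in body instead of the real worm, and the 'legit*.dll' decoy files are likewise invented.

```python
import hashlib
import os
import random
import string
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def cluster_by_hash(directory, min_copies=3):
    """Group the regular files in `directory` by content hash and return the groups
    with at least `min_copies` members as {sha256: [names...]}. Mass-dropped copies
    of one executable show up as a single large group whatever their names are."""
    groups = defaultdict(list)
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            groups[sha256_file(entry.path)].append(entry.name)
    return {h: sorted(names) for h, names in groups.items() if len(names) >= min_copies}


def build_sample_dir(copies=40, seed=1):
    """Create a temporary directory imitating the infected System folder (constructed
    sample): `copies` files with one identical body under random names in the style of
    'Dm3awasdm36571.mgp', plus three unrelated decoy files. Returns the path."""
    rng = random.Random(seed)                      # seeded so the layout is reproducible
    alphabet = string.ascii_letters + string.digits
    worm_body = b"MZ" + bytes(rng.getrandbits(8) for _ in range(2000))  # stand-in body
    d = tempfile.mkdtemp(prefix="cydog_")
    for _ in range(copies):
        name = "".join(rng.choice(alphabet) for _ in range(rng.randint(8, 16)))
        ext = "".join(rng.choice(string.ascii_lowercase) for _ in range(3))
        with open(os.path.join(d, f"{name}.{ext}"), "wb") as f:
            f.write(worm_body)
    for i in range(3):                             # decoys with distinct content
        with open(os.path.join(d, f"legit{i}.dll"), "wb") as f:
            f.write(b"MZ" + bytes([i]) * 100)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for digest, names in cluster_by_hash(sample).items():
        print(f"{len(names)} copies of {digest[:16]}...: {names[:3]} ...")
```

Pointing cluster_by_hash at the real System folder gives the complete list of dropped copies in one pass; the same digest can then be compared against the copies in the Windows directory and the P2P shared folders.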
The worm writes a 'message' from its author to a CyberWolf.txt file in the Windows folder and creates a shortcut to it on the Windows desktop named 'Hi there, I'm CyberWolf'. Part of that message (verbatim):
Hi there,I'm CyberWolf
As you probably know,i infected your pc
how does it feel being infected by CyberWolf without knowing this virus?
Angry that you AV didn't stopped me?
or just that i wrote this stupid virus who infected your pc?
Well i have good new for you because unless the payload is
triggered this virus won't hurt your pc!
But when the BigTime Payload is triggered then your really in problems!!!
It won't delete files from your pc but it just crashes 'em!
when you read this file,the PayLoad is triggered!!!
But only the little one that messes a bit with your pc but it
doesn't delete files or so
I recommend you to install an Av because i don't think you can
delete this virus by yourself,its a worm you know.
I'll give you some information about this virus---This part is
intended for all AV systems
As part of the payload, the worm tries to make the infected computer unusable by modifying the following mouse, keyboard and desktop settings:
CursorBlinkRate
SwapMouseButtons
DoubleClickSpeed
KeyboardDelay
KeyboardSpeed
MenuShowDelay
The worm also prevents Explorer.exe (one of the main Windows components) from being closed or started, disables logging off, hides the advanced settings of Explorer and performs many other actions.
The worm changes the Internet Explorer start page to 'Http://CyberWolf-has-bitten-you.com' and changes the computer name to 'CyberWolf'.
[Analysis: Alexey Podrezov; F-Secure Corp.; March 19th, 2003]