

Cydog

Aliases: Cydog, I-Worm.Cydog, W32.HLLW.Cydog@mm
Category: Malware
Type: Worm
Platform: W32

Summary

Cydog is an e-mail and P2P worm. Three variants are known. F-Secure Anti-Virus detects them as I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c with the update published at the beginning of March 2003.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm is written in Visual Basic and compressed with the UPX file compressor. The packed file is about 35 kilobytes.

When run, the worm displays a fake error message:

Fatal error in Windows Kernell
Please allow a 10 MINUTES acces for windows to send an error
 report to microsoft in hope they solve this error
This operation could take a few moments but it will help
 microsoft to make an Windows Update
If a dialog is prompted from MS Outlook then please click the
 yes button to allow Windows to send the e-mail!

Then the worm installs itself on the system. It copies itself to the Windows System directory under the following names:

taskmgr.exe
Rundll32.exe
Kernell32.exe
system32.exe
systems.exe
service.exe
regedit32.exe
Windows.scr
Ms-Dos.com
Windows Media Player Plugin.exe

The worm creates startup keys for some of its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "CyberWolf" = "%windir%\CyberWolf.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows Systems Service" = "%winsysdir%\service.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows Kernell" = "%winsysdir%\kernel32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "CyberWolf" = "%winsysdir%\CyberWolf.exe"

The worm also creates startup keys for a few files that might not exist on an infected computer:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "dllhost" = "%windir%\dllhost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows Installer Service" = "%windir%\msiexec.exe"

Additionally, the worm copies itself to the Windows directory under the following names:

explorer.exe
system.exe
CyberWolf.exe

The worm modifies the default command used to start EXE files:

[HKCR\exefile\shell\open\command]

This is done so that CyberWolf.exe is run every time an executable file is started on an infected system.

The worm appends the following text to the SYSTEM.INI file:

[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you

The worm edits the WIN.INI file and registers the following file types to open with itself:

MP3
MPEG
MPG
WMA
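The registry, SYSTEM.INI and WIN.INI changes above are the artefacts a responder checks first on a suspect host. The following Python script is an added example and not F-Secure's code: it parses a registry export and the two INI files (constructed samples embedded in the script) and reports the indicators listed on this page. The `[Extensions]` section name used for the WIN.INI associations is an assumption, since the description does not say where in WIN.INI the worm writes.

```python
"""Host-triage helper for the Cydog/CyberWolf persistence artefacts.
Added example, not F-Secure code: parses a .reg export plus SYSTEM.INI and
WIN.INI text and reports the indicators described on the page. Samples are constructed."""
import re
from typing import Dict, List

# Run-key value names the description attributes to the worm
CYDOG_RUN_NAMES = {"cyberwolf", "windows systems service", "windows kernell",
                   "dllhost", "windows installer service"}
# File names the worm drops into the Windows and Windows System directories
# (explorer.exe is left out: it is also a legitimate name in the Windows directory)
CYDOG_FILE_NAMES = {"cyberwolf.exe", "kernell32.exe", "kernel32.exe", "service.exe",
                    "system32.exe", "systems.exe", "regedit32.exe", "windows.scr",
                    "ms-dos.com", "windows media player plugin.exe", "system.exe"}
# Stock handler for launching an .exe; any other command means the handler was hijacked
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
MEDIA_EXTENSIONS = {"mp3", "mpeg", "mpg", "wma"}

IniData = Dict[str, Dict[str, str]]


def parse_ini(text: str) -> IniData:
    """Parse INI-style text (also the body of a .reg export) into {section: {name: data}}."""
    data: IniData = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # .reg exports quote string data and escape quotes and backslashes
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        data[section][name.strip('"')] = value
    return data


def basename(path: str) -> str:
    """Lower-cased file name of a path such as %windir%\\CyberWolf.exe."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def check_registry(reg: IniData) -> List[str]:
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if low.endswith(r"\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                if name.lower() in CYDOG_RUN_NAMES or basename(data) in CYDOG_FILE_NAMES:
                    findings.append(f"Run value {name!r} in {key} -> {data}")
        elif low == r"hkey_classes_root\exefile\shell\open\command":
            command = values.get("@", "")
            if command != DEFAULT_EXEFILE_COMMAND:
                findings.append(f"exefile handler hijacked: {command}")
    return findings


def check_ini_files(system_ini: IniData, win_ini: IniData) -> List[str]:
    findings = []
    # SYSTEM.INI: the worm appends a [driver32] section carrying its marker
    for name, value in system_ini.get("driver32", {}).items():
        if "cyberwolf" in (name + value).lower():
            findings.append(f"SYSTEM.INI [driver32] {name}={value}")
    # WIN.INI: assumption, the re-registered media types live in the classic
    # [Extensions] section, whose entries look like 'ext=program ^.ext'
    for ext, value in win_ini.get("Extensions", {}).items():
        if ext.lower() in MEDIA_EXTENSIONS and basename(value.split(" ^")[0]) in CYDOG_FILE_NAMES:
            findings.append(f"WIN.INI extension {ext} -> {value}")
    return findings


# Constructed samples in the shape of a .reg export and the two INI files
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Kernell"="C:\\WINDOWS\\SYSTEM32\\kernel32.exe"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\CyberWolf.exe \"%1\" %*"
'''
SAMPLE_SYSTEM_INI = r'''[boot]
shell=Explorer.exe
[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you
'''
SAMPLE_WIN_INI = r'''[windows]
load=
[Extensions]
txt=notepad.exe ^.txt
mp3=C:\WINDOWS\SYSTEM32\Windows Media Player Plugin.exe ^.mp3
wma=C:\WINDOWS\SYSTEM32\Windows Media Player Plugin.exe ^.wma
'''


def triage() -> Dict[str, List[str]]:
    """Run both checks over the constructed samples."""
    return {"registry": check_registry(parse_ini(SAMPLE_REG)),
            "ini": check_ini_files(parse_ini(SAMPLE_SYSTEM_INI), parse_ini(SAMPLE_WIN_INI))}


if __name__ == "__main__":
    for area, hits in triage().items():
        for hit in hits:
            print(f"[{area}] {hit}")
```

On a live system the same checks run against the output of `reg export` and the two INI files from the Windows directory; the exefile check is the most valuable one, because a hijacked handler also re-launches the worm during manual cleanup attempts, as the description notes.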

The worm terminates processes with the following names; most belong to anti-virus, personal firewall and update components:

CCAPP.exe
zapro.exe
taskmgr.exe
NMAIN.exe
AVPCC.exe
AVP.exe
ANTI-TROJAN.exe
WEBSCAN.exe
NUPDATE.exe
NAVAPW32.exe
ESAFE.exe
BLACKICE.exe
CFIND.exe
KPFW32.exe
KPF.exe
LUALL.exe
AUPDATE.exe
QCONSOLE.exe
BOOTWARN.exe
CCSHTDWN.exe
AVPMON.exe
SCAN32.exe
FINDVIRU.exe
_AVP32.exe


Spreading in E-mails

The worm sends itself to all e-mail addresses it can find in the Outlook Address Book. It can send several different messages:

Subject:

EA and EIDOS Presents...

Body:

Dear client
 Some information about our long-awaited product:"CyberWolf"
 CyberWolf is the newest product of Electronic Arts and Eidos Interactive!
 Its a complete new technology which actualy speeds up you're
 processor time needed to play game of EA and EIDOS
 Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the
 other games produced by these companies!
 The technology behind these new product is something that clear
 The speed and graphical abilities are increased by 35%,so
 loading a new game wile go 35% faster!So more gameplay,less
 waiting and looking at that dum screen!
But it will take sometime for EA and EIDOS to alert all peoples
 who has EA and EIDOS games,but...
 They decided to mail the CyberWolf-Patch to users who have games
 from EA and EIDOS and to people who visited the website within
 the past 18 months!
 also they decided to mail this patch to workers in companies and
 to other people who are using the internet regulary
 If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then
 just install the attachment,restart you
 wait until you buy a EA or EIDOS game,and enjoy it then!the
 choice is yours!
Before i forget:This patch seems to work on other games as
 well,it speeds up those games by 15-30% depending on the game!
-----------------------------------------------------------------
This e-mail and any attachment thereto may contain information
 which is confidential, privileged or otherwise protected from
 disclosure and/or protected by EA and EIDOS property rights.
 This product may NOT be soled or copied!It may only be used by
 the intended recipient and this only for the purpose for which
 it has been sent
 If you are not the intended recipient,then please contact EA or
 EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this e-mail
 and attachement
 We believe and warrant that this e-mail and any attachments, are
 virus free,we take full responsibility about this attachment
CyberWolf
For more information please contact us at
 EE-CyberWolf.patch@EA-EIDOS.com or suft to
 www.EA.com/project\cyberwolf.htm and www.eidos.com\cyberwolf.asp
 E-mail provided to you by Elena (Elena@EA-EIDOS.com)

Attachment:

CyberWolf-Patch.exe

Subject:

PacketStorm:WINDOWS Xp has several exploits

Body:

According to the redaction of PacketStorm
 Windows Xp has several exploits which could not be removed because
 if the do want to delete it then they should rewrite Kernell!
 but this would mean rewriting everything Micrsoft had build up
 over the last years
 Bill Gates from microsoft reported that there is no exploit at
 all!,it was just a joke from a hacker
 attending to scar off windows XP users
 However the word goes around that allready several users and
 admins have been hacked by an mysterious hacker
 nicknamed 'The CyberWolf'
 if you want more information about this exploit and the exploit
 itself,then open the included e-mail
 do not forget to vote for PacktStorm when running the
 attachment,Enjoy the rest of our services
This email is provided to you by PacketStorm,please enjoy our services

Attachment:

Windows Xp Exploit.exe

Subject:

A Virtual joke...the funniest around!

Body:

hi
 have you heard about the CyberWolf-Joke?
 i hope you didn't cause i just sended it to you,check it out!
 its soooo funny you 'll laugh yourself a bunch when you see and hear the joke
 haha those little bastards on your screen are soooo funny:D:D
 just download and open the attached screensaver (The
 CyberWolf-Joke.scr = this is actually the joke) and look at it
 funny hu!!!
 after you have run the joke click ctrl+shift+p to see who made it.
 I hope you have fun with it
 greeetttzzz
***********************************************************************
This e-mail is presented to you by Joking-Soft,a division of MicroSoft.
 If you have any problems with this e-mail or attachment then
 please contact us.
 We take full responsability for this e-mail and attachements.
 They are virusfree and are property of Joking-Soft
 Please do not Sell or Distribute these atachments.
 I thank you

Attachment:

The CyberWolf-Joke.scr

Subject:

A kiss from me to you...

Body:

Dear User
 Someone has dropped a kiss in you're mailbox!
 Check-Out the attached Kiss from the anonymous person,probably a
 secret lover or a very good friend
 After you have been kissed please visit www.internetkiss.com and
 send this kiss to all the person who you adore or just like
 You are Nr.315723625 who has received this Internet-Kiss.
 This Internet-Kiss-Letter is started on 13/01/1997 and hopes to
 continue until 13/01/2007.

Attachment:

My Kiss for you.scr
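The four lures above share a fixed subject line and a directly executable attachment. The following Python script is an added example, not F-Secure's code: it builds two constructed messages with the standard library's `email` package, then scores them against the subject lines and attachment names listed on this page and against a generic rule that flags executable attachments (`.exe`, `.scr` and similar). The sender address is the one shown in the first lure; the recipient and attachment bytes are placeholders.

```python
"""Mail-filter example for the Cydog lures. Added example, not F-Secure code.
Sample messages are constructed with the standard library; no real worm bytes."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Subject lines and attachment names from the description, lower-cased for matching
KNOWN_SUBJECTS = {
    "ea and eidos presents...",
    "packetstorm:windows xp has several exploits",
    "a virtual joke...the funniest around!",
    "a kiss from me to you...",
}
KNOWN_ATTACHMENTS = {
    "cyberwolf-patch.exe",
    "windows xp exploit.exe",
    "the cyberwolf-joke.scr",
    "my kiss for you.scr",
}
# Extensions Windows executes directly; none belongs in unsolicited mail
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs"}


def classify_message(raw: bytes) -> List[str]:
    """Return the rules the message trips; an empty list means nothing suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append(f"known Cydog subject: {subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        if name in KNOWN_ATTACHMENTS:
            hits.append(f"known Cydog attachment: {name}")
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(f"executable attachment: {name}")
    return hits


def build_message(subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a MIME message with one attachment (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Elena@EA-EIDOS.com"   # sender named in the first lure above
    msg["To"] = "victim@example.invalid"  # placeholder recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: one lure in the style of the first message, one benign mail
LURE = build_message("EA and EIDOS Presents...",
                     "Dear client\nSome information about our long-awaited product...",
                     "CyberWolf-Patch.exe", b"MZ" + b"\x00" * 16)   # placeholder bytes
BENIGN = build_message("Q1 report", "Attached as discussed.", "report.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, classify_message(raw) or ["clean"])
```

The name-based rules catch exactly the three variants described here; the executable-attachment rule is the durable one, since every lure on this page relies on the recipient running an `.exe` or `.scr` attachment.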


Spreading via file sharing networks

The worm tries to locate the Kazaa file sharing client on the system. If the client is installed, the worm enables sharing, creates a subfolder named 'Windows Security Haches' in the shared folder and copies itself there under the following names:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe
After that the worm tries to locate the iMesh file sharing client on the system. If the client is installed, the worm enables sharing, creates a subfolder named 'Windows Security Haches' in the shared folder and copies itself there under the same names as for Kazaa:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe

The worm copies itself to the eDonkey file sharing client's incoming/shared folders under the following names:

Edonkey2000-Ad remover.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
EA Games Keygen for All versions(only EA).exe

The worm also copies itself to the BearShare file sharing client's shared folders under the following names:

Hotmail Hacker 2003-Xss Exploit.exe
BearShare Pro 4.3.1 Beta Version.exe
XNuker 2003 2.93b.exe
Chaos Ip 2003-Xp compitable.exe

The worm copies itself to the Grokster file sharing client's shared folders under the following names:

Netbios Nuker 2003.exe
Grokster ad-remover.exe
Stripping mp3 dancer+crack.exe
Trojan Utility 5.6.exe
Winrar 3.xx password cracker.exe
NetScan 1.6.exe
Xss security exploit-hotmail.exe

The worm copies itself to the Morpheus file sharing client's shared folders under the following names:

Morpheus-Gold.exe
WebSeek-Mp3.exe
Chaos Ip.exe
Netbios Exploiter Xp.exe

The worm copies itself to the LimeWire file sharing client's shared folders under the following names:

Credit card Generator
CrackOlogic(all windows apps).exe
Lunix-Download.exe


Payload

The worm can create a batch file named 'CyberWolf.bat' and run it. The batch file contains commands to delete all EXE and DLL files; the worm uses it to delete files in the following folders:

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton AntiVirus\

The worm creates thousands of files containing copies of itself, with random names and extensions, in the Windows System folder. An example file name:

Dm3awasdm36571.mgp
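Two of the file-system artefacts on this page lend themselves to a simple scan: the lure names the worm drops into file sharing folders, and the thousands of byte-identical copies it writes under random names and extensions. The following Python script is an added example, not F-Secure's code: it builds a constructed directory tree in a temporary folder (the files contain placeholder bytes, not the worm), hashes every file, matches file names against the lure list from the file sharing section, and reports clusters of identical files spread across several extensions. The copy threshold and the directory layout are assumptions.

```python
"""Folder scan for the Cydog P2P lure names and the mass-copy payload.
Added example, not F-Secure code; the sample tree is constructed in a temp folder."""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List

# A subset of the lure names from the file sharing section, lower-cased for matching
P2P_LURE_NAMES = {
    "visual basic 6.0 msdn plugin.exe", "hotmail hacker 2003-xss exploit.exe",
    "netbios nuker 2003.exe", "winrar 3.xx password cracker.exe",
    "w32.cyberwolf@mm fix.exe", "security-2003-update.exe",
    "bearshare pro 4.3.1 beta version.exe", "grokster ad-remover.exe",
    "morpheus-gold.exe", "lunix-download.exe",
}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, min_copies: int = 10) -> Dict[str, List[str]]:
    """Return {'lure_names': [...], 'clusters': [...]} for the tree under root."""
    by_digest = defaultdict(list)
    lure_hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() in P2P_LURE_NAMES:
                lure_hits.append(full)
            by_digest[sha256_of(full)].append(full)
    clusters = []
    for digest, paths in by_digest.items():
        # Many byte-identical files under unrelated names and extensions is the
        # pattern of the mass-copy payload; min_copies is an assumed threshold
        exts = {os.path.splitext(p)[1].lower() for p in paths}
        if len(paths) >= min_copies and len(exts) > 1:
            clusters.append(f"{digest[:12]}: {len(paths)} identical files, {len(exts)} extensions")
    return {"lure_names": sorted(lure_hits), "clusters": clusters}


def build_sample_tree(root: str) -> None:
    """Constructed layout: a fake System folder full of copies plus a Kazaa share."""
    worm_bytes = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE" * 8   # placeholder content
    system = os.path.join(root, "WINDOWS", "SYSTEM32")
    share = os.path.join(root, "Kazaa", "My Shared Folder", "Windows Security Haches")
    os.makedirs(system)
    os.makedirs(share)
    for i in range(25):   # random-looking names in the style of Dm3awasdm36571.mgp
        name = f"Dm3awasdm{36571 + i}.{'mgp' if i % 2 else 'dat'}"
        with open(os.path.join(system, name), "wb") as f:
            f.write(worm_bytes)
    with open(os.path.join(share, "Netbios Nuker 2003.exe"), "wb") as f:
        f.write(worm_bytes)
    with open(os.path.join(system, "notepad.exe"), "wb") as f:
        f.write(b"benign-content")


def demo() -> Dict[str, List[str]]:
    """Build the sample tree, scan it and return base names so results are path-independent."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = scan_tree(root)
    result["lure_names"] = [os.path.basename(p) for p in result["lure_names"]]
    return result


if __name__ == "__main__":
    print(demo())
```

Hash clustering is the part worth keeping beyond this worm: the dropped names change from variant to variant, while a single binary copied thousands of times into a system folder is unusual enough to stand out on any host.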

The worm also runs multiple copies of itself in memory, which overloads and eventually crashes Windows.

The worm creates a 'message' from its author as the file CyberWolf.txt in the Windows folder, and a shortcut to it named 'Hi there, I'm CyberWolf ' on the Windows desktop. Here is part of that message:

Hi there,I'm CyberWolf
 As you probably know,i infected your pc
 how does it feel being infected by CyberWolf without knowing this virus?
 Angry that you AV didn't stopped me?
 or just that i wrote this stupid virus who infected your pc?
 Well i have good new for you because unless the payload is
 triggered this virus won't hurt your pc!
  But when the BigTime Payload is triggered then your really in problems!!!
 It won't delete files from your pc but it just crashes 'em!
 when you read this file,the PayLoad is triggered!!!
  But only the little one that messes a bit with your pc but it
 doesn't delete files or so
 I recommend you to install an Av because i don't think you can
 delete this virus by yourself,its a worm you know.
 I'll give you some information about this virus---This part is
 intended for all AV systems

As part of the payload, the worm tries to make an infected computer unusable by modifying the following settings:

cursorBlinkRate
SwapMouseButtons
DoubleClickSpeed
KeyboardDelay
KeyboardSpeed
MenuShowDelay

The worm also prevents Explorer.exe (one of the main Windows components) from being closed or started, does not allow the user to log off, hides the advanced settings of Explorer and performs many other actions.

The worm changes the default start page of Internet Explorer to 'Http://CyberWolf-has-bitten-you.com' and changes the computer name to 'CyberWolf'.





Technical Details: Alexey Podrezov; F-Secure Corp.; March 19th, 2003


