F-Secure Virus Descriptions : Kickin
|
|
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 2
|
| NAME: | Kickin |
| ALIAS: | I-Worm.Cydog.c, W32/Cydog.D, W32/Kickin@MM, Cydog.D, W32/Kickin.A@mm |
F-Secure received the first submission of Kickin worm on 7th of
May 2003. However, the worm appeared in the wild a few days
earlier - we received its notification messages before we got the
actual sample.
This worm is 109056 bytes long and it's packed with UPX file
compressor. Kickin is very similar to Cydog worm variants but it
is rewritten in Visual C language. Kickin can spread via e-mail,
IRC and peer-to-peer (P2P) networks Kazaa, Edonkey, Bearshare,
Morpheus.
Infecting a system
When run, the worm copites itself to Windows directory as
CYBERWOLF.EXE with hidden and system attributes. Additionally the
worm copies itself to Windows System directory with the following
names:
mapi32.drv
format.com
SARS-Guide.scr
MsnMsgs.exe
Setup.exe
Virtual Joke.scr
Saddam-the real pics.scr
Christina Aguilera-The most beautiful girl on earth.scr
Soccer Database.exe
OutWar Demo.exe
Love.scr
Last Summer.scr
Hotmail Hacker.exe
FixSql.com
Q30215HOTFIX.pif
Api Hooking-Tutorial.exe
Kernel32.exe
Magical-Screensaver.scr
The worm sets hidden and system attribute for Kernel32.exe file.
It modifies the default EXE file startup key so that Kernel32.exe
file is always started when a user runs an EXE file:
[HKCR\exefile\shell\open\command]
@ = "%winsysdir%\Kernel32.exe"%1"%*""
The worm also creates two startup keys for its files in System
Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%windir%\CyberWolf.exe"
"Windows Kernel" = "%winsysdir%\Kernel32.exe"
where %windir% represents Windows directory and %winsysdir%
represents Windows System directory. This is done to make those
two worm files start during every Windows session.
The worm modifies several Registry keys. These modifications make
Windows hide file extensions and avoid showing files with hidden
and system attributes.
Spreading in e-mail
The worm primarily spreads itself in infected e-mail messages. It
collects e-mail addresses from Yahoo Messenger, MSN and .NET
Messenger, ICQ, Windows Address Book and from HTML and EML files
it can find on a hard disk.
Kickin worm has a list of SMTP servers that it tries to connect
if a user's SMTP server is not available. It can send itself in
messages with different subjects and bodies. Worm's attachment
names are also different. Infected messages sent by the worm look
as follows:
From:
Lovergirl@yahoo.com
Subject:
Fwd:Fwd:Fwd:Watch out for SARS!
Body:
---ORIGINAL MESSAGE BODY---
FROM:<sk8_or_die66@yahoo.com>
DATE:Tuesday, May 06, 2003 11:37:31
TO:<sk8er_4life13@yahoo.com>
SUBJECT:Fwd:Watch out for SARS!
FROM:<sk8er_4life13@yahoo.com.com>
DATE:Tuesday, May 06, 2003 11:37:31
TO:<mindy_xx@yahoo.com>
SUBJECT:Fwd:FwdWatch out for SARS!
FROM:<mindy_xx@yahoo.com.com>
DATE:Tuesday, May 06, 2003 11:37:31
TO:<Lovergirl@yahoo.com>
SUBJECT:Fwd:Fwd:Fwd:Watch out for SARS!
SARS aka Severe Acute Respiration Syndrome is infecting more and
more people every day Soon it will get to USA,Europe,Asia,Africa
and Australia if we don't do something
Thats why we started this chain letter with a single attachment
Our mission is to make all people aware of the disease and to
give them a handy guide on how to protect themselves The
attachment(SARS-Guide) is a guide (like the name says;)) with
instructions for avoiding infection and what to do when infected
Ofcourse we cannot send this Guide to all people,thats why the
WHO(World Health Organisation) has made a deal with WISI(World
Internet Statistic Institute):For mail FORWARD of this email
WITH the Guide,0.50US$ will be transfered to the WHO bank
account They will use this money to make a vaccin for the SARS
Virus,and thus help mankind
If you want to participate to this project,and thus help man
kind,you should FORWARD this email to at least 1 person with
this Guide Attached Thas all you'll have to do
Do,'t forget!Every FORWARD is 0.50US$ more for the vaccin,a
vaccin is very expensive,so forward it if you want to
participate in helping mankind!
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int
Attachment:
SARS-Guide.scr
Please note that there is a real Mr. Dick Thompson working for WHO. Obviously
he has nothing to do with this virus.
From:
Webmaster@planet-source-code.com
Subject:
Api Hooking Tutorial...
Body:
Did you wanted to learn how to api hook?
Here your chance!This tutorial explains all the basics AND moderate Api Hookings
Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer
After reading this tut you can even start Windows RootKit
Programming but ofcourse thats up to you to decide...
The Tutorial attached in this e-mail is for privat use only and
may never be distributed under any curcumstances
Provided to you by: Webmaster<Webmaster@planet-source-code.com>
and www.planet-source-code.com
Attachment:
Api Hooking-Tutorial.exe
From:
Support@microsoft.com
Subject:
Windows Hotfix!
Body:
Attached is the HotFix for several bugs in Windows Operating Systems.
The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed
above then Microsoft Corp. recommends you to install this HotFix
If you for some reason didn't install this hotfix,then your pc
will be vulnerable to this bugs allowing an attacker to Remote
Control your pc,or beeing infected with the infamous SqlSlammer.
Because this is an critical bug,Microsoft Corp. has send this
HotFix to all of his customors who use one of the OS's.
For more information about this bug or about Microsoft
Corp.,please visit www.microsoft.com
Presented to you by:Microsoft HelpDesk<Support@microsoftcom>
Attachment:
Q30215HOTFIX.pif
From:
SecurityResponse@symantec.com
Subject:
Warning from Symantec.com
Body:
5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD
A new very dangerous internet worm has been found in the
wild.This worms goes under the name W32.SqlSlammer.C@mm and has
the possibility to spread by several ports on your
pc(139,25,445,446,10252).
It will infect you without your knowlegde because it uses the
Sql Buffer Overflow exploit.Because of this its very hard for Av
companies and Microsoft to contain this thread.Thats why we
decided to protect our customors by sending then SqlFix and thus
protecting them from infection.
After installation the fix will determine if the SqlSlammer.C
has infected your pc and clean it.If it didn't infect it then it
will make sure it will never infect you by closing the bug in
your OS.
Simply run the attached fix and wait for the dialog to
prompt,select the <Full Clean> feature and wait till its
finished.
Sincerely,
Symantec Security Response Team
Symantec Corporation
Attachment:
FixSql.com
From:
Admin@hackers.com
Subject:
u wanted to hack?
Body:
hi there,so you wanted to hack your friends hotmail account
huh,well use this xss-exploit tool to find his password within 3 minutes!!
Simply open it and enter your victims email ID and select <hack>
This will also work on Yahoo and Icq accounts
Admin@hackers.com
From:
Lovergirl963@hotmail.com
Subject:
Do you remember last summer?
Body:
hi
Do you remember we met last summer?
We became very good friends at the end huh!
Well i looked a bit over internet and i encountered your
Email,so i thought why not send him the pics from last summer
I've attached them in this email,there in ScreenSaver format,pls
reply to me if you liked them
See you soon again xxx
Love ya...
Attachment:
Last Summer.scr
From:
Lovergirl33@hotmail.com
Subject:
Fwd:Fwd:Fwd:Sit back and be surprised...
Body:
ORIGINAL MESSAGE BODY:
FROM:<Admin@screensavers.com>
DATE:Tuesday, May 06, 2003 13:37:31
TO:<Lovergirl33@hotmail.com>
SUBJECT:Fwd:Fwd:Sit back and be surprised...
Magic in CyberSpace,its almost unbelievable!
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3
numbers:Love,Friendship and Sex.Write these values next to the
number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like
and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in
your left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the
screensaver displayed will be personal,so you'll have to be
alone in your room.Everything the screensaver displays will come
tru within the next 2 months,Only the Sex part will come tru
when your above 16.
You don't have to forward this email but then your friends won't
get the chance to make their dreams come tru,So if you want your
friends to be happe,simply mail them the magic...
Be aware!No cheating allowed,Once you have written those names
and values on your paper you cannot chance them!!!
Attachment:
Magical-Screensaver.scr
From:
Admin@screensavers.com
Subject:
The Magical screensaver
Body:
Check out this magic screensaver.Its pure magic!!!
Follow these steps for the magic:
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3
numbers:Love,Friendship and Sex.Write these values next to the
number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like
and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in
your left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the
screensaver displayed will be personal,so you'll have to be
alone in your room.Everything the screensaver displays will come
tru within the next 2 months,Only the Sex part will come tru
when your above 16.
Presented by Admin@screensavers.com
Attachment:
Magical-Screensaver.scr
From:
Webmaster@Loveforlife.com
Subject:
Feel the reason why we fall in love...
Body:
It takes One minute to find someone special
One hour to like someone
1 Day to fall in love with someone
But it takes a lifetime to forget someone.
If you have ever been in love then you'll know about what i am talking.
If you wanne have that same old feeling then open the
lovescreensaver and realise why we fall in love all the time...
Attachment:
Love.scr
From:
Webmaster@Outwar.com
Subject:
Outwar is proud to present you:Outwar InterActive
Body:
After beeing succesfull for quit some years now and having more
then 20000 clients,it was time for something new.
Thats why we decided to take our OutWar into the game market and
developed OurWar InterActive
This game will be in shops late summer and will cost about 36$.
It will be avaible across the Usa,Europe,Australia and Asia.
Our release for Africa is scheduled early 2004.
Because this will mean a lot of waiting,we developed the first
Official OutWar Int. Demo!
The attached file contains Installation Packet for the downloader.
Install it and download the game from our Private FTP
servers,and then enjoy it on your home pc!.
Sincerely yours
Webmaster@outwar.com
Attachment:
OutWar Demo.exe
From:
Soccerfan@yahoo.com
Subject:
Fwd:Fwd:Fwd:Soccer...
Body:
Ever wanted to see the best goals,the most beautiful freekicks
etc.with just 2 clicks with your mouse?
Ever wanted to acces the largest Soccer Database on the internet
where all goals from more then 25 international competitions
from the past 15 years are stored?
Here is your chance,this program has instant acces it,so you can
enjoy how Diego Maradonna scored <with the hand of god>,or how
Johan Cruyff curled that ball into the goal...Enjoy!
The database contains goals from countries
like:Spain,Italy,France,Germany,England,Belgium,The
Netherlands,Sweden,Finland and much more
Also forward this to all football fans you know so they can
enjoy this to.
Attachment:
Soccer Database.exe
From:
Webmaster@beautifulgirls
Subject:
Christina Aguilera:The most beautiful girl on earth
Body:
Don't you think Christina Aguilera is the most beautiful girl on earth?
She is soo nice!!!
That clip <Dirrty> was amazing...
If you wanne see some hidden pics of that videoclip then check
out this screensaver
Its nice...Very nice,if you get what i mean ;)
Webmaster@beautifulgirls.com
Attachment:
Christina Aguilera-The most beautiful girl on earth.scr
From:
webmaster@screensavers.com
Subject:
Saddam alive and kickin'
Body:
The whole world wants to know it,is saddam a live,or death?
Well somedays a go the britisch took secret spy cam pics,and
luckely someone has uploaded this pics to the internet,and now
their avaible!
You won't believe what you see!its amazing!!!The spy cam was
hidden inside a tower in Bagdad and it took pics from saddam and
his sons,they our 250m beneath the ground!
Check out the pics i attached,you won't believe what you see!
Attachment:
Saddam-the real pics.scr
From:
Admin@jokes.com
Subject:
The Virtual Joke...
Body:
Have you seen it yet?
You should because its soooooo funny,i wish the real jokes where that funny :)
Check out the attached screensaver and enjoy the pleasure of laughing...
Attachment:
Virtual Joke.scr
From:
flipbabe@hotmail.com
Subject:
Fwd:Fwd:Whats really happening in bagdad
Body:
ORIGINAL MESSAGE BODY:
FROM:<webmaster@screensavers.com>
DATE:Tuesday, May 06, 2003 13:37:31
TO:<flipbabe@hotmail.com>
SUBJECT:Fwd:Whats really happening in bagdad
Someone of the britisch army has made some Secret Spy Cam
pics,and uploaded it to the internet!!
The pics show you exactly whats reall happened in Irak!Its
really not what you've seen on tv!
Check out the attached file and forward this to as much friends
so that they can all see what has really happened in Irak.
FlipBabe xxx
Attachment:
Saddam-the real pics.scr
From:
mailinglist@Msn.com
Subject:
Get the new Msn 5.1!
Body:
Tired of the little nicknames in Msn,tired of all the limits?
Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever!
It allows nicknames up to 500 characters and has many new
functions who will make your cyberlife easyier and better!
Msn Messenger 5.1 is avaible for following Operating Systems:
Windows Xp
Windows ME and 2000
Windows 98 and NT
Is not avaible for:Windows 95
This version of msn messenger supports also Api's in Windows Xp
so you can make your own addons.
To download Msn Messenger 5.1 install the attached Root Setup.
WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE
DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO
INSTALL THE ROOT SETUP.
If you don't want to install it then you'll have to wait for
another 5 weeks because of the juridical restricions.
Please do not forward this email.Every user who has Msn
Messenger installed will receive this email sooner or later,so
its up to them to decide to use the new version of not
Sincerely yours:
The Msn Messenger Team
The Hotmail Team
Attachment:
MsnMsgs.exe
From:
nice_girl21@hotmail.com
Subject:
Fwd:How to protect yourself against SARS
Body:
ORIGINAL MESSAGE BODY:
FROM:<mailinglist@healthcare.com>
DATE:Tuesday, May 06, 2003 11:37:31
TO:<nice_girl21@hotmail.com>
SUBJECT:Fwd:How to protect yourself against SARS
SARS aka. Severe Acute Respiratory Syndrome is a worldwide health threat.
It was first discovered in China
But now,it has become a very big thread to all people in this world
If no vaccin is found,soon more then 500.000 people will be infected with it
This vaccin is not yet made,so within this time the ONLY
protection humans have is prevention of infection
Thats why we of HealthCare launched a project in which we will
send newsletters with information about SARS and with prevention
rules.
Symptoms:High Fever(>38-C) AND one or more respiratory symptoms
including cough, shortness of breath, difficulty breathing Also
be aware of the following:close contact with a person who has
been diagnosed with SARS AND a recent history of travel to areas
reporting cases of SARS In addition to fever and respiratory
symptoms, SARS may be associated with other symptoms including:
headache, muscular stiffness, loss of appetite, malaise,
confusion, rash, and diarrhea.
Until more is known about the cause of these outbreaks, WHO
(World Health Organization) recommends that all people read the
attached instructions of howto prevent beeing infected with SARS
and what to do when infection has occurred
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int
Attachment:
SARS-Guide.scr
Spreading in P2P (peer-to-peer) networks
The worm has the ability to spread in peer-to-peer networks. It
tries to locate shared folders of Kazaa, Edonkey, Bearshare and
Morpheus file sharing clients and copies itself there with the
following names:
Virus Creation ToolKit-VX v7.1_create virii with this
tool,Klez.H and Sircam has been created with version 6.exe
WebAttack-DoS Tool.exe
FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
Yahoo Remote Password Cracker Deluxe 2003.exe
AIM Remote Password Cracker.exe
Hotmail Exploiter 2003.exe
XNuker 2003.exe
Ultimate HackProg.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Chaos Ip Spoof 2003.exe
People who download and run these files become infected with the
worm.
Spreading in IRC networks
The worm spreads via IRC by replacing the SCRIPT.INI file of IRC
client and creates its own script that sends the following
messages to users joining a channel where an infected user is
staying:
<user_nick> hi,im CyberWolf,15 and from austria and u?
<user_nick> check out this crazy screensaver!its magic!!!
Then the script sends the worm's file with the
'Magical-Screensaver.scr' name to a user with the nickname
<user_nick>. When a user runs that file, he/she becomes infected
with the worm.
Payload
The worm sends notification messages to anti-virus companies.
Such messages look like that:
From:
twistmaster13@hotmail.com
Subject:
Hi,i'm 100% sure i'm infected!
Body:
mmm...if you received this mail,then someone has been infected
with W32.CyberWolf.B@mm => a new massmailer worm.
For every infection this worm does,you'll receive an email like this.
It has never been my intention to cause your mailbox any harm,nor mailbomb it.
Its just so that you can have a quite accurate view on how many
infections..because most of the times,Av companies are miles
away from the real number...
F-Secure has been receiving quite a large amount of such e-mails,
sent from infected machines in China, Belgium and the Netherlands.
Depending on system time the worm can create text files in
Windows directory: CyberWolf.txt or Windows.lOg. These files
contain text messages from the author of the worm.
Depending on system time the worm can open Internet browser and
go to the following sites:
www.brain-hack.com
www.indiansnakes.cjb.net
www.christinaaguilera
www.catholicninjas.org/superfuntime/
The worm kills the following processes belonging to anti-virus
and security software:
NETSERVICES
COMMAND
SYSHELP
RAVMOND
WINRPC
WINHELP
WINGATE
NPROTECT
CLEANER
WINDRIVER
TASKMGR
MSCONFIG
REGEDIT
ANTI-TROJAN
BLACKICE
ZONEALARM
LOCKDOWNADVANCED
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT
F-STOPW
IAMSERV.EXE
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
VSMON.EXE
SYMPROXYSVC
RESCUE32
NISSERV
VSECOMR
VETTRAY
TDS2-NT
CCAPP.EXE
SCAN32
PCFWALLICON
NSCHED32
SPHINX.EXE
FRW.EXE
MCAFEE
ATRACK
PVIEW.EXE
LUCOMSERVER
LUALL.EXE
NMAIN.EXE
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
ESAFE.EXE
AVPM.EXE
AVPCC.EXE
AMON.EXE
ALERTSVC
ZAPRO.EXE
AVP32
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
ICMON
SAFEWEB
WEBSCANX
IAMAPP
The worm also does's allow the programs with the following names
to run:
Norton AntiVirus
LiveUpdate
System Configuration Utility
Process Viewer
Registry-Editor
Windows Task Manager
Detection
F-Secure Anti-Virus detects Kickin worm with the updates
published on May 7th, 2003:
Version=2003-05-07_03
[Description: Alexey Podrezov, Katrin Tocheva, Mikko Hypponen; F-Secure Corp.; May 7th, 2003]
|
![](/images/pixel.gif"){kind=tracking}
