Cydog

Classification

Category:

Malware

Type:

Worm

Aliases:

  • Cydog
  • I-Worm.Cydog
  • W32.HLLW.Cydog@mm

Summary

Cydog is an email and P2P worm. There are three known variants of this worm. F-Secure Anti-Virus detects them, with the update published at the beginning of March 2003, as I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c.

Removal

Technical Details

The worm is written in Visual Basic and is compressed with the UPX file compressor. The worm's packed file size is about 35 kilobytes.

When run, the worm displays a fake error message:

Fatal error in Windows Kernell Please allow a 10 MINUTES acces for windows to send an error report to microsoft in hope they solve this error This operation could take a few moments but it will help microsoft to make an Windows Update If a dialog is prompted from MS Outlook then please click the yes button to allow Windows to send the email!

Then the worm installs itself on the system. It copies itself to the Windows System directory with the following names:

  • taskmgr.exe
  • Rundll32.exe
  • Kernell32.exe
  • system32.exe
  • systems.exe
  • service.exe
  • regedit32.exe
  • Windows.scr
  • Ms-Dos.com
  • Windows Media Player Plugin.exe

The worm creates startup keys for some of its files in the Registry:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "CyberWolf" = "%windir%\CyberWolf.exe"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Systems Service" = "%winsysdir%\service.exe"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Kernell" = "%winsysdir%\kernel32.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "CyberWolf" = "%winsysdir%\CyberWolf.exe"

The worm also creates startup keys for a few files that might not exist on an infected computer:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "dllhost" = "%windir%\dllhost.exe"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Windows Installer Service" = "%windir%\msiexec.exe"

Additionally, the worm copies itself to the Windows directory with the following names:

  • explorer.exe
  • system.exe
  • CyberWolf.exe

The worm modifies the default startup string for EXE files:

[HKCR\exefile\shell\open\command]

This is done so that CyberWolf.exe runs every time an executable file is started on an infected system.

The worm appends the following text to the SYSTEM.INI file:

[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you

The worm edits the WIN.INI file and registers the following file types to open with itself:

  • MP3
  • MPEG
  • MPG
  • WMA
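As an added triage example (not code from F-Secure or from the page), the Python below flags the three persistence traces described above, the Run-key value names, a modified exefile open command and the [driver32] entry in SYSTEM.INI, in data already collected from a host. The sample records are constructed, the stock handler string '"%1" %*' and the exact form of the hijacked command are assumptions.

```python
# Run-key value names listed in the description (two of them may point at
# files that do not exist on the infected machine).
CYDOG_RUN_NAMES = {"CyberWolf", "Windows Systems Service", "Windows Kernell",
                   "dllhost", "Windows Installer Service"}
DEFAULT_EXE_COMMAND = '"%1" %*'   # stock handler for HKCR\exefile\shell\open\command

def check_run_keys(run_values):
    """run_values: (key, value_name, data) tuples exported from the Run keys.
    Returns entries whose name is one the worm uses or whose data references CyberWolf."""
    return [f"{key}\\{name} = {data}" for key, name, data in run_values
            if name in CYDOG_RUN_NAMES or "cyberwolf" in data.lower()]

def exe_handler_hijacked(command):
    """True when the exefile open command is anything but the stock handler."""
    return command.strip() != DEFAULT_EXE_COMMAND

def system_ini_infected(text):
    """True when SYSTEM.INI carries a CyberWolf= entry under [driver32]."""
    in_driver32 = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_driver32 = s.lower() == "[driver32]"
        elif in_driver32 and s.lower().startswith("cyberwolf="):
            return True
    return False

def triage(run_values, exe_command, system_ini):
    """Combine the three checks into one list of findings."""
    findings = [f"Run key: {hit}" for hit in check_run_keys(run_values)]
    if exe_handler_hijacked(exe_command):
        findings.append(f"exefile handler hijacked: {exe_command}")
    if system_ini_infected(system_ini):
        findings.append("SYSTEM.INI [driver32] CyberWolf entry present")
    return findings

# Constructed sample host data (value names and paths from the description;
# the ctfmon line is benign filler, the hijacked command is an assumed form).
SAMPLE_RUN = [
    ("HKCU\\...\\Run", "ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("HKCU\\...\\Run", "Windows Kernell", "C:\\WINDOWS\\system32\\kernel32.exe"),
    ("HKLM\\...\\Run", "CyberWolf", "C:\\WINDOWS\\system32\\CyberWolf.exe"),
]
SAMPLE_EXE_CMD = 'C:\\WINDOWS\\CyberWolf.exe "%1" %*'
SAMPLE_SYSTEM_INI = ("[386Enh]\nwoafont=dosapp.fon\n"
                     "[driver32]\nCyberWolf=W32.CyberWolf@mm\nHas=Infected you\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_EXE_CMD, SAMPLE_SYSTEM_INI):
        print(finding)
```

Feeding the same functions a clean host's Run keys, the stock handler and an untouched SYSTEM.INI yields an empty findings list.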

The worm terminates processes with the following names:

  • CCAPP.exe
  • zapro.exe
  • taskmgr.exe
  • NMAIN.exe
  • AVPCC.exe
  • AVP.exe
  • ANTI-TROJAN.exe
  • WEBSCAN.exe
  • NUPDATE.exe
  • NAVAPW32.exe
  • ESAFE.exe
  • BLACKICE.exe
  • CFIND.exe
  • KPFW32.exe
  • KPF.exe
  • LUALL.exe
  • AUPDATE.exe
  • QCONSOLE.exe
  • BOOTWARN.exe
  • CCSHTDWN.exe
  • AVPMON.exe
  • SCAN32.exe
  • FINDVIRU.exe
  • _AVP32.exe

Spreading in emails

The worm sends itself to all email addresses it can find in the Outlook Address Book. The worm can send several different email messages:

Subject:

EA and EIDOS Presents...

Body:

Dear client Some information about our long-awaited product:"CyberWolf" CyberWolf is the newest product of Electronic Arts and Eidos Interactive! Its a complete new technology which actualy speeds up you're processor time needed to play game of EA and EIDOS Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the other games produced by these companies! The technology behind these new product is something that clear The speed and graphical abilities are increased by 35%,so loading a new game wile go 35% faster!So more gameplay,less waiting and looking at that dum screen! But it will take sometime for EA and EIDOS to alert all peoples who has EA and EIDOS games,but... They decided to mail the CyberWolf-Patch to users who have games from EA and EIDOS and to people who visited the website within the past 18 months! also they decided to mail this patch to workers in companies and to other people who are using the internet regulary If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then just install the attachment,restart you wait until you buy a EA or EIDOS game,and enjoy it then!the choice is yours! Before i forget:This patch seems to work on other games as well,it speeds up those games by 15-30% depending on the game! ----------------------------------------------------------------- This email and any attachment thereto may contain information which is confidential, privileged or otherwise protected from disclosure and/or protected by EA and EIDOS property rights. 
This product may NOT be soled or copied!It may only be used by the intended recipient and this only for the purpose for which it has been sent If you are not the intended recipient,then please contact EA or EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this email and attachement We believe and warrant that this email and any attachments, are virus free,we take full responsibility about this attachment CyberWolf For more information please contact us at EE-CyberWolf.patch@EA-EIDOS.com or suft to www.EA.com/project\cyberwolf.htm and www.eidos.com\cyberwolf.asp email provided to you by Elena (Elena@EA-EIDOS.com)

Attachment:

CyberWolf-Patch.exe

Subject:

PacketStorm:WINDOWS Xp has several exploits

Body:

According to the redaction of PacketStorm Windows Xp has several exploits which could not be removed because if the do want to delete it then they should rewrite Kernell! but this would mean rewriting everything Micrsoft had build up over the last years Bill Gates from microsoft reported that there is no exploit at all!,it was just a joke from a hacker attending to scar off windows XP users However the word goes around that allready several users and admins have been hacked by an mysterious hacker nicknamed 'The CyberWolf' if you want more information about this exploit and the exploit itself,then open the included email do not forget to vote for PacktStorm when running the attachment,Enjoy the rest of our services This email is provided to you by PacketStorm,please enjoy our services

Attachment:

Windows Xp Exploit.exe

Subject:

A Virtual joke...the funniest around!

Body:

hi have you heard about the CyberWolf-Joke? i hope you didn't cause i just sended it to you,check it out! its soooo funny you 'll laugh yourself a bunch when you see and hear the joke haha those little bastards on your screen are soooo funny:D:D just download and open the attached screensaver (The CyberWolf-Joke.scr = this is actually the joke) and look at it funny hu!!! after you have run the joke click ctrl+shift+p to see who made it. I hope you have fun with it greeetttzzz *********************************************************************** This email is presented to you by Joking-Soft,a division of MicroSoft. If you have any problems with this email or attachment then please contact us. We take full responsability for this email and attachements. They are virusfree and are property of Joking-Soft Please do not Sell or Distribute these atachments. I thank you

Attachment:

The CyberWolf-Joke.scr

Subject:

A kiss from me to you...

Body:

Dear User Someone has dropped a kiss in you're mailbox! Check-Out the attached Kiss from the anonymous person,probably a secret lover or a very good friend After you have been kissed please visit www.internetkiss.com and send this kiss to all the person who you adore or just like You are Nr.315723625 who has received this Internet-Kiss. This Internet-Kiss-Letter is started on 13/01/1997 and hopes to continue until 13/01/2007.

Attachment:

My Kiss for you.scr

Spreading via file sharing networks

The worm tries to locate the Kazaa file sharing client on the system. If it is installed, the worm enables sharing and creates a subfolder named 'Windows Security Haches' in the shared folder. The worm copies itself to that folder with the following names:

  • Visual Basic 6.0 Msdn Plugin.exe
  • Hotmail Hacker 2003-Xss Exploit.exe
  • Netbios Nuker 2003.exe
  • WinRar 3.xx Password Cracker.exe
  • Microsoft KeyGenerator-Allmost all microsoft stuff.exe
  • W32.CyberWolf@mm Fix.exe
  • Kazaa SDK + Xbit speedUp for 2.xx.exe
  • WinZipped Visual C++ Tutorial.exe
  • XNuker 2003 2.93b.exe
  • Edonkey2000-Speed me up scotty.exe
  • Imesh SDK+Xbit Speed Up.exe
  • PopUp remover 9.25.exe
  • Credit Card Numbers generator(incl Visa,MasterCard,...).exe
  • EA Games Keygen for All versions(only EA).exe
  • Free mem-Games-SpeedUP.exe
  • Security-2003-Update.exe
  • Stripping MP3 dancer+crack.exe
  • Crackologic(all windows Apps).exe

After that the worm tries to locate the iMesh file sharing client on the system. If it is installed, the worm enables sharing and creates a subfolder named 'Windows Security Haches' in the shared folder. The worm copies itself to that folder using the same file names as listed above for Kazaa.

The worm copies itself to the eDonkey file sharing client's incoming/shared folders with the following names:

  • Edonkey2000-Ad remover.exe
  • Hotmail Hacker 2003-Xss Exploit.exe
  • Netbios Nuker 2003.exe
  • WinRar 3.xx Password Cracker.exe
  • EA Games Keygen for All versions(only EA).exe

The worm also copies itself to the BearShare file sharing client's shared folders with the following names:

  • Hotmail Hacker 2003-Xss Exploit.exe
  • BearShare Pro 4.3.1 Beta Version.exe
  • XNuker 2003 2.93b.exe
  • Chaos Ip 2003-Xp compitable.exe

The worm copies itself to the Grokster file sharing client's shared folders with the following names:

  • Netbios Nuker 2003.exe
  • Grokster ad-remover.exe
  • Stripping mp3 dancer+crack.exe
  • Trojan Utility 5.6.exe
  • Winrar 3.xx password cracker.exe
  • NetScan 1.6.exe
  • Xss security exploit-hotmail.exe

The worm copies itself to the Morpheus file sharing client's shared folders with the following names:

  • Morpheus-Gold.exe
  • WebSeek-Mp3.exe
  • Chaos Ip.exe
  • Netbios Exploiter Xp.exe

The worm copies itself to the LimeWire file sharing client's shared folders with the following names:

  • Credit card Generator CrackOlogic(all windows apps).exe
  • Lunix-Download.exe

Payload

The worm can create a batch file named 'CyberWolf.bat' and run it. This file contains commands that delete all EXE and DLL files, and the worm uses it to wipe the following folders:

  • C:\Program Files\Common Files\Symantec Shared
  • C:\Program Files\Norton AntiVirus\

The worm creates thousands of copies of itself with random names and extensions in the Windows System folder, for example:

Dm3awasdm36571.mgp

The worm also runs multiple copies of itself in memory, which overloads and eventually crashes Windows.

The worm creates a 'message' from its author as the file CyberWolf.txt in the Windows folder, and places a shortcut to it on the Windows desktop named 'Hi there, I'm CyberWolf'. Here's a part of that message:

Hi there,I'm CyberWolf As you probably know,i infected your pc how does it feel being infected by CyberWolf without knowing this virus? Angry that you AV didn't stopped me? or just that i wrote this stupid virus who infected your pc? Well i have good new for you because unless the payload is triggered this virus won't hurt your pc! But when the BigTime Payload is triggered then your really in problems!!! It won't delete files from your pc but it just crashes 'em! when you read this file,the PayLoad is triggered!!! But only the little one that messes a bit with your pc but it doesn't delete files or so I recommend you to install an Av because i don't think you can delete this virus by yourself,its a worm you know. I'll give you some information about this virus---This part is intended for all AV systems

As part of the payload, the worm tries to make an infected computer completely unusable by modifying the following settings:

  • cursorBlinkRate
  • SwapMouseButtons
  • DoubleClickSpeed
  • KeyboardDelay
  • KeyboardSpeed
  • MenuShowDelay

The worm also prevents Explorer.exe (one of the main Windows components) from being closed or run, disables logging off, hides Explorer's advanced settings and performs a number of other actions.

The worm changes the Internet Explorer start page to 'Http://CyberWolf-has-bitten-you.com' and changes the computer name to 'CyberWolf'.
