Threat Description

Cydog

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Cydog, I-Worm.Cydog, W32.HLLW.Cydog@mm

Summary


Cydog is an e-mail and P2P worm. Three variants are known. F-Secure Anti-Virus detects them as I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c with the update published at the beginning of March 2003.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The worm is written in Visual Basic and compressed with the UPX file compressor. The packed file is about 35 kilobytes.
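A triage check for the packing described above, added here as an example and not part of F-Secure's description: it parses a PE image far enough to read the section table and flags the UPX0/UPX1 section names and the "UPX!" marker that stock UPX leaves in the file. The sample images are constructed inline by a minimal header builder; nothing is derived from a real Cydog sample, and both heuristics are defeated by builds that rename sections and scrub the marker.

```python
"""Added example: read PE section names and flag stock-UPX packing."""
import struct
from typing import List

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
UPX_MARKER = b"UPX!"  # written by stock UPX into its own packer header


def pe_section_names(data: bytes) -> List[str]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        raw_name = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)[0]
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: UPX-style section names or the UPX! marker.
    A renamed and scrubbed build passes both checks."""
    names = pe_section_names(data)
    return any(n.upper().startswith("UPX") for n in names) or UPX_MARKER in data


def build_minimal_pe(section_names: List[str], extra: bytes = b"") -> bytes:
    """Constructed test image: just enough header for the parser above.
    It is not loadable; it exists so the example runs without a real sample."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF: Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    sections = b"".join(
        SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                            0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                            0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections + extra


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], extra=UPX_MARKER)
    plain = build_minimal_pe([".text", ".data", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))
    print(pe_section_names(plain), looks_upx_packed(plain))
```

On a real sample the next step after a positive result is `upx -d` on a copy, followed by a look at the import table: the unpacked Visual Basic binary should import MSVBVM60.DLL (or MSVBVM50.DLL), which is how the "written in Visual Basic" statement above is normally confirmed.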

When run, the worm displays a fake error message:

Fatal error in Windows Kernell Please allow a 10 MINUTES acces for windows to send an error  report to microsoft in hope they solve this error This operation could take a few moments but it will help  microsoft to make an Windows Update If a dialog is prompted from MS Outlook then please click the  yes button to allow Windows to send the e-mail!  

The worm then installs itself on the system. It copies itself to the Windows System directory under the following names:

taskmgr.exe
Rundll32.exe
Kernell32.exe
system32.exe
systems.exe
service.exe
regedit32.exe
Windows.scr
Ms-Dos.com
Windows Media Player Plugin.exe

The worm creates startup keys for some of its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%windir%\CyberWolf.exe"
"Windows Systems Service" = "%winsysdir%\service.exe"
"Windows Kernell" = "%winsysdir%\kernel32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%winsysdir%\CyberWolf.exe"

The worm also creates startup keys for a few files that might not exist on an infected computer:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "%windir%\dllhost.exe"
"Windows Installer Service" = "%windir%\msiexec.exe"

Additionally, the worm copies itself to the Windows directory under the following names:

explorer.exe
system.exe
CyberWolf.exe

The worm modifies the default command used to open EXE files:

[HKCR\exefile\shell\open\command]

so that CyberWolf.exe is run every time an executable file is started on the infected system.

The worm appends the following text to the SYSTEM.INI file:

[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you

The worm edits the WIN.INI file and registers the following file types to open with itself:

MP3
MPEG
MPG
WMA
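An offline audit of the persistence points listed above (the Run keys, the exefile open command, the SYSTEM.INI [driver32] entry and the WIN.INI file type mapping), added here as an example and not part of F-Secure's description. It works over a regedit export and the two INI files, so it can be run against artefacts pulled from an infected machine or an image. The inputs below are constructed: the shape of the hijacked exefile command is assumed, since the description gives only the key name, and the WIN.INI section name [Extensions] is the classic location for file type mappings but is not named by the description.

```python
"""Added example: offline audit of the persistence points described above."""
import configparser
import re
from typing import Dict, List

# Drop names taken from the description, lower-cased for comparison.
WORM_FILES = {
    "cyberwolf.exe", "service.exe", "kernel32.exe", "kernell32.exe",
    "taskmgr.exe", "rundll32.exe", "system32.exe", "systems.exe",
    "regedit32.exe", "windows.scr", "ms-dos.com",
    "windows media player plugin.exe", "explorer.exe", "system.exe",
}
# Genuine Windows binaries that live in System32; a Run entry pointing at a
# copy directly under %windir%, as the worm writes, is therefore suspect.
SYSTEM32_ONLY = {"dllhost.exe", "msiexec.exe"}
HIJACKED_EXTS = {"mp3", "mpeg", "mpg", "wma"}
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_CMD = '"%1" %*'  # stock default value of that key
_REG_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Subset of regedit export syntax: [key] headers, "name"="str", @="str"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)  # "" = default value
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(3))  # undo \\ and \"
    return keys


def _basename(command: str) -> str:
    """Executable file name from a command line, quoted or bare."""
    path = command.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        path = path[1:end] if end > 0 else path[1:]
    return re.split(r"[\\/]", path)[-1].lower()


def audit_registry(reg_text: str) -> List[str]:
    findings = []
    keys = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, target in keys.get(key, {}).items():
            base = _basename(target)
            if base in WORM_FILES:
                findings.append(f"Run '{name}' -> {target}: worm drop name")
            elif base in SYSTEM32_ONLY and target.lower().startswith("%windir%\\" + base):
                findings.append(f"Run '{name}' -> {target}: system binary outside System32")
    cmd = keys.get(EXEFILE_KEY, {}).get("")
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        findings.append(f"exefile open command hijacked: {cmd}")
    return findings


def _ini(text: str) -> configparser.RawConfigParser:
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = str  # keep key case for reporting
    cp.read_string(text)
    return cp


def audit_ini(system_ini: str, win_ini: str) -> List[str]:
    findings = []
    sys_cp, win_cp = _ini(system_ini), _ini(win_ini)
    if sys_cp.has_section("driver32"):
        findings += [f"SYSTEM.INI [driver32] {k}={v}" for k, v in sys_cp.items("driver32")
                     if "cyberwolf" in (k + v).lower()]
    # Assumption: the description does not name the WIN.INI section; the classic
    # [Extensions] section ("ext=handler ^.ext") is where file types are mapped.
    if win_cp.has_section("Extensions"):
        findings += [f"WIN.INI [Extensions] {ext}={handler}" for ext, handler in win_cp.items("Extensions")
                     if ext.lower() in HIJACKED_EXTS and _basename(handler.split(" ^")[0]) in WORM_FILES]
    return findings


# Constructed inputs, not from a real infection; the hijacked exefile command
# is an assumed shape, since the description gives only the key name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="%windir%\\CyberWolf.exe"
"Windows Systems Service"="%winsysdir%\\service.exe"
"dllhost"="%windir%\\dllhost.exe"
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%windir%\\CyberWolf.exe\" \"%1\" %*"
'''
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n\n[driver32]\nCyberWolf=W32.CyberWolf@mm\nHas=Infected you\n"
SAMPLE_WIN_INI = ("[windows]\nload=\nrun=\n\n[Extensions]\ntxt=notepad.exe ^.txt\n"
                  "mp3=%winsysdir%\\Windows Media Player Plugin.exe ^.mp3\n"
                  "wma=%winsysdir%\\Windows Media Player Plugin.exe ^.wma\n")

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REG) + audit_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(finding)
```

The exefile check is the one to keep even outside this worm: the default value of HKCR\exefile\shell\open\command is `"%1" %*` on a clean system, and any other content means every executable launch is being proxied through something else, which is also why simply deleting the worm's files before restoring that key leaves a machine unable to start any program.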

The worm terminates processes with the following names (security software components and the Task Manager):

CCAPP.exe
zapro.exe
taskmgr.exe
NMAIN.exe
AVPCC.exe
AVP.exe
ANTI-TROJAN.exe
WEBSCAN.exe
NUPDATE.exe
NAVAPW32.exe
ESAFE.exe
BLACKICE.exe
CFIND.exe
KPFW32.exe
KPF.exe
LUALL.exe
AUPDATE.exe
QCONSOLE.exe
BOOTWARN.exe
CCSHTDWN.exe
AVPMON.exe
SCAN32.exe
FINDVIRU.exe
_AVP32.exe

Spreading in E-mails

The worm sends itself to every e-mail address it can find in the Outlook Address Book, using one of several different messages:

Subject:

EA and EIDOS Presents...  

Body:

Dear client  Some information about our long-awaited product:"CyberWolf"  CyberWolf is the newest product of Electronic Arts and Eidos Interactive!  Its a complete new technology which actualy speeds up you're  processor time needed to play game of EA and EIDOS  Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the  other games produced by these companies!  The technology behind these new product is something that clear  The speed and graphical abilities are increased by 35%,so  loading a new game wile go 35% faster!So more gameplay,less  waiting and looking at that dum screen! But it will take sometime for EA and EIDOS to alert all peoples  who has EA and EIDOS games,but...  They decided to mail the CyberWolf-Patch to users who have games  from EA and EIDOS and to people who visited the website within  the past 18 months!  also they decided to mail this patch to workers in companies and  to other people who are using the internet regulary  If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then  just install the attachment,restart you  wait until you buy a EA or EIDOS game,and enjoy it then!the  choice is yours! Before i forget:This patch seems to work on other games as  well,it speeds up those games by 15-30% depending on the game! ----------------------------------------------------------------- This e-mail and any attachment thereto may contain information  which is confidential, privileged or otherwise protected from  disclosure and/or protected by EA and EIDOS property rights.  
This product may NOT be soled or copied!It may only be used by  the intended recipient and this only for the purpose for which  it has been sent  If you are not the intended recipient,then please contact EA or  EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this e-mail  and attachement  We believe and warrant that this e-mail and any attachments, are  virus free,we take full responsibility about this attachment CyberWolf For more information please contact us at  EE-CyberWolf.patch@EA-EIDOS.com or suft to  www.EA.com/project\cyberwolf.htm and www.eidos.com\cyberwolf.asp  E-mail provided to you by Elena (Elena@EA-EIDOS.com)  

Attachment:

CyberWolf-Patch.exe  

Subject:

PacketStorm:WINDOWS Xp has several exploits  

Body:

According to the redaction of PacketStorm  Windows Xp has several exploits which could not be removed because  if the do want to delete it then they should rewrite Kernell!  but this would mean rewriting everything Micrsoft had build up  over the last years  Bill Gates from microsoft reported that there is no exploit at  all!,it was just a joke from a hacker  attending to scar off windows XP users  However the word goes around that allready several users and  admins have been hacked by an mysterious hacker  nicknamed 'The CyberWolf'  if you want more information about this exploit and the exploit  itself,then open the included e-mail  do not forget to vote for PacktStorm when running the  attachment,Enjoy the rest of our services This email is provided to you by PacketStorm,please enjoy our services  

Attachment:

Windows Xp Exploit.exe  

Subject:

A Virtual joke...the funniest around!  

Body:

hi  have you heard about the CyberWolf-Joke?  i hope you didn't cause i just sended it to you,check it out!  its soooo funny you 'll laugh yourself a bunch when you see and hear the joke  haha those little bastards on your screen are soooo funny:D:D  just download and open the attached screensaver (The  CyberWolf-Joke.scr = this is actually the joke) and look at it  funny hu!!!  after you have run the joke click ctrl+shift+p to see who made it.  I hope you have fun with it  greeetttzzz *********************************************************************** This e-mail is presented to you by Joking-Soft,a division of MicroSoft.  If you have any problems with this e-mail or attachment then  please contact us.  We take full responsability for this e-mail and attachements.  They are virusfree and are property of Joking-Soft  Please do not Sell or Distribute these atachments.  I thank you  

Attachment:

The CyberWolf-Joke.scr  

Subject:

A kiss from me to you...  

Body:

Dear User  Someone has dropped a kiss in you're mailbox!  Check-Out the attached Kiss from the anonymous person,probably a  secret lover or a very good friend  After you have been kissed please visit www.internetkiss.com and  send this kiss to all the person who you adore or just like  You are Nr.315723625 who has received this Internet-Kiss.  This Internet-Kiss-Letter is started on 13/01/1997 and hopes to  continue until 13/01/2007.  

Attachment:

My Kiss for you.scr  
Spreading via file sharing networks

The worm tries to locate the Kazaa file sharing client on the system. If it is installed, the worm enables sharing, creates a subfolder named 'Windows Security Haches' in the shared folder and copies itself there under the following names:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe

The worm then tries to locate the iMesh file sharing client. If it is installed, the worm enables sharing, creates a subfolder named 'Windows Security Haches' in its shared folder and copies itself there under the same file names it uses for Kazaa.

The worm copies itself to the eDonkey file sharing client's incoming/shared folders under the following names:

Edonkey2000-Ad remover.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
EA Games Keygen for All versions(only EA).exe

The worm also copies itself to the BearShare file sharing client's shared folders under the following names:

Hotmail Hacker 2003-Xss Exploit.exe
BearShare Pro 4.3.1 Beta Version.exe
XNuker 2003 2.93b.exe
Chaos Ip 2003-Xp compitable.exe

The worm copies itself to the Grokster file sharing client's shared folders under the following names:

Netbios Nuker 2003.exe
Grokster ad-remover.exe
Stripping mp3 dancer+crack.exe
Trojan Utility 5.6.exe
Winrar 3.xx password cracker.exe
NetScan 1.6.exe
Xss security exploit-hotmail.exe

The worm copies itself to the Morpheus file sharing client's shared folders under the following names:

Morpheus-Gold.exe
WebSeek-Mp3.exe
Chaos Ip.exe
Netbios Exploiter Xp.exe

The worm copies itself to the LimeWire file sharing client's shared folders under the following names:

Credit card Generator
CrackOlogic(all windows apps).exe
Lunix-Download.exe

Payload

The worm can create and run a batch file named 'CyberWolf.bat'. The batch file deletes all EXE and DLL files in the following folders:

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton AntiVirus\

The worm creates thousands of copies of itself in the Windows System folder under random names and extensions, for example:

Dm3awasdm36571.mgp
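The random names defeat a file name search, but the thousands of dropped files are byte-identical, which is the property a responder can use. The following is an added example, not part of F-Secure's description: it groups the regular files in a directory by size and then by SHA-256 and reports any content present at least a threshold number of times. The directory it scans is constructed inline (a fake body under random names in the style of the sample above, a few distinct benign files and one legitimate duplicate pair below the threshold); no real sample is involved.

```python
"""Added example: find mass-dropped identical copies hiding under random names."""
import hashlib
import os
import random
import shutil
import string
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_mass_dropped(directory: str, min_copies: int = 5) -> Dict[str, List[str]]:
    """Return {sha256: [file names]} for content present >= min_copies times.
    Files are bucketed by size first so only size collisions are hashed, which
    keeps the scan tolerable on a System folder with thousands of entries."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            by_size[entry.stat().st_size].append(entry.path)
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for paths in by_size.values():
        if len(paths) >= min_copies:
            for p in paths:
                by_hash[sha256_file(p)].append(os.path.basename(p))
    return {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_copies}


def build_sample_tree(root: str, copies: int = 40, seed: int = 7) -> str:
    """Constructed stand-in for an infected System folder: `copies` identical
    bodies under random names in the Dm3awasdm36571.mgp style, three distinct
    benign files and one legitimate duplicate pair below the threshold.
    Returns the sha256 of the dropped body."""
    rng = random.Random(seed)
    body = b"MZ" + bytes(rng.getrandbits(8) for _ in range(2048))  # fake worm body
    names = set()
    while len(names) < copies:
        stem = "".join(rng.choices(string.ascii_letters, k=rng.randint(6, 10)))
        ext = "".join(rng.choices(string.ascii_lowercase, k=3))
        names.add(f"{stem}{rng.randint(1000, 99999)}.{ext}")
    for name in names:
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    for i, size in enumerate((512, 1024, 4096)):
        with open(os.path.join(root, f"legit{i}.dll"), "wb") as f:
            f.write(bytes([i]) * size)
    for name in ("pair_a.dat", "pair_b.dat"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"same content, only two copies")
    return hashlib.sha256(body).hexdigest()


def demo(copies: int = 40) -> Tuple[str, Dict[str, List[str]]]:
    """Build the constructed tree in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="cydog-demo-")
    try:
        expected = build_sample_tree(root, copies)
        return expected, find_mass_dropped(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    body_hash, groups = demo()
    for h, names in groups.items():
        print(f"{len(names)} copies of {h[:16]}...: {names[:3]} ...")
```

The hash of the reported group is also the value to hand to the rest of the fleet: once the dropped body is identified on one machine, the same content hash finds the copies that were given different random names elsewhere.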

The worm also runs multiple copies of itself in memory, which exhausts system resources and eventually crashes Windows.

The worm writes a 'message' from its author to a CyberWolf.txt file in the Windows folder and places a shortcut to it on the Windows desktop named 'Hi there, I'm CyberWolf '. Here is a part of that message:

Hi there,I'm CyberWolf  As you probably know,i infected your pc  how does it feel being infected by CyberWolf without knowing this virus?  Angry that you AV didn't stopped me?  or just that i wrote this stupid virus who infected your pc?  Well i have good new for you because unless the payload is  triggered this virus won't hurt your pc!   But when the BigTime Payload is triggered then your really in problems!!!  It won't delete files from your pc but it just crashes 'em!  when you read this file,the PayLoad is triggered!!!   But only the little one that messes a bit with your pc but it  doesn't delete files or so  I recommend you to install an Av because i don't think you can  delete this virus by yourself,its a worm you know.  I'll give you some information about this virus---This part is  intended for all AV systems  

As part of the payload, the worm tries to make the infected computer completely unusable by modifying the following settings:

cursorBlinkRate
SwapMouseButtons
DoubleClickSpeed
KeyboardDelay
KeyboardSpeed
MenuShowDelay

The worm also prevents Explorer.exe (one of the main Windows components) from being closed or started, disables logging off, hides the advanced settings of Explorer and makes a number of other changes.

The worm changes the Internet Explorer start page to 'Http://CyberWolf-has-bitten-you.com' and changes the computer name to 'CyberWolf'.





Technical Details:Alexey Podrezov; F-Secure Corp.; March 19th, 2003

