Classification

Category :

Malware

Type :

Worm

Aliases :

Cydog, I-Worm.Cydog, W32.HLLW.Cydog@mm

Summary

Cydog is an email and P2P worm. There are three known variants of this worm. F-Secure Anti-Virus detects them, with the update published at the beginning of March 2003, as I-Worm.Cydog.a, I-Worm.Cydog.b and I-Worm.Cydog.c.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm is written in Visual Basic and is compressed with the UPX file compressor. The worm's packed file size is about 35 kilobytes.

When run, the worm displays a fake error message:

Fatal error in Windows Kernell Please allow a 10 MINUTES acces for windows to send an error
report to microsoft in hope they solve this error This operation could take a few moments but it will help
microsoft to make an Windows Update If a dialog is prompted from MS Outlook then please click the
yes button to allow Windows to send the email!

The worm then installs itself on the system. It copies itself to the Windows System directory with the following names:

taskmgr.exe
Rundll32.exe
Kernell32.exe
system32.exe
systems.exe
service.exe
regedit32.exe
Windows.scr
Ms-Dos.com
Windows Media Player Plugin.exe

The worm creates startup keys for some of its files in the Registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%windir%\CyberWolf.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Systems Service" = "%winsysdir%\service.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Kernell" = "%winsysdir%\kernel32.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "%winsysdir%\CyberWolf.exe"

The worm also creates startup keys for a few files that might not exist on an infected computer:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "%windir%\dllhost.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Installer Service" = "%windir%\msiexec.exe"

Additionally, the worm copies itself to the Windows directory with the following names:

explorer.exe
system.exe
CyberWolf.exe

The worm modifies the default command used to start EXE files:

[HKCR\exefile\shell\open\command]

This makes CyberWolf.exe run every time an executable file is started on the infected system.

The worm appends the following text to the SYSTEM.INI file:

[driver32]
CyberWolf=W32.CyberWolf@mm
Has=Infected you

The worm edits the WIN.INI file and registers the following file types so that opening them runs the worm:

MP3
MPEG
MPG
WMA
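The persistence mechanisms described above (Run-key values, the exefile open-command hijack, the SYSTEM.INI marker and the WIN.INI media-type registrations) can all be checked from an elevated PowerShell prompt. The script below is an added example, not part of the F-Secure description and not the worm's code: the value names, file names and markers come from this page, while the expected exefile command, the `[Extensions]` line format assumed for WIN.INI and the Authenticode check for legitimately named binaries are the editor's assumptions.

```powershell
# Added example: sweep a Windows host for the Cydog persistence indicators listed on this page.
# Run from an elevated prompt (HKLM and the Windows directories need administrative rights).

$winDir   = $env:windir
$sysDir   = Join-Path $winDir 'System32'
$findings = @()

# 1. Run-key values named on the page, in both the HKCU and HKLM hives.
$runValueNames = 'CyberWolf', 'Windows Systems Service', 'Windows Kernell', 'dllhost', 'Windows Installer Service'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValueNames) {
        $value = $props.PSObject.Properties[$name]
        if ($value) { $findings += "Run value '$name' in $key -> $($value.Value)" }
    }
}

# 2. EXE file-association hijack. On a clean system the default command is "%1" %* (assumption:
#    standard Windows value); anything else means every launched .exe passes through another program.
$exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') { $findings += "exefile open command is '$exeCmd' (expected '""%1"" %*')" }

# 3. SYSTEM.INI marker appended by the worm ([driver32] CyberWolf=W32.CyberWolf@mm).
$systemIni = Join-Path $winDir 'system.ini'
if ((Test-Path $systemIni) -and (Select-String -Path $systemIni -Pattern 'CyberWolf' -Quiet)) {
    $findings += 'system.ini contains a CyberWolf entry'
}

# 4. WIN.INI [Extensions] entries for the media types the worm registers to itself.
#    Assumption: the classic "ext=program ^.ext" form is used; the page does not show the exact
#    line, so every entry for these extensions is reported for analyst review.
$winIni = Join-Path $winDir 'win.ini'
if (Test-Path $winIni) {
    $inExtensions = $false
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*\[(.+)\]') { $inExtensions = ($Matches[1] -eq 'Extensions'); continue }
        if ($inExtensions -and $line -match '^\s*(mp3|mpeg|mpg|wma)\s*=(.+)$') {
            $findings += "win.ini [Extensions] maps .$($Matches[1]) to $($Matches[2].Trim())"
        }
    }
}

# 5. Dropped copies whose names do not belong to any genuine Windows file.
$dropped = @(
    @{ Dir = $sysDir; Names = 'Kernell32.exe', 'system32.exe', 'systems.exe', 'service.exe',
                              'regedit32.exe', 'Windows.scr', 'Ms-Dos.com', 'Windows Media Player Plugin.exe' },
    @{ Dir = $winDir; Names = 'system.exe', 'CyberWolf.exe', 'CyberWolf.txt' }
)
foreach ($set in $dropped) {
    foreach ($n in $set.Names) {
        $p = Join-Path $set.Dir $n
        if (Test-Path $p) { $findings += "Unexpected file present: $p" }
    }
}

# 6. Names the worm shares with real Windows binaries (taskmgr.exe, Rundll32.exe, explorer.exe)
#    are only suspicious when the file on disk is not Microsoft-signed.
foreach ($p in (Join-Path $sysDir 'taskmgr.exe'), (Join-Path $sysDir 'Rundll32.exe'), (Join-Path $winDir 'explorer.exe')) {
    if ((Test-Path $p) -and (Get-AuthenticodeSignature -FilePath $p).Status -ne 'Valid') {
        $findings += "Unsigned or tampered system binary: $p"
    }
}

if ($findings.Count -eq 0) { 'No Cydog persistence indicators found.' } else { $findings }
```

The exefile check is the one worth keeping in any baseline script regardless of this worm: a non-default `HKCR\exefile\shell\open\command` value intercepts every program launch, so it is both a reliable indicator and the reason an infected machine cannot simply have the dropped files deleted first (the replacement command must be restored before or together with the file removal).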

The worm terminates processes with the following names:

CCAPP.exe
zapro.exe
taskmgr.exe
NMAIN.exe
AVPCC.exe
AVP.exe
ANTI-TROJAN.exe
WEBSCAN.exe
NUPDATE.exe
NAVAPW32.exe
ESAFE.exe
BLACKICE.exe
CFIND.exe
KPFW32.exe
KPF.exe
LUALL.exe
AUPDATE.exe
QCONSOLE.exe
BOOTWARN.exe
CCSHTDWN.exe
AVPMON.exe
SCAN32.exe
FINDVIRU.exe
_AVP32.exe

Spreading in emails

The worm sends itself to all email addresses it can find in the Outlook Address Book. The worm can send several different email messages:

Subject:

EA and EIDOS Presents...

Body:

Dear client
Some information about our long-awaited product:"CyberWolf"
CyberWolf is the newest product of Electronic Arts and Eidos Interactive!
Its a complete new technology which actualy speeds up you're
processor time needed to play game of EA and EIDOS
Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the
other games produced by these companies!
The technology behind these new product is something that clear
The speed and graphical abilities are increased by 35%,so
loading a new game wile go 35% faster!So more gameplay,less
waiting and looking at that dum screen!
But it will take sometime for EA and EIDOS to alert all peoples
who has EA and EIDOS games,but...
They decided to mail the CyberWolf-Patch to users who have games
from EA and EIDOS and to people who visited the website within
the past 18 months!
also they decided to mail this patch to workers in companies and
to other people who are using the internet regulary
If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then
just install the attachment,restart you
wait until you buy a EA or EIDOS game,and enjoy it then!the
choice is yours!
Before i forget:This patch seems to work on other games as
well,it speeds up those games by 15-30% depending on the game!
-----------------------------------------------------------------
This email and any attachment thereto may contain information
which is confidential, privileged or otherwise protected from
disclosure and/or protected by EA and EIDOS property rights.
This product may NOT be soled or copied!It may only be used by
the intended recipient and this only for the purpose for which
it has been sent
If you are not the intended recipient,then please contact EA or
EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this email
and attachement
We believe and warrant that this email and any attachments, are
virus free,we take full responsibility about this attachment CyberWolf
For more information please contact us at
EE-CyberWolf.patch@EA-EIDOS.com or suft to
www.EA.com/project\cyberwolf.htm and www.eidos.com\cyberwolf.asp
email provided to you by Elena (Elena@EA-EIDOS.com)

Attachment:

CyberWolf-Patch.exe

Subject:

PacketStorm:WINDOWS Xp has several exploits

Body:

According to the redaction of PacketStorm
Windows Xp has several exploits which could not be removed because
if the do want to delete it then they should rewrite Kernell!
but this would mean rewriting everything Micrsoft had build up
over the last years
Bill Gates from microsoft reported that there is no exploit at
all!,it was just a joke from a hacker
attending to scar off windows XP users
However the word goes around that allready several users and
admins have been hacked by an mysterious hacker
nicknamed 'The CyberWolf'
if you want more information about this exploit and the exploit
itself,then open the included email
do not forget to vote for PacktStorm when running the
attachment,Enjoy the rest of our services
This email is provided to you by PacketStorm,please enjoy our services

Attachment:

Windows Xp Exploit.exe

Subject:

A Virtual joke...the funniest around!

Body:

hi
have you heard about the CyberWolf-Joke?
i hope you didn't cause i just sended it to you,check it out!
its soooo funny you 'll laugh yourself a bunch when you see and hear the joke
haha those little bastards on your screen are soooo funny:D:D
just download and open the attached screensaver (The
CyberWolf-Joke.scr = this is actually the joke) and look at it
funny hu!!!
after you have run the joke click ctrl+shift+p to see who made it.
I hope you have fun with it
greeetttzzz
***********************************************************************
This email is presented to you by Joking-Soft,a division of MicroSoft.
If you have any problems with this email or attachment then
please contact us.
We take full responsability for this email and attachements.
They are virusfree and are property of Joking-Soft
Please do not Sell or Distribute these atachments.
I thank you

Attachment:

The CyberWolf-Joke.scr

Subject:

A kiss from me to you...

Body:

Dear User
Someone has dropped a kiss in you're mailbox!
Check-Out the attached Kiss from the anonymous person,probably a
secret lover or a very good friend
After you have been kissed please visit www.internetkiss.com and
send this kiss to all the person who you adore or just like
You are Nr.315723625 who has received this Internet-Kiss.
This Internet-Kiss-Letter is started on 13/01/1997 and hopes to
continue until 13/01/2007.

Attachment:

My Kiss for you.scr

Spreading via file sharing networks

The worm tries to locate the Kazaa file sharing client on the system. If it is installed, the worm enables sharing and creates a subfolder named 'Windows Security Haches' in the shared folder. The worm copies itself to that folder with the following names:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe

After that, the worm tries to locate the iMesh file sharing client on the system. If it is installed, the worm enables sharing and creates a subfolder named 'Windows Security Haches' in the shared folder. The worm copies itself to that folder with the following names:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe

The worm copies itself to the eDonkey file sharing client's incoming/shared folders with the following names:

Edonkey2000-Ad remover.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
EA Games Keygen for All versions(only EA).exe

The worm also copies itself to the BearShare file sharing client's shared folders with the following names:

Hotmail Hacker 2003-Xss Exploit.exe
BearShare Pro 4.3.1 Beta Version.exe
XNuker 2003 2.93b.exe
Chaos Ip 2003-Xp compitable.exe

The worm copies itself to the Grokster file sharing client's shared folders with the following names:

Netbios Nuker 2003.exe
Grokster ad-remover.exe
Stripping mp3 dancer+crack.exe
Trojan Utility 5.6.exe
Winrar 3.xx password cracker.exe
NetScan 1.6.exe
Xss security exploit-hotmail.exe

The worm copies itself to the Morpheus file sharing client's shared folders with the following names:

Morpheus-Gold.exe
WebSeek-Mp3.exe
Chaos Ip.exe
Netbios Exploiter Xp.exe

The worm copies itself to the LimeWire file sharing client's shared folders with the following names:

Credit card Generator
CrackOlogic(all windows apps).exe
Lunix-Download.exe

Payload

The worm can create a batch file named 'CyberWolf.bat' and run it. The batch file contains commands that delete all EXE and DLL files; the worm uses it to delete files in the following folders:

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton AntiVirus\

The worm creates thousands of copies of itself with random names and extensions in the Windows System folder. An example file name:

Dm3awasdm36571.mgp
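Both the P2P spreading behaviour (one executable stored under many decoy names in share folders) and the mass-drop payload just described (thousands of random-named copies in the System folder) leave the same trace on disk: many files with different names but identical content. The function below is an added example, not part of the F-Secure description, that finds such clusters by grouping files by size and then by SHA-256, and it also looks for the 'Windows Security Haches' subfolder the page names. The copy threshold, the size cap and the Kazaa share path are the editor's assumptions.

```powershell
# Added example: report groups of byte-identical files and the decoy share folder named on this page.

function Find-DuplicateClusters {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int]  $MinCopies    = 10,    # assumption: report a hash only when at least this many files share it
        [long] $MaxSizeBytes = 1MB    # the worm is ~35 KB packed; skipping large files keeps hashing cheap
    )
    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.Length -gt 0 -and $_.Length -le $MaxSizeBytes }

    # Group by size first: only files of equal size can be identical, so only those get hashed.
    $candidates = $files | Group-Object Length | Where-Object { $_.Count -ge $MinCopies } |
                  ForEach-Object { $_.Group }

    $candidates | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Group-Object Hash | Where-Object { $_.Count -ge $MinCopies } |
        ForEach-Object {
            [pscustomobject]@{
                Sha256     = $_.Name
                Copies     = $_.Count
                SizeBytes  = (Get-Item -LiteralPath $_.Group[0].Path).Length
                Extensions = ($_.Group | ForEach-Object { [IO.Path]::GetExtension($_.Path) } | Sort-Object -Unique) -join ','
                Sample     = ($_.Group | Select-Object -First 3 | ForEach-Object { $_.Path }) -join '; '
            }
        }
}

function Find-DecoyShareFolder {
    # The worm creates this subfolder inside the Kazaa and iMesh shared folders (name from the page).
    param([Parameter(Mandatory)] [string[]] $Path)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Windows Security Haches' } |
        ForEach-Object { $_.FullName }
}

# Usage: the System folder plus a P2P share folder (assumed default Kazaa location) if it exists.
$targets = @("$env:windir\System32", 'C:\Program Files\Kazaa\My Shared Folder') | Where-Object { Test-Path $_ }
Find-DuplicateClusters -Path $targets -MinCopies 10 | Format-Table -AutoSize
Find-DecoyShareFolder -Path $targets
```

A cluster of several hundred same-hash files with a dozen different extensions in System32 has no legitimate explanation and is a stronger signal than any individual file name; the names themselves are random, so name-based rules do not catch this payload.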

The worm also runs multiple copies of itself in memory, which overloads and eventually crashes Windows.

The worm writes a 'message' from its author to the file CyberWolf.txt in the Windows folder and creates a shortcut to it on the Windows desktop named 'Hi there, I'm CyberWolf'. Here is part of that message:

Hi there,I'm CyberWolf
As you probably know,i infected your pc
how does it feel being infected by CyberWolf without knowing this virus?
Angry that you AV didn't stopped me?
or just that i wrote this stupid virus who infected your pc?
Well i have good new for you because unless the payload is
triggered this virus won't hurt your pc!
 But when the BigTime Payload is triggered then your really in problems!!!
It won't delete files from your pc but it just crashes 'em!
when you read this file,the PayLoad is triggered!!!
 But only the little one that messes a bit with your pc but it
doesn't delete files or so
I recommend you to install an Av because i don't think you can
delete this virus by yourself,its a worm you know.
I'll give you some information about this virus---This part is
intended for all AV systems

As part of its payload, the worm tries to make the infected computer completely unusable by modifying the following settings:

cursorBlinkRate
SwapMouseButtons
DoubleClickSpeed
KeyboardDelay
KeyboardSpeed
MenuShowDelay

The worm also prevents Explorer.exe (one of the main Windows components) from being closed or started, does not allow the user to log off, hides the advanced settings of Explorer, and performs many other actions.

The worm changes the default start page of Internet Explorer to 'Http://CyberWolf-has-bitten-you.com' and changes the computer name to 'CyberWolf'.