Threat Description

Kickin

Details

Category: Malware
Platform: W32
Aliases: Kickin, I-Worm.Cydog.c, W32/Cydog.D, W32/Kickin@MM, Cydog.D, W32/Kickin.A@mm

Summary


F-Secure received the first submission of the Kickin worm on the 7th of May 2003. However, the worm appeared in the wild a few days earlier: we received its notification messages before we got the actual sample.

This worm is 109056 bytes long and is packed with the UPX file compressor. Kickin is very similar to the Cydog worm variants but has been rewritten in Visual C. Kickin can spread via e-mail, IRC and the peer-to-peer (P2P) networks Kazaa, Edonkey, Bearshare and Morpheus.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.




Technical Details


Infecting a system

When run, the worm copies itself to the Windows directory as CYBERWOLF.EXE with hidden and system attributes. Additionally the worm copies itself to the Windows System directory under the following names:

 mapi32.drv
 format.com
 SARS-Guide.scr
 MsnMsgs.exe
 Setup.exe
 Virtual Joke.scr
 Saddam-the real pics.scr
 Christina Aguilera-The most beautiful girl on earth.scr
 Soccer Database.exe
 OutWar Demo.exe
 Love.scr
 Last Summer.scr
 Hotmail Hacker.exe
 FixSql.com
 Q30215HOTFIX.pif
 Api Hooking-Tutorial.exe
 Kernel32.exe
 Magical-Screensaver.scr

The worm sets the hidden and system attributes on the Kernel32.exe file. It also modifies the default open command for the EXE file type so that its Kernel32.exe is started whenever a user runs any EXE file:

 [HKCR\exefile\shell\open\command]
 @ = "%winsysdir%\Kernel32.exe "%1" %*"

The path and arguments of the program the user asked for are passed on through "%1" %*, so the requested program still appears to start normally. Note that if Kernel32.exe is deleted while this value is left in place, Windows can no longer start any EXE file until the value is restored to its default of "%1" %*.

The worm also creates two startup keys for its files in the System Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "CyberWolf" = "%windir%\CyberWolf.exe"
 "Windows Kernel" = "%winsysdir%\Kernel32.exe"

where %windir% represents Windows directory and %winsysdir% represents Windows System directory. This is done to make those two worm files start during every Windows session.

The worm also modifies several Registry keys so that Windows hides known file extensions and does not show files with hidden and system attributes, which keeps the worm's own files out of sight in Explorer.
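As an added example (not part of the F-Secure description), the following Python script parses a text registry export, such as the one produced by the reg export command, and flags the two changes described above: a non-default exefile open command and Run values that point at the worm's file names. The export embedded in the script is constructed to look like an infected host; key names are written in the full HKEY_... form that reg export emits, and the hijacked command uses concrete paths in place of %windir% and %winsysdir%.

```python
"""Check a Windows registry export (.reg text) for the persistence Kickin
sets up: a hijacked HKCR\exefile open command and its two Run values.
Added example; not F-Secure code. The export below is constructed."""

# Constructed sample: what `reg export` would give on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Kernel32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Kernel"="C:\\WINDOWS\\SYSTEM\\Kernel32.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"
'''

# The value Windows ships for the exefile handler; anything else means every
# EXE launch is being proxied through another program.
DEFAULT_EXEFILE_CMD = '"%1" %*'

# File names the worm uses for its autostart copies (from the description).
WORM_AUTOSTART = {"cyberwolf.exe", "kernel32.exe"}


def parse_reg(text):
    """Return {key: {valuename: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping: \" -> " and \\ -> \
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_exefile(keys):
    """Return the program inserted into the EXE handler, or None if it is stock."""
    cmd = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("@", "")
    if cmd.strip() == DEFAULT_EXEFILE_CMD:
        return None
    # Strip the "%1" %* tail to expose what actually gets executed first.
    return cmd.replace(DEFAULT_EXEFILE_CMD, "").strip().strip('"')


def check_run_keys(keys):
    """Return (valuename, path) for Run entries whose file name matches the worm's."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, path in values.items():
            basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in WORM_AUTOSTART:
                hits.append((name, path))
    return hits


if __name__ == "__main__":
    k = parse_reg(SAMPLE_REG)
    print("exefile hijack:", check_exefile(k))
    print("suspicious Run values:", check_run_keys(k))
```

When run against a real export, read the file with encoding "utf-16", which is what reg export writes on Windows 2000 and later. A non-None result from check_exefile is the finding that matters for cleanup: the handler value has to be put back to "%1" %* before the referenced file is removed.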

Spreading in e-mail

The worm primarily spreads in infected e-mail messages. It collects e-mail addresses from Yahoo Messenger, MSN and .NET Messenger, ICQ, the Windows Address Book, and from HTML and EML files it finds on the hard disk.

The Kickin worm carries a list of SMTP servers that it tries to connect to if the user's own SMTP server is not available. It sends itself in messages with varying subjects, bodies and attachment names. The infected messages sent by the worm look as follows (the text below is the worm's own, reproduced with its spelling intact):

From: Lovergirl@yahoo.com
Subject: Fwd:Fwd:Fwd:Watch out for SARS!
Body:
---ORIGINAL MESSAGE BODY---
FROM:
DATE:Tuesday, May 06, 2003 11:37:31
TO:
SUBJECT:Fwd:Watch out for SARS!

FROM:
DATE:Tuesday, May 06, 2003 11:37:31
TO:
SUBJECT:Fwd:FwdWatch out for SARS!

FROM:
DATE:Tuesday, May 06, 2003 11:37:31
TO:
SUBJECT:Fwd:Fwd:Fwd:Watch out for SARS!

SARS aka Severe Acute Respiration Syndrome is infecting more and more people every day Soon it will get to USA,Europe,Asia,Africa and Australia if we don't do something

Thats why we started this chain letter with a single attachment

Our mission is to make all people aware of the disease and to give them a handy guide on how to protect themselves The attachment(SARS-Guide) is a guide (like the name says;)) with instructions for avoiding infection and what to do when infected

Ofcourse we cannot send this Guide to all people,thats why the WHO(World Health Organisation) has made a deal with WISI(World Internet Statistic Institute):For mail FORWARD of this email WITH the Guide,0.50US$ will be transfered to the WHO bank account They will use this money to make a vaccin for the SARS Virus,and thus help mankind

If you want to participate to this project,and thus help man kind,you should FORWARD this email to at least 1 person with this Guide Attached Thas all you'll have to do

Do,'t forget!Every FORWARD is 0.50US$ more for the vaccin,a vaccin is very expensive,so forward it if you want to participate in helping mankind!

For more information contact:

Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int

Attachment: SARS-Guide.scr

Please note that there is a real Mr. Dick Thompson working for WHO. Obviously he has nothing to do with this virus.

From: Webmaster@planet-source-code.com
Subject: Api Hooking Tutorial...
Body:
Did you wanted to learn how to api hook? Here your chance!This tutorial explains all the basics AND moderate Api Hookings Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide... The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances Provided to you by: Webmaster and www.planet-source-code.com
Attachment: Api Hooking-Tutorial.exe

From: Support@microsoft.com
Subject: Windows Hotfix!
Body:
Attached is the HotFix for several bugs in Windows Operating Systems. The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer. Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's.
For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com
Presented to you by:Microsoft HelpDesk
Attachment: Q30215HOTFIX.pif

From: SecurityResponse@symantec.com
Subject: Warning from Symantec.com
Body:
5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD
A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to spread by several ports on your pc(139,25,445,446,10252). It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection. After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS. Simply run the attached fix and wait for the dialog to prompt,select the feature and wait till its finished.
Sincerely,
Symantec Security Response Team
Symantec Corporation
Attachment: FixSql.com

From: Admin@hackers.com
Subject: u wanted to hack?
Body:
hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!! Simply open it and enter your victims email ID and select This will also work on Yahoo and Icq accounts
Admin@hackers.com

From: Lovergirl963@hotmail.com
Subject: Do you remember last summer?
Body:
hi
Do you remember we met last summer? We became very good friends at the end huh! Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them See you soon again xxx Love ya...
Attachment: Last Summer.scr

From: Lovergirl33@hotmail.com
Subject: Fwd:Fwd:Fwd:Sit back and be surprised...
Body:
ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 13:37:31
TO:
SUBJECT:Fwd:Fwd:Sit back and be surprised...
Magic in CyberSpace,its almost unbelievable!
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
You don't have to forward this email but then your friends won't get the chance to make their dreams come tru,So if you want your friends to be happe,simply mail them the magic...
Be aware!No cheating allowed,Once you have written those names and values on your paper you cannot chance them!!!
Attachment: Magical-Screensaver.scr

From: Admin@screensavers.com
Subject: The Magical screensaver
Body:
Check out this magic screensaver.Its pure magic!!!
Follow these steps for the magic:
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
Presented by Admin@screensavers.com
Attachment: Magical-Screensaver.scr

From: Webmaster@Loveforlife.com
Subject: Feel the reason why we fall in love...
Body:
It takes One minute to find someone special
One hour to like someone
1 Day to fall in love with someone
But it takes a lifetime to forget someone.
If you have ever been in love then you'll know about what i am talking. If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
Attachment: Love.scr

From: Webmaster@Outwar.com
Subject: Outwar is proud to present you:Outwar InterActive
Body:
After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new. Thats why we decided to take our OutWar into the game market and developed OurWar InterActive This game will be in shops late summer and will cost about 36$. It will be avaible across the Usa,Europe,Australia and Asia. Our release for Africa is scheduled early 2004. Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo! The attached file contains Installation Packet for the downloader. Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!.
Sincerely yours
Webmaster@outwar.com
Attachment: OutWar Demo.exe

From: Soccerfan@yahoo.com
Subject: Fwd:Fwd:Fwd:Soccer...
Body:
Ever wanted to see the best goals,the most beautiful freekicks etc.with just 2 clicks with your mouse? Ever wanted to acces the largest Soccer Database on the internet where all goals from more then 25 international competitions from the past 15 years are stored? Here is your chance,this program has instant acces it,so you can enjoy how Diego Maradonna scored ,or how Johan Cruyff curled that ball into the goal...Enjoy! The database contains goals from countries like:Spain,Italy,France,Germany,England,Belgium,The Netherlands,Sweden,Finland and much more Also forward this to all football fans you know so they can enjoy this to.
Attachment: Soccer Database.exe

From: Webmaster@beautifulgirls
Subject: Christina Aguilera:The most beautiful girl on earth
Body:
Don't you think Christina Aguilera is the most beautiful girl on earth? She is soo nice!!! That clip was amazing... If you wanne see some hidden pics of that videoclip then check out this screensaver Its nice...Very nice,if you get what i mean ;)
Webmaster@beautifulgirls.com
Attachment: Christina Aguilera-The most beautiful girl on earth.scr

From: webmaster@screensavers.com
Subject: Saddam alive and kickin'
Body:
The whole world wants to know it,is saddam a live,or death? Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible! You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground! Check out the pics i attached,you won't believe what you see!
Attachment: Saddam-the real pics.scr

From: Admin@jokes.com
Subject: The Virtual Joke...
Body:
Have you seen it yet? You should because its soooooo funny,i wish the real jokes where that funny :) Check out the attached screensaver and enjoy the pleasure of laughing...
Attachment: Virtual Joke.scr

From: flipbabe@hotmail.com
Subject: Fwd:Fwd:Whats really happening in bagdad
Body:
ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 13:37:31
TO:
SUBJECT:Fwd:Whats really happening in bagdad
Someone of the britisch army has made some Secret Spy Cam pics,and uploaded it to the internet!! The pics show you exactly whats reall happened in Irak!Its really not what you've seen on tv! Check out the attached file and forward this to as much friends so that they can all see what has really happened in Irak.
FlipBabe xxx
Attachment: Saddam-the real pics.scr

From: mailinglist@Msn.com
Subject: Get the new Msn 5.1!
Body:
Tired of the little nicknames in Msn,tired of all the limits? Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever! It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better!
Msn Messenger 5.1 is avaible for following Operating Systems:
Windows Xp
Windows ME and 2000
Windows 98 and NT
Is not avaible for:Windows 95
This version of msn messenger supports also Api's in Windows Xp so you can make your own addons. To download Msn Messenger 5.1 install the attached Root Setup.
WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP.
If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions. Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not
Sincerely yours:
The Msn Messenger Team
The Hotmail Team
Attachment: MsnMsgs.exe

From: nice_girl21@hotmail.com
Subject: Fwd:How to protect yourself against SARS
Body:
ORIGINAL MESSAGE BODY:
FROM:
DATE:Tuesday, May 06, 2003 11:37:31
TO:
SUBJECT:Fwd:How to protect yourself against SARS
SARS aka. Severe Acute Respiratory Syndrome is a worldwide health threat. It was first discovered in China But now,it has become a very big thread to all people in this world If no vaccin is found,soon more then 500.000 people will be infected with it This vaccin is not yet made,so within this time the ONLY protection humans have is prevention of infection Thats why we of HealthCare launched a project in which we will send newsletters with information about SARS and with prevention rules.
Symptoms:High Fever(>38-C) AND one or more respiratory symptoms including cough, shortness of breath, difficulty breathing Also be aware of the following:close contact with a person who has been diagnosed with SARS AND a recent history of travel to areas reporting cases of SARS In addition to fever and respiratory symptoms, SARS may be associated with other symptoms including: headache, muscular stiffness, loss of appetite, malaise, confusion, rash, and diarrhea.
Until more is known about the cause of these outbreaks, WHO (World Health Organization) recommends that all people read the attached instructions of howto prevent beeing infected with SARS and what to do when infection has occurred
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int
Attachment: SARS-Guide.scr

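As an added example, not code from F-Secure, the following Python scans a single RFC 822 message for the e-mail indicators listed above: the attachment names the worm uses, the subjects it sends, and any attachment with an executable extension. The message embedded in the script is constructed to resemble the "Windows Hotfix!" lure. The check for an 'MZ' header on the decoded attachment is an inference from the description's statement that the worm is a UPX-packed executable, which is a PE file; it is not something the description itself lists.

```python
"""Scan an e-mail message for Kickin's indicators (attachment names, subjects,
executable attachments). Added example, not F-Secure code; the message below
is constructed."""
import email
from email import policy

# Attachment names used by the worm, taken from the description.
WORM_ATTACHMENTS = {
    "sars-guide.scr", "api hooking-tutorial.exe", "q30215hotfix.pif",
    "fixsql.com", "hotmail hacker.exe", "last summer.scr",
    "magical-screensaver.scr", "love.scr", "outwar demo.exe",
    "soccer database.exe",
    "christina aguilera-the most beautiful girl on earth.scr",
    "saddam-the real pics.scr", "virtual joke.scr", "msnmsgs.exe",
}
# Subjects used by the worm (compared case-insensitively).
WORM_SUBJECTS = {
    "fwd:fwd:fwd:watch out for sars!", "api hooking tutorial...",
    "windows hotfix!", "warning from symantec.com", "u wanted to hack?",
    "do you remember last summer?", "fwd:fwd:fwd:sit back and be surprised...",
    "the magical screensaver", "feel the reason why we fall in love...",
    "outwar is proud to present you:outwar interactive",
    "fwd:fwd:fwd:soccer...",
    "christina aguilera:the most beautiful girl on earth",
    "saddam alive and kickin'", "the virtual joke...",
    "fwd:fwd:whats really happening in bagdad", "get the new msn 5.1!",
    "fwd:how to protect yourself against sars",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

# Constructed sample resembling the "Windows Hotfix!" lure. The base64 body
# is a made-up fragment that decodes to bytes beginning with "MZ".
SAMPLE_EML = """\
From: Support@microsoft.com
To: victim@example.invalid
Subject: Windows Hotfix!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the HotFix for several bugs in Windows Operating Systems.
--b1
Content-Type: application/octet-stream; name="Q30215HOTFIX.pif"
Content-Disposition: attachment; filename="Q30215HOTFIX.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA
--b1--
"""


def scan_message(raw):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "")
    if subject.strip().lower() in WORM_SUBJECTS:
        findings.append(("known-subject", subject))
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no file name
        lname = name.lower()
        if lname in WORM_ATTACHMENTS:
            findings.append(("known-attachment", name))
        elif lname.endswith(EXEC_EXTENSIONS):
            findings.append(("executable-attachment", name))
        # A decoded attachment starting with the DOS/PE "MZ" header is an
        # executable regardless of what the name claims it to be.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append(("pe-attachment", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in scan_message(SAMPLE_EML):
        print(f"{indicator}: {detail}")
```

The subject and file-name lists are only as good as this description; the worm varies both, so the executable-extension and "MZ" checks are what catch a message whose text has not been catalogued. Hashing the decoded attachment against the known sample would be the next step in a real filter.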
Spreading in P2P (peer-to-peer) networks

The worm has the ability to spread in peer-to-peer networks. It tries to locate shared folders of Kazaa, Edonkey, Bearshare and Morpheus file sharing clients and copies itself there with the following names:

 Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
 WebAttack-DoS Tool.exe
 FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
 Yahoo Remote Password Cracker Deluxe 2003.exe
 AIM Remote Password Cracker.exe
 Hotmail Exploiter 2003.exe
 XNuker 2003.exe
 Ultimate HackProg.exe
 Msn Messenger Remote Password Cracker 2003.exe
 Netbios hacker.exe
 Chaos Ip Spoof 2003.exe

People who download and run these files become infected with the worm.

Spreading in IRC networks

The worm spreads via IRC by replacing the SCRIPT.INI file of the IRC client with its own script. That script sends the following messages to every user joining a channel in which an infected user is present:

 <user_nick> hi,im CyberWolf,15 and from austria and u?
 <user_nick> check out this crazy screensaver!its magic!!!

The script then sends the worm's file, under the name 'Magical-Screensaver.scr', to the user with the nickname <user_nick>. When that user runs the file, he or she becomes infected with the worm.

Payload

The worm sends notification messages to anti-virus companies. Such messages look like this:

 From: twistmaster13@hotmail.com
 Subject: Hi,i'm 100% sure i'm infected!
 Body:
 mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you'll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number...

F-Secure has been receiving a large number of such e-mails, sent from infected machines in China, Belgium and the Netherlands.

Depending on the system time, the worm can create text files named CyberWolf.txt or Windows.lOg in the Windows directory. These files contain text messages from the author of the worm.

Depending on the system time, the worm can also open the Internet browser and direct it to the following sites:

 www.brain-hack.com
 www.indiansnakes.cjb.net
 www.christinaaguilera
 www.catholicninjas.org/superfuntime/

The worm kills processes whose names match the following strings. Most belong to anti-virus and personal firewall software; the list also covers system tools such as Task Manager, Registry Editor and MSCONFIG, which makes manual inspection and cleanup of a running infected system harder:

 NETSERVICES
 COMMAND
 SYSHELP
 RAVMOND
 WINRPC
 WINHELP
 WINGATE
 NPROTECT
 CLEANER
 WINDRIVER
 TASKMGR
 MSCONFIG
 REGEDIT
 ANTI-TROJAN
 BLACKICE
 ZONEALARM
 LOCKDOWNADVANCED
 NVC95
 FP-WIN
 IOMON98
 PCCWIN98
 F-PROT
 F-STOPW
 IAMSERV.EXE
 NAVWNT
 NAVRUNR
 NAVLU32
 NAVAPSVC
 VSMON.EXE
 SYMPROXYSVC
 RESCUE32
 NISSERV
 VSECOMR
 VETTRAY
 TDS2-NT
 CCAPP.EXE
 SCAN32
 PCFWALLICON
 NSCHED32
 SPHINX.EXE
 FRW.EXE
 MCAFEE
 ATRACK
 PVIEW.EXE
 LUCOMSERVER
 LUALL.EXE
 NMAIN.EXE
 NAVW32
 NAVAPW32
 VSSTAT
 VSHWIN32
 AVSYNMGR
 AVCONSOL
 WEBTRAP
 POP3TRAP
 PCCMAIN
 PCCIOMON
 ESAFE.EXE
 AVPM.EXE
 AVPCC.EXE
 AMON.EXE
 ALERTSVC
 ZAPRO.EXE
 AVP32
 LOCKDOWN2000
 AVP.EXE
 CFINET32
 CFINET
 ICMON
 SAFEWEB
 WEBSCANX
 IAMAPP

The worm also does not allow programs with the following names to run:

 Norton AntiVirus
 LiveUpdate
 System Configuration Utility
 Process Viewer
 Registry-Editor
 Windows Task Manager


Detection


F-Secure Anti-Virus detects Kickin worm with the updates published on May 7th, 2003:
Database: 2003-05-07_03



Description Details: Alexey Podrezov, Katrin Tocheva, Mikko Hypponen; F-Secure Corp.; May 7th, 2003

