WORM_CYDOG.C

Malware type: Worm

Aliases: Email-Worm.Win32.Kickin.c (Kaspersky), W32/Kickin.gen@MM (McAfee), W32.HLLW.Kickin.A@mm (Symantec), Worm/Kickin.C.2 (Avira), W32/Kickin-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description:

This variant of WORM_CYDOG.A spreads by sending itself via email, using Microsoft Outlook, to all addresses found in the infected system's Windows Address Book (WAB). Unlike its predecessor, this variant successfully attaches itself to the email messages it sends out.

The subject of the email it sends is chosen randomly from a list in the virus body, while the message body may be any of the following:

Message Body: SARS aka. Severe Acute Respiratory Syndrome is a worldwide health threat.
It was first discovered in China
But now,it has become a very big thread to all people in this world If no vaccin is found,soon more then 500.000 people will be infected with it

This vaccin is not yet made,so within this time the ONLY protection humans have is prevention of infection
Thats why we of HealthCare launched a project in which we will send newsletters with information about SARS and with prevention rules. Symptoms:High Fever(>38
C) AND one or more respiratory symptoms including cough, shortness of breath, difficulty breathing
Also be aware of the following:close contact with a person who has been diagnosed with SARS AND a recent history of travel to areas reporting cases of SARS
In addition to fever and respiratory symptoms, SARS may be associated with other symptoms including: headache, muscular stiffness, loss of appetite, malaise, confusion, rash, and diarrhea.
Until more is known about the cause of these outbreaks, WHO (World Health Organization) recommends that all people read the attached instructions of howto prevent beeing infected with SARS and what to do when infection has occurred
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int

Message Body:
Tired of the little nicknames in Msn,tired of all the limits? Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever!
It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better!
Msn Messenger 5.1 is avaible for following Operating Systems:
Windows Xp
Windows ME and 2000
Windows 98 and NT
Is not avaible for:Windows 95
This version of msn messenger supports also Api's in Windows Xp so you can make your own addons.
To download Msn Messenger 5.1 install the attached Root Setup. WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP.
If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions.
Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not
Sincerely yours:
The Msn Messenger Team

Message Body: Someone of the britisch army has made some Secret Spy Cam pics,and uploaded it to the internet!!
The pics show you exactly whats reall happened in Irak!Its really not what you've seen on tv!
Check out the attached file and forward this to as much friends so that they can all see what has really happened in Irak.
FlipBabe xxx

Message Body:Have you seen it yet?
You should because its soooooo funny,i wish the real jokes where that funny :)
Check out the attached screensaver and enjoy the pleasure of
laughing...
The Virtual Joke...
Admin@jokes.com

Message Body:The whole world wants to know it,is saddam a live,or death?
Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible! You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground!
Check out the pics i attached,you won't believe what you see!
Saddam alive and kickin'
webmaster@screensavers.com

Message Body: Don't you think Christina Aguilera is the most beautiful girl on earth?
She is soo nice!!!
That clip was amazing...
If you wanne see some hidden pics of that videoclip then check out this screensaver
Its nice...Very nice,if you get what i mean ;)
Webmaster@beautifulgirls.com

Message Body: Ever wanted to see the best goals,the most beautiful freekicks
etc.with just 2 clicks with your mouse?
Ever wanted to acces the largest Soccer Database on the internet
where all goals from more then 25 international competitions from the past 15 years are stored?
Here is your chance,this program has instant acces it,so you can
enjoy how Diego Maradonna scored <with the hand of god>,or
how Johan Cruyff curled that ball into the goal...Enjoy!
The database contains goals from countries
like:Spain,Italy,France,Germany,England,Belgium,The
Netherlands,Sweden,Finland and much more
Also forward this to all football fans you know so they can enjoy
this to.

Message Body: Fwd:Fwd:Fwd:Soccer...
After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new.
Thats why we decided to take our OutWar into the game market and developed OurWar InterActive
This game will be in shops late summer and will cost about 36$.
It will be avaible across the Usa,Europe,Australia and Asia.Our
release for Africa is scheduled early 2004.
Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo!
The attached file contains Installation Packet for the downloader. Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!.
Sincerely yours
Webmaster@outwar.com

Message Body: It takes One minute to find someone special
One hour to like someone
1 Day to fall in love with someone
But it takes a lifetime to forget someone.
If you have ever been in love then you'll know about what i am
talking.
If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
Feel the reason why we fall in love...
Webmaster@Loveforlife.com

Message Body: Check out this magic screensaver.Its pure magic!!!
Follow these steps for the magic:1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship
and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16. Presented by Admin@screensavers.com
The Magical screensaver
Admin@screensavers.com

Message Body: SUBJECT:Fwd:Fwd:Sit back and be surprised...
Magic in CyberSpace,its almost unbelievable!
1)Pick 3 numbers and write them down on a paper.
2)Add one of the following values to the 3 numbers:Love,Friendship
and Sex.Write these values next to the number
3)Pick 1 additional number and say it out loud 5 times
4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep. 6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16. You don't have to forward this email but then your friends won't get the chance to make their dreams come tru,So if you want your friends to be happe,simply mail them the magic...
Be aware!No cheating allowed,Once you have written those names and values on your paper you cannot chance them!!!

Message Body: Fwd:Fwd:Fwd:Sit back and be surprised...
Do you remember we met last summer?
We became very good friends at the end huh!
Well i looked a bit over internet and i encountered your Email,so i
thought why not send him the pics from last summer
I've attached them in this email,there in ScreenSaver format,pls
reply to me if you liked them
See you soon again xxx
Love ya...

Message Body: hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!! Simply open it and enter your victims email ID and select <hack> This will also work on Yahoo and Icq accounts
Admin@hackers.com

Message Body: 5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD
A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to spread by several ports on your pc(139,25,445,446,10252). It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection.
After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS. Simply run the attached fix and wait for the dialog to prompt,select the <Full Clean> feature and wait till its finished.
Sincerely,
Symantec Security Response Team

Message Body: Attached is the HotFix for several bugs in Windows Operating Systems. The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer.
Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's.
For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com
Presented to you by:Microsoft HelpDesk<Support@microsoftcom>
Support@microsoft.com

Message Body: Did you wanted to learn how to api hook?
Here your chance!This tutorial explains all the basics AND moderate Api Hookings
Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer
After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide...
The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances
Provided to you by: Webmaster<Webmaster@planet-source-code.com> and www.planet-<BLOCKED>-code.com

Message Body: SARS aka Severe Acute Respiration Syndrome is infecting more and more people every day
Soon it will get to USA,Europe,Asia,Africa and Australia if we don't do something
Thats why we started this chain letter with a single attachment Our mission is to make all people aware of the disease and to give them a handy guide on how to protect themselves
The attachment(SARS-Guide) is a guide (like the name says;)) with instructions for avoiding infection and what to do when infected Ofcourse we cannot send this Guide to all people,thats why the WHO(World Health Organisation) has made a deal with WISI(World Internet Statistic Institute):For mail FORWARD of this email WITH the Guide,0.50US$ will be transfered to the WHO bank account

They will use this money to make a vaccin for the SARS Virus,and thus help mankind
If you want to participate to this project,and thus help mankind,you should FORWARD this email to at least 1 person with this Guide Attached
Thas all you'll have to do
Do,'t forget!Every FORWARD is 0.50US$ more for the vaccin,a vaccin is very expensive,so forward it if you want to participate in helping mankind!
For more information contact:
Dick Thompson - Communication Officer
Communicable Disease Prevention, Control and Eradication WHO, Geneva
Telephone: (+41 22) 791 26 84
Email: thompsond@who.int
Fwd:Fwd:Fwd:Watch out for SARS!

Aside from email, this worm also propagates through mIRC, MSN Messenger, Yahoo Messenger and ICQ and is also capable of terminating antivirus processes.

Description created: May. 8, 2003 10:11:43 AM GMT -0800
Description updated: May. 8, 2003 12:27:57 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 249,856 Bytes

Initial samples received on: May 9, 2003

Variant of: WORM_CYDOG.A

Payload 1: Mass-mails copies of itself

Details:

This memory-resident worm sends itself to target users via email, mIRC, MSN Messenger, Yahoo Messenger, and ICQ.

Installation

Upon execution, it drops copies of itself as the following files in the corresponding directories:

  • %Windows%\CyberWolf.exe
  • %System%\Kernel32.exe
  • %System%\Api Hooking-Tutorial.exe
  • %System%\Q30215HOTFIX.pif
  • %System%\FixSql.com
  • %System%\Hotmail Hacker.exe
  • %System%\Last Summer.scr
  • %System%\Magical-Screensaver.scr
  • %System%\Love.scr
  • %System%\OutWar Demo.exe
  • %System%\Soccer Database.exe
  • %System%\Christina Aguilera-The most beautiful girl on earth.scr
  • %System%\Saddam-the real pics.scr
  • %System%\Virtual Joke.scr
  • %System%\Setup.exe
  • %System%\MsnMsgs.exe
  • %System%\SARS-Guide.scr
  • %System%\format.com
  • %System%\mapi32.drv

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

To ensure its automatic execution at every Windows startup, it creates the following autorun entries in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
CyberWolf = "%Windows%\CyberWolf.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Kernel = "%System%\Kernel32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
System = "%System%\Kernel32.exe"

It also modifies the registry so that it executes every time an .EXE file is run:

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%System%\Kernel32.exe"%1"%*"

This worm also sets the following registry entries, which configure Windows Explorer not to show hidden files and to hide file extensions, so its dropped .scr and .exe copies are less likely to be noticed:

HKEY_USERS\WinME\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 2

HKEY_USERS\WinME\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 1
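As an added example (not Trend Micro's code), the following Python script parses a Windows .reg export and flags the registry changes listed in this section: the exefile shell-spawning command, the Run and Winlogon autorun entries that point at the dropped copies, and the Explorer hiding settings. Both .reg exports embedded in it are constructed samples; key paths and value names are compared case-insensitively, and the Explorer check matches the Advanced key under any user hive, since the page lists it under HKEY_USERS.

```python
import re

# Added example, not Trend Micro's code: parse a Windows .reg export and flag the
# WORM_CYDOG.C registry indicators listed above. Both exports are constructed samples.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Kernel"="C:\\WINDOWS\\System32\\Kernel32.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\Kernel32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\Kernel32.exe\" \"%1\" %*"

[HKEY_USERS\WinME\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"""

CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Indicators taken from the technical details: the clean exefile command, the two
# autorun locations the worm writes, and the file names of its autorun copies.
EXPECTED_EXE_COMMAND = '"%1" %*'
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
)
AUTORUN_COPIES = {"cyberwolf.exe", "kernel32.exe"}
EXPLORER_ADVANCED_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\advanced"
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key path (lower-cased): {value name (lower-cased): value}}."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):  # new key section
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        rhs = m.group(2).strip()
        if rhs.startswith("dword:"):
            hives[current][name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            hives[current][name] = _unescape(rhs[1:-1])
        else:
            hives[current][name] = rhs  # hex:/expand values kept as raw text
    return hives

def _basename(command):
    # '"C:\WINDOWS\CyberWolf.exe"' or '%System%\Kernel32.exe' -> 'cyberwolf.exe'
    return command.strip().strip('"').rsplit("\\", 1)[-1].lower()

def audit_cydog_indicators(hives):
    """Return (category, detail) findings for the registry changes the worm makes."""
    findings = []
    # 1. EXE shell spawning: anything but the clean default runs on every .exe launch
    cmd = hives.get(r"hkey_classes_root\exefile\shell\open\command", {}).get("(default)")
    if isinstance(cmd, str) and cmd.strip() != EXPECTED_EXE_COMMAND:
        findings.append(("shell_spawn", f"exefile command is {cmd!r}, expected {EXPECTED_EXE_COMMAND!r}"))
    # 2. Run / Winlogon values that launch one of the worm's autorun copies
    for key in AUTORUN_KEYS:
        for name, value in hives.get(key, {}).items():
            if isinstance(value, str) and _basename(value) in AUTORUN_COPIES:
                findings.append(("autorun", f"{key}\\{name} = {value}"))
    # 3. Explorer settings the worm flips to keep its dropped files out of view
    #    (weak on its own, since users set these too); checked under any user hive
    for key, values in hives.items():
        if not key.endswith(EXPLORER_ADVANCED_SUFFIX):
            continue
        if values.get("hidden") == 2:
            findings.append(("explorer_hiding", f"{key}\\Hidden = 2 (hidden files not shown)"))
        if values.get("hidefileext") == 1:
            findings.append(("explorer_hiding", f"{key}\\HideFileExt = 1 (extensions hidden)"))
    return findings
```

Running `audit_cydog_indicators(parse_reg_export(...))` on an export taken after the Solution steps below should return an empty list; the benign VendorUpdater entry is not flagged.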

Mass-mailing Routine

Using Microsoft Outlook, this worm mass-mails copies of itself to all email addresses found in the infected system's Windows Address Book. It also gathers email addresses from "*.*ml*" and "*.*ht*" files and may query ICQ, MSN Messenger and Yahoo Messenger contact lists for email addresses.

(Note: The asterisk (*) is a wildcard character representing zero or more characters.)

The subject of the email that it sends out is usually blank or is randomly chosen from a list in the virus body, while the message body is any of those listed under Description above.

Propagation via IRC

To propagate via IRC, this worm drops a malicious SCRIPT.INI file on the infected system. This dropped file configures mIRC to send a copy of the worm to other users who are connected to the same IRC channel as the infected user.

Trend Micro detects this malicious SCRIPT.INI as IRC_CYDOG.D.

Peer-to-peer Propagation

This worm first locates the Kazaa shared folder by querying the following registry entry:

HKEY_CURRENT_USER\Software\LocalContent
Downloadir

If it finds the Kazaa shared folder, it drops the following copies of itself there:

  • Chaos Ip Spoof 2003.exe
  • Netbios hacker.exe
  • Msn Messenger Remote Password Cracker.exe
  • Ultimate HackProg.exe
  • XNuker 2003.exe
  • Hotmail Exploiter 2003.exe

It also checks for the presence of the following folders to propagate through other peer-to-peer networks:

  • C:\Program Files\Edonkey2000\Incoming
  • C:\Program Files\BearShare\Shared
  • C:\Program Files\Morpheus\My Shared Folder

If the folders are found, it drops the following copies of itself into them:

  • Chaos Ip Spoof 2003.exe
  • Msn Messenger Remote Password Cracker.exe
  • Netbios hacker.exe
  • WebAttack-Dos Tool.exe
  • Yahoo Remote Password Cracker Deluxe 2003.exe

Antivirus Retaliation

This worm also attempts to terminate the following processes, which are mostly related to antivirus products:

  • ALERTSVC
  • AMON.EXE
  • ANTI-TROJAN
  • ATRACK
  • AVCONSOL
  • AVP.EXE
  • AVP32
  • AVPCC.EXE
  • AVPM.EXE
  • AVSYNMGR
  • BLACKICE
  • CCAPP.EXE
  • CFINET
  • CFINET32
  • CLEANER
  • COMMAND
  • ESAFE.EXE
  • F-PROT
  • FP-WIN
  • FRW.EXE
  • F-STOPW
  • IAMAPP
  • IAMSERV.EXE
  • ICMON
  • IOMON98
  • LOCKDOWN2000
  • LOCKDOWNADVANCED
  • LUALL.EXE
  • LUCOMSERVER
  • MCAFEE
  • MSCONFIG
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • NAVWNT
  • NETSERVICES
  • NISSERV
  • NMAIN.EXE
  • NPROTECT
  • NSCHED32
  • NVC95
  • PCCIOMON
  • PCCMAIN
  • PCCWIN98
  • PCFWALLICON
  • POP3TRAP
  • PVIEW.EXE
  • RAVMOND
  • REGEDIT
  • RESCUE32
  • SAFEWEB
  • SCAN32
  • SPHINX.EXE
  • SYMPROXYSVC
  • SYSHELP
  • TASKMGR
  • TDS2-NT
  • VETTRAY
  • VSECOMR
  • VSHWIN32
  • VSMON.EXE
  • VSSTAT
  • WEBSCANX
  • WEBTRAP
  • WINDRIVER
  • WINGATE
  • WINHELP
  • WINRPC
  • ZAPRO.EXE
  • ZONEALARM

Other Details

This worm also checks for memory residency using the ATOM name "Afx0ldWndProc423". It also opens the following Web sites:

  • www.india<blocked>nakes.cjb.net
  • www.brai<blocked>ack.com
  • www.christin<blocked>guilera.com

If the current day of week is 1 (Monday), this worm sleeps for 5000 seconds and opens the default browser to www.catholi<blocked>injas.org/superfuntime/

This worm also creates the text file cyberwolf.txt in the Windows directory.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.529.12

Pattern release date: May 9, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_CYDOG.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware whenever a user opens files with EXE, PIF, COM, BAT, or HTA extensions. The following procedures should restore the registry to its original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
  5. In the right panel, locate the registry entry:
    Default
  6. Check whether its value is the path and filename of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%1"%*
  9. Close Registry Editor.
  10. Click Start>Run, then type:
    command /c del regedit.com
  11. Press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    CyberWolf = "%Windows%\CyberWolf.exe"
    Windows Kernel = "%System%\Kernel32.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon
  5. In the right panel, locate and delete the entry or entries:
    System = "%System%\Kernel32.exe"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_CYDOG.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
