Home / malwarePDF  

Win32.Cydog.C@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Cydog.C@mm is also known as Win32/Kickin.A@mm, /, I-Worm.Cydog.c, /, W32.HLLW.Kickin.A@mm, /, WORM_CYDOG.C, /, Win32.HLLM.Cydog.

Explanation :

Win32.Cydog.C@mm is a mass-mailer that can spread through e-mail, kazaa and some other peer-to-peer programs and Mirc.
It has its own SMTP engine and it will use the default smtp server found in registry as well as hardcoded values to send e-mails with itself as attachment.

Once executed, the worm does the following:
Creates a mutex called "W32.Hllw.Cydog.D@mm by CyberWolf" and also the events "Die by Technology" and "CyberWolf".
Creates the aforementioned files and registry keys, with the "hidden" attribute set.
It stays resident in memory, thus it will terminate when attempting to execute all processes named :
"Norton AntiVirus"
"LiveUpdate"
"System Configuration Utility"
"Process Viewer"
"Registry-Editor"
"Windows Task Manager"
and will not allow execution of exe files whose name contain:
NETSERVICES
COMMAND
SYSHELP
RAVMOND
WINRPC
WINHELP
WINGATE
NPROTECT
CLEANER
WINDRIVER
TASKMGR
MSCONFIG
REGEDIT
ANTI-TROJAN
BLACKICE
ZONEALARM
LOCKDOWNADVANCED
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT
F-STOPW
IAMSERV.EXE
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
VSMON.EXE
SYMPROXYSVC
RESCUE32
NISSERV
VSECOMR
VETTRAY
TDS2-NT
CCAPP.EXE
SCAN32
PCFWALLICON
NSCHED32
SPHINX.EXE
FRW.EXE
MCAFEE
ATRACK
PVIEW.EXE
LUCOMSERVER
LUALL.EXE
NMAIN.EXE
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
ESAFE.EXE
AVPM.EXE
AVPCC.EXE
AMON.EXE
ALERTSVC
ZAPRO.EXE
AVP32
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
ICMON
SAFEWEB
WEBSCANX
IAMAP

It harvests e-mails by searching for files that match "*.*ht*" and "*.*ml*" in the default wab file, Internet Explorer cache, also by following the registry keys:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
[HKEY_LOCAL_MACHINESoftwareMicrosoftMessenger ServiceListCacheMSN Messenger Service]
[HKEY_LOCAL_MACHINESoftwareMicrosoftMessenger ServiceListCache.NET Messenger Service]
[HKEY_LOCAL_MACHINESoftwareYahooPagerprofiles\%version%IMVironmentsRecent]
[HKEY_LOCAL_MACHINESoftwareYahooPagerprofiles]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWABWAB4Wab File Name]
[HKEY_LOCAL_MACHINESoftwareMirabilisICQDefaultPrefs]

It will attempt to place copies of itself under the next names:

Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
WebAttack-DoS Tool.exe
FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
Yahoo Remote Password Cracker Deluxe 2003.exe
AIM Remote Password Cracker.exe
Hotmail Exploiter 2003.exe
XNuker 2003.exe
Ultimate HackProg.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Chaos Ip Spoof 2003.exe

in the download folder of Kazaa, and in the next folders:

C:Program FilesMorpheusMy Shared Folder
C:Program FilesBearshareShared
C:Program FilesEdonkey2000Incoming

Mirc spreading: it drops script.ini file in Mirc folder and attemtps to send Magical-Screensaver.scr to all users in the current channel. It finds Mirc folder by following the registry key

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstallmIRC]

It has a payload, triggered on Monday on Wednesdays, by dropping two text files, "CyberWolf.txt" and "Windows.l0g" in Windows folder, containing messages from the author of the worm and if the day of the month is 30 it attempts to open 999,999 instances of Internet Explorer.

After each infection, the internet worm will send the next e-mail to some AV companies:
Subject:
Hi,i'm 100% sure i'm infected!

Body:
mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you'll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number...
and will attempt to open several internet pages in the default internet browser.
The infected e-mails look like this (bodies of the e-mails are not shown):

From: "Lovergirl@yahoo.com"
Subject: "Fwd:Fwd:Fwd:Watch out for SARS!"
Attachment: "SARS-Guide.scr"
-------------------------------------------------
From: "Webmaster@planet-source-code.com"
Subject: "Api Hooking Tutorial..."
Attachment: "Api Hooking-Tutorial.exe"
-------------------------------------------------
From: "Support@microsoft.com"
Subject: "Windows Hotfix!"
Attachment "Q30215HOTFIX.pif"
-------------------------------------------------
From: "SecurityResponse@symantec.com"
Subject: "Warning from Symantec.com"
Attachment: "FixSql.com"
-------------------------------------------------
From: "Admin@hackers.com"
Subject: "u wanted to hack?"
Attachment: "Hotmail Hacker.exe"
-------------------------------------------------
From: "Lovergirl963@hotmail.com"
Subject: "Do you remember last summer?"
Attachment: "Last Summer.scr"
-------------------------------------------------
From: "Lovergirl33@hotmail.com"
Subject: "Fwd:Fwd:Fwd:Sit back and be surprised..."
Attachment: "Magical-Screensaver.scr"
-------------------------------------------------
From: "Admin@screensavers.com"
Subject: "The Magical screensaver"
Attchment: "Magical-Screensaver.scr"
-------------------------------------------------
From: "Webmaster@Loveforlife.com"
Subject: "Feel the reason why we fall in love..."
Attachment: "Love.scr"
-------------------------------------------------
From: "Webmaster@Outwar.com"
Subject: "Outwar is proud to present you:Outwar InterActive"
Attachment: "OutWar Demo.exe"
-------------------------------------------------
From: "Soccerfan@yahoo.com"
Subject: "Fwd:Fwd:Fwd:Soccer..."
Attachment: "Soccer Database.exe"
-------------------------------------------------
From: "Webmaster@beautifulgirls"
Subject: "Christina Aguilera:The most beautiful girl on earth"
Attachment: "Christina Aguilera-The most beautiful girl on earth.scr"
-------------------------------------------------
From: "webmaster@screensavers.com"
Subject: "Saddam alive and kickin'"
Attachment: "Saddam-the real pics.scr"
-------------------------------------------------
From: "Admin@jokes.com"
Subject: "The Virtual Joke..."
Attachment: "Virtual Joke.scr"
-------------------------------------------------
From: "flipbabe@hotmail.com"
Subject: "Fwd:Fwd:Whats really happening in bagdad"
Attachment: "Saddam-the real pics.scr"
-------------------------------------------------
From: "mailinglist@Msn.com"
Subject: "Get the new Msn 5.1!"
Attachment: "MsnMsgs.exe"
-------------------------------------------------
From: "nice_girl21@hotmail.com"
Subject: "Fwd:How to protect yourself against SARS"
Attachemnt: "SARS-Guide.scr"

Last update 21 November 2011

 

TOP