
| Field | Value |
|---|---|
| Aliases | W32/Kickin, WORM_CYDOG.C, I-Worm.Cydog.c |
| Typical symptoms | Changes registry, sends e-mail, creates files, shuts down processes, changes home page address |
| Discovered | [Korea] 0000-00-00 [Foreign] 2003-05-01 |
| Type | I-Worm |
| Active field | Win32 |
| Destroy/Distribution | (rating icons not preserved) |
| Origin | Others |
| Encryption | No |
| Location | None |
| Memory residence | No |
| Scan engine needed | 2003-05-12 (able to detect & repair) |
I-Worm.Win32.Kickin.249856, found on 1 May 2003, propagates through several paths, including e-mail, P2P file sharing and IRC.

[File placed by the worm]

1. Upon execution, the worm places copies of itself in the following locations:
- (Windows folder)\CyberWolf.exe
- (System folder)\Kernel32.exe
- (System folder)\Api Hooking-Tutorial.exe
- (System folder)\Q30215HOTFIX.pif
- (System folder)\FixSql.com
- (System folder)\Hotmail Hacker.exe
- (System folder)\Last Summer.scr
- (System folder)\Magical-Screensaver.scr
- (System folder)\Love.scr
- (System folder)\OutWar Demo.exe
- (System folder)\Soccer Database.exe
- (System folder)\Christina Aguilera-The most beautiful girl on earth.scr
- (System folder)\Saddam-the real pics.scr
- (System folder)\Virtual Joke.scr
- (System folder)\Setup.exe
- (System folder)\MsnMsgs.exe
- (System folder)\SARS-Guide.scr
- (System folder)\format.com
- (System folder)\mapi32.drv

2. The worm adds the following registry entries so that it runs at every Windows startup and whenever an .EXE file is executed:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Name: CyberWolf
  Data: (Windows folder)\CyberWolf.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Name: Windows Kernel
  Data: (System folder)\Kernel32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  Name: System
  Data: (System folder)\Kernel32.exe
- HKEY_CLASSES_ROOT\exefile\shell\open\command
  Name: (Default)
  Data: (System folder)\Kernel32.exe "%1" %*

How it spreads

* Propagation via e-mail

To spread via e-mail, the worm gathers addresses from the following sources:
- .NET Messenger
- MSN Messenger
- Yahoo Messenger
- ICQ address book
- Windows address book
- Files whose extension contains HT (HTM or HTML files) or ML (EML files)

To send the messages, the worm uses the SMTP server configured on the infected system or a randomly selected SMTP server. The mail formats are shown below:

[Type 1]
Sender: SecurityResponse@symantec.com
Subject: Warning from Symantec.com
File attachment: FixSql.com

[Type 2]
Sender: Lovergirl963@hotmail.com
Subject: Do you remember last summer?
File attachment: Last Summer.scr

[Type 3]
Sender: Lovergirl@yahoo.com
Subject: Fwd:Fwd:Fwd:Watch out for SARS!
File attachment: SARS-Guide.scr

[Type 4]
Sender: Webmaster@planet-source-code.com
Subject: Api Hooking Tutorial...
File attachment: Api Hooking-Tutorial.exe

[Type 5]
Sender: Support@microsoft.com
File attachment: Q30215HOTFIX.pif

[Type 6]
Sender: Lovergirl33@hotmail.com
Subject: Fwd:Fwd:Fwd:Sit back and be surprised...
File attachment: Magical-Screensaver.scr

[Type 7]
Sender: Webmaster@Loinveforlife.com
Subject: Feel the reason why we fall in love...
File attachment: Love.scr

[Type 8]
Subject: The Virtual Joke...
File attachment: Virtual Joke.scr

[Type 9]
Sender: flipbabe@hotmail.com
Subject: Fwd:Fwd:Whats really happening in bagdad
File attachment: Saddam-the real pics.scr

[Type 10]
Sender: mailinglist@Msn.com
Subject: Get the new Msn 5.1!
File attachment: MsnMsgs.exe

[Type 11]
Sender: Webmaster@Outwar.com
Subject: Outwar is proud to present you:Outwar InterActive
File attachment: OutWar Demo.exe

[Type 12]
Sender: Soccerfan@yahoo.com
Subject: Fwd:Fwd:Fwd:Soccer...
File attachment: Soccer Database.exe

[Type 13]
Sender: Webmaster@beautifulgirls
File attachment: Christina Aguilera-The most beautiful girl on earth.scr

[Type 14]
Sender: webmaster@screensavers.com
Subject: Saddam alive and kickin'
File attachment: Saddam-the real pics.scr

[Type 15]
Sender: nice_girl21@hotmail.com
Subject: Fwd:How to protect yourself against SARS
File attachment: SARS-Guide.scr

All attachments are 249,856 bytes.

* Propagation via P2P

The worm creates multiple copies of itself under random names in the victim computer's P2P file-sharing folder (if the directory exists), which makes the copies available to all other users of the network.

File names created in the Kazaa sharing folder:
- Chaos Ip Spoof 2003.exe
- Netbios hacker.exe
- Msn Messenger Remote Password Cracker.exe
- Ultimate HackProg.exe
- XNuker 2003.exe
- Hotmail Exploiter 2003.exe

File names created in the eDonkey2000 sharing folder:
- Chaos Ip Spoof 2003.exe
- Msn Messenger Remote Password Cracker.exe
- Netbios hacker.exe
- WebAttack-Dos Tool.exe
- Yahoo Remote Password Cracker Deluxe 2003.exe

These are all the same worm file under different names.

Infection symptoms

1. The worm terminates the following processes: ALERTSVC, AMON.EXE, ANTI-TROJAN, ATRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, BLACKICE, CCAPP.EXE, CFINET, CFINET32, CLEANER, COMMAND, ESAFE.EXE, F-PROT, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL.EXE, LUCOMSERVER, MCAFEE, MSCONFIG, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NETSERVICES, NISSERV, NMAIN.EXE, NPROTECT, NSCHED32, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW.EXE, RAVMOND, REGEDIT, RESCUE32, SAFEWEB, SCAN32, SPHINX.EXE, SYMPROXYSVC, SYSHELP, TASKMGR, TDS2-NT, VETTRAY, VSECOMR, VSHWIN32, VSMON.EXE, VSSTAT, WEBSCANX, WEBTRAP, WINDRIVER, WINGATE, WINHELP, WINRPC, ZAPRO.EXE, ZONEALARM.
   * Most of these are processes of security programs (some of them have also been targeted by other worms).
2. The worm drops "cyberwolf.txt" into the Windows folder.
3. The worm attempts to connect to the following URLs:
- www.india-------kes.cjb.net
- www.brai------ck.com
- www.christ-------guilera.com
4. Every Monday, the worm attempts to change the browser's home page to the following site:
- www.catholi-------as.org/superfuntime/
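The registry entries described above are the worm's persistence, and the exefile open-command change is the one that survives a simple Run-key cleanup. The following added example (not part of the original advisory) scans a `.reg` export for those entries; the export text, the `C:\WINDOWS` paths and the benign `VendorTray` entry are constructed for the example.

```python
import re

# Constructed .reg export (not captured from a real host): the persistence
# entries described above plus one benign Run entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windows Kernel"="C:\\WINDOWS\\System32\\Kernel32.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\Kernel32.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\Kernel32.exe \"%1\" %*"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WORM_BASENAMES = {"cyberwolf.exe", "kernel32.exe"}  # the real kernel32 is a DLL, never an .exe
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # stock (Default) value before any hijack
# Matches "name"="data" or @="data"; data may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ -> \ and \" -> "

def parse_reg(text):
    """Return (key, value name, data) for every string value in a .reg export."""
    key, out = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            out.append((key, name, _unescape(m.group(3))))
    return out

def find_kickin_persistence(text):
    """Flag the autostart entries this worm writes and any exefile open-command hijack."""
    findings = []
    for key, name, data in parse_reg(text):
        k, basename = key.lower(), data.split("\\")[-1].lower()
        if k == RUN_KEY.lower() and basename in WORM_BASENAMES:
            findings.append((key, name, "worm autostart entry: " + data))
        elif k == WINLOGON_KEY.lower() and name.lower() == "system" and data:
            findings.append((key, name, "Winlogon System value runs an executable: " + data))
        elif k == EXEFILE_KEY.lower() and name == "(Default)" and data != CLEAN_EXEFILE_COMMAND:
            findings.append((key, name, "exefile open command hijacked: " + data))
    return findings
```

Restoring the exefile command to `"%1" %*` before deleting Kernel32.exe matters: removing the file first leaves every .EXE launch pointing at a missing handler.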
How to repair

Download the ViRobot definitions file of May 12, 2003 or later to detect and repair (the worm's files are removed).