W32/Cydog@mm, W32/Cyberwolf@mm, I-worm.cydog@mm
Cydog is a destructive, mass-mailing worm and an improved variant of Chowl, reported on 28 February 2003. It spreads through the popular peer-to-peer networks Kazaa, BearShare, eDonkey, Morpheus, Grokster and LimeWire, and through e-mail messages with varying subject lines, bodies and attachments, the attached file carrying a randomly chosen .EXE or .SCR extension.
The sample obtained was sent from Spain (GMT +1).
It terminates the processes of any antivirus, firewall and monitoring software installed on the infected system, deletes files with several extensions, changes mouse and keyboard settings, among other damage, and finally re-executes itself in memory in an endless loop until the system collapses.
It is a PE (Portable Executable) and infects Windows 95/98/NT/Me/2000/XP, including NT/2000/XP servers.
It is written in Visual Basic, is 34 KB in size and is compressed with the UPX (Ultimate Packer for eXecutables) utility.
Using the MAPI (Messaging Application Programming Interface) library functions, it mails itself to every address in the MS Outlook Address Book.
When the attached file is run, the worm tries to locate the Kazaa download folder from the DownloadDir value of the registry key:
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
It then creates the folder [DownloadDir]\Windows Security Haches
The DownloadDir value can vary; it holds the path where Kazaa stores downloaded files.
It also shares the newly created folder by adding the following values to the registry key:
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0" = "012345: [DownloadDir]\Windows Security Haches"
"DisableSharing" = 0
It then copies itself to several folders under the following names:
%System%\Cyberwolf.exe
%System%\Rundll32.exe
%System%\System\Explorer.exe
%System%\System\System.exe
%System%\Kernell32.exe
%System%\System32.exe
%System%\Systems.exe
%System%\Service.exe
%System%\Regedit32.exe
%System%\Windows.Scr
%System%\Ms-Dos.Com
%Temp%\Windows Media Player Plugin.exe
[DownloadDir]\Windows Security Haches\Visual Basic 6.0 Msdn Plugin.exe
[DownloadDir]\Windows Security Haches\Hotmail Hacker 2003-Xss Exploit.exe
[DownloadDir]\Windows Security Haches\Netbios Nuker 2003.exe
[DownloadDir]\Windows Security Haches\Winrar 3.Xx Password Cracker.exe
[DownloadDir]\Windows Security Haches\Microsoft Keygenerator-Allmost All Microsoft Stuff.exe
[DownloadDir]\Windows Security Haches\W32.Cyberwolf@Mm Fix.exe
[DownloadDir]\Windows Security Haches\Kazaa SDK + Xbit Speedup For 2.Xx.exe
[DownloadDir]\Windows Security Haches\Winzipped Visual C++ Tutorial.exe
[DownloadDir]\Windows Security Haches\Xnuker 2003 2.93b.exe
[DownloadDir]\Windows Security Haches\Edonkey2000-Speed Me Up Scotty.exe
[DownloadDir]\Windows Security Haches\Imesh SDK+Xbit Speed Up.exe
[DownloadDir]\Windows Security Haches\Popup Remover 9.25.exe
[DownloadDir]\Windows Security Haches\Credit Card Numbers Generator(Incl Visa,Mastercard,...).exe
[DownloadDir]\Windows Security Haches\EA Games Keygen For All Versions(Only EA).exe
[DownloadDir]\Windows Security Haches\Free Mem-Games-Speedup.exe
[DownloadDir]\Windows Security Haches\Security-2003-Update.exe
[DownloadDir]\Windows Security Haches\Stripping MP3 Dancer+Crack.exe
[DownloadDir]\Windows Security Haches\Crackologic(All Windows Apps).exe
[DownloadDir]\Windows Security Haches\The Cyberwolf-Joke.Scr
[DownloadDir]\Windows Security Haches\My Kiss For You.Scr
[DownloadDir]\Windows Security Haches\Windows Xp Exploit.exe
[DownloadDir]\Windows Security Haches\Cyberwolf-Patch.exe
C:\Archivos de programa\Edonkey2000\Incoming\Edonkey2000-Ad Remover.exe
C:\Archivos de programa\Edonkey2000\Incoming\Hotmail Hacker 2003-Xss Exploit.exe
C:\Archivos de programa\Edonkey2000\Incoming\Netbios Nuker 2003.exe
C:\Archivos de programa\Edonkey2000\Incoming\Winrar3.Xx Password Cracker.exe
C:\Archivos de programa\Edonkey2000\Incoming\EA Games Keygen For All Versions(Only EA).exe
C:\Archivos de programa\Bearshare\Shared\Hotmail Hacker 2003-Xss Exploit.exe
C:\Archivos de programa\Bearshare\Shared\Bearshare<Pro 4.3.1 Beta Version.exe
C:\Archivos de programa\Bearshare\Shared\Xnuker 2003 2.93b.exe
C:\Archivos de programa\Bearshare\Shared\Chaos Ip 2003-Xp Compitable.exe
C:\Archivos de programa\Bearshare\Shared\Netbios Nuker 2003.exe
C:\Archivos de programa\Grokster\My Grokster\Grokster Ad-Remover.exe
C:\Archivos de programa\Grokster\My Grokster\Stripping Mp3 Dancer+Crack.exe
C:\Archivos de programa\Grokster\My Grokster\Trojan Utility 5.6.exe
C:\Archivos de programa\Grokster\My Grokster\Winrar 3.Xx Password Cracker.exe
C:\Archivos de programa\Grokster\My Grokster\Netscan 1.6.exe
C:\Archivos de programa\Grokster\My Grokster\Xss Security Exploit-Hotmail.exe
C:\Archivos de programa\Morpheus\My Shared Folder\Morpheus-Gold.exe
C:\Archivos de programa\Morpheus\My Shared Folder\Webseek-Mp3.exe
C:\Archivos de programa\Morpheus\My Shared Folder\Chaos Ip.exe
C:\Archivos de programa\Morpheus\My Shared Folder\Netbios Exploiter Xp.exe
C:\Archivos de programa\Limewire\Shared\Credit Card Generator
C:\Archivos de programa\Limewire\Shared\Crackologic(All Windows Apps).exe
C:\Archivos de programa\Limewire\Shared\Lunix-Download.exe
%System% stands for C:\Windows\System on Windows 95/98/Me, C:\Winnt\System32 on Windows NT/2000 and C:\Windows\System32 on Windows XP. C:\Archivos de programa is the Program Files folder on a Spanish-language Windows installation.
To run again at the next system start-up, it adds the following values to the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf" = "CyberWolf.exe"
"Windows Systems Service" = "%System%\Kernell32.exe"
"Windows Kernell" = "%System%\Dllhost.exe"
"Dllhost" = "%System%\msiexec.exe"
"Windows Installer Service" = "%System%\CyberWolf.exe"
It then creates the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\CyberWolf]
"CyberWolf" = "You are Biten"
It then deletes all files found in the following paths:
Likewise, it deletes all files with the extensions .exe, .dll, .ocx and .ini.
Using WMI (Windows Management Instrumentation), it attempts to terminate the processes of the following antivirus, firewall, parental-control or monitoring programs, where installed:
It displays a dialog box with the following message:

Using the MAPI (Messaging Application Programming Interface) library functions, it mails itself to every address in the MS Outlook Address Book, using several message formats whose subject, body and attachment are chosen at random:
Format 1
Subject: EA and EIDOS Presents...
Body:
Dear client
Some information about our long-awaited product: CyberWolf
CyberWolf is the newest product of Electronic Arts and Eidos Interactive!
Its a complete new technology which actualy speeds up you're processor time needed to play game of EA and EIDOS
Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the other games produced by these companies!
The technology behind these new product is something that clear's excisting ram when playing this game--->Results:
The speed and graphical abilities are increased by 35%,so loading a new game wile go 35% faster!So more gameplay,less waiting and looking at that um screen!
But it will take sometime for EA and EIDOS to alert all peoples who has EA and EIDOS games,but...
They decided to mail the CyberWolf-Patch to users who have games from EA and EIDOS and to people who visited the website within the past 18 months!
also they decided to mail this patch to workers in companies and to other people who are using the internet regulary
If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then just install the attachment,restart you're pc and start playing games or...
wait until you buy a EA or EIDOS game,and enjoy it then!the choice is yours!
Before i forget:This patch seems to work on other games as well,it speeds up those games by 15-30% depending on the game!
----------------------------------------------
This email is provided to you by PacketStorm,please enjoy our services
This product may NOT be soled or copied!It may only be used by the intended recipient and this only for the purpose for which it has been sent
If you are not the intended recipient,then please contact EA or EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this e-mail and attachement
We believe and warrant that this e-mail and any attachments, are virus free,we take full responsibility about this attachment
CyberWolf
For more information please contact us at EE-CyberWolf.patch@EA-EIDOS.com or suft to www.EA.com/project\cyberwolf.htm and ww.eidos.com\cyberwolf.asp
E-mail provided to you by Elena (Elena@EA-EIDOS.com)l
Attachment: CyberWolf-Patch.exe
Format 2
Subject: PacketStorm:WINDOWS Xp has several exploits
Body:
According to the redaction of PacketStorm
Windows Xp has several exploits which could not be removed because
if the do want to delete it then they should rewrite Kernell!
but this would mean rewriting everything Micrsoft had build up over the last years'
Bill Gates from microsoft reported that there is no exploit at all!,it was just a joke from a hacker
attending to scar off windows XP users
However the word goes around that allready several users and admins have been hacked by an mysterious hacker
nicknamed 'The CyberWolf'
if you want more information about this exploit and the exploit itself,then open the included e-mail
do not forget to vote for PacktStorm when running the attachment,Enjoy the rest of our services
This email is provided to you by PacketStorm,please enjoy our services
Attachment: Windows Xp Exploit.exe
Format 3
Subject: A Virtual joke...the funniest around!
Body:
hi
have you heard about the CyberWolf-Joke?
its soooo funny you 'll laugh yourself a bunch when you see and hear the joke
haha those little bastards on your screen are soooo funny:D:D
just download and open the attached screensaver (The CyberWolf-Joke.scr = this is actually the joke) and look at it
funny hu!!!
after you have run the joke click ctrl+shift+p to see who made it.
I hope you have fun with it
greeetttzzz
***************************************************
This e-mail is presented to you by Joking-Soft,a division of MicroSoft.
If you have any problems with this e-mail or attachment then please contact us.
We take full responsability for this e-mail and attachements.
They are virusfree and are property of Joking-Soft
Please do not Sell or Distribute these atachments.
I thank you
Attachment: The CyberWolf-Joke.scr
Format 4
Subject: A kiss from me to you...
Body:
Dear User
Someone has dropped a kiss in you're mailbox!
Check-Out the attached Kiss from the anonymous person,probably a secret lover or a very good friend
After you have been kissed please visit www.internetkiss.com and send this kiss to all the person who you adore or just like
You are Nr.315723625 who has received this Internet-Kiss.
This Internet-Kiss-Letter is started on 13/01/1997 and hopes to continue until 13/01/2007.
Attachment: My Kiss for you.scr
Once the messages have been sent, the worm creates a registry key that serves as a marker:
[HKEY_CURRENT_USER\Software\Mail-The-Bastards]
"CyberWolf" = "They are emailed"
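The start-up values, the Kazaa share entry and the two marker keys described above can be checked offline against a .reg export of HKEY_CURRENT_USER. The script below is an added example, not part of the advisory; the key and value names come from the advisory, while the export text it carries is a constructed sample.

```python
# Added example (not from the advisory): checks a .reg export for the registry
# artifacts the advisory attributes to Cydog. SAMPLE_REG is a constructed sample.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"CyberWolf", "Windows Systems Service", "Windows Kernell",
              "Dllhost", "Windows Installer Service"}
MARKER_KEYS = {r"HKEY_CURRENT_USER\Software\Microsoft\CyberWolf",
               r"HKEY_CURRENT_USER\Software\Mail-The-Bastards"}
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
SHARE_FOLDER = "windows security haches"   # compared case-insensitively


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; data kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


def find_cydog_indicators(reg_text):
    """Return human-readable hits for the worm's Run values, markers and Kazaa share."""
    keys = parse_reg(reg_text)
    hits = []
    run_values = keys.get(RUN_KEY, {})
    for name in sorted(RUN_VALUES & set(run_values)):
        hits.append(f"Run value '{name}' = {run_values[name]}")
    for key in sorted(MARKER_KEYS & set(keys)):
        hits.append(f"marker key {key}")
    if SHARE_FOLDER in keys.get(KAZAA_KEY, {}).get("Dir0", "").lower():
        hits.append("Kazaa Dir0 shares the worm's drop folder")
    return hits


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="CyberWolf.exe"
"Windows Kernell"="C:\\Windows\\System32\\Dllhost.exe"
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\CyberWolf]
"CyberWolf"="You are Biten"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\Kazaa\\My Shared Folder\\Windows Security Haches"
"DisableSharing"=dword:00000000
'''

if __name__ == "__main__":
    for hit in find_cydog_indicators(SAMPLE_REG):
        print(hit)
```

Run it against a real export with `python script.py` after replacing SAMPLE_REG, or import find_cydog_indicators and pass the export text; the benign ctfmon.exe entry in the sample is deliberately not reported.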
Its payloads are the following:
PER ANTIVIRUS® version 7.9 with virus definitions dated 28 February 2003 detects and removes this worm effectively.
Note: there is a 6-hour difference between Peru (GMT -5) and Spain (GMT +1).