Description
Win32.HLLM.Cyclone.3 is a mass-mailing worm which affects computers running under the Windows 95/98/Me/NT/2000/XP operating systems. It is written in the high-level programming language MS Visual Basic and is packed with the PeTite compression utility.
The size of the worm's packed program module is 18,696 bytes.
The worm spreads via e-mail using its own SMTP engine. It can also spread through KaZaA.
The worm overwrites the hosts file, thus blocking the infected computer's user from accessing the web-sites of antivirus vendors.
Launching
To secure its automatic execution at every Windows startup the worm adds the value
"Monitoring Service"="%WinDir%\Tasks\svchost.exe"
to the registry entries
Spreading
The worm spreads via e-mail, using its own SMTP engine. It harvests addresses for dissemination from files with .mbx, .wab, .html, .eml, .htm, .asp, .shtml, .txt and .dbx extensions that it finds in the following folders:
%Internet Cache%
%My Documents%
%Application Data%\microsoft\address book\
%Application Data%\Mozilla\Profiles\default\
%Application Data%\Identities\
The mail message infected with the worm may look as follows.
Subject:
How cute is your credit card number!! :))
E-mail account disabling warning for %s
RE: %s
i have your password :)
RE: Thank You!
RE: details (%s)
Password Reset For %s
Undelivered Mail Returned to Sender (%s)
about you
Your account (%s) will be closed
Your IP has been logged
Mail Delivery System (%s)
Mail Transaction Failed (%s)
IMPORTANT %s!
Confidential user information!
Attachment:
document information.scr
hello.exe
hello.scr
text.txt.exe
untitled.exe
secret!!.exe
unknown1.exe
CoolText.exe
EULA-USA.exe
secret!!
password
readmeUS
hello***txt
The attachment extension can be .bat, .exe, .pif or .scr.
KaZaA propagation
The worm queries the registry key HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent "DownloadDir"
for the KaZaA shared folder and copies itself there under the following names:
Playboy Screensaver Dec 2003.scr
Strip Girls-part%*.scr
Sky lopez - Screensaver.scr
Winamp5.01.exe
where * is a random digit.
Action
In order to avoid repeated infections, the worm creates a mutex "%s!!!Bugs-Fixed!", where %s is the computer name. It copies itself as svchost.exe to the Windows\Tasks folder.
One more copy, WebCheck.pif, the worm drops to the Startup folder in Documents and Settings.
Several more files are placed in the Windows\System32 folder:
01CHECK.DLL
01EML.DLL
01ENEL.DLL
01SEML.DLL
01URL.DLL
01VIS.DLL
The worm searches for the file eula.txt, copies it to %temp%\doc and displays it with Notepad.
The worm overwrites the hosts file (in Windows NT/2000/XP it is %SysDir%\drivers\etc\hosts), thus blocking access to the antivirus vendors' web-sites:
www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
microsoft.com
www.microsoft.com
support.microsoft.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
The worm creates the file Cyclone.v0.00002.htm in the Windows folder. The file contains the following text:
We need freedom in iran We don't want islamic republic
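The hosts-file overwrite described above is the part of this worm that an administrator can verify and undo by hand. The following script is an added example and is not code from the original description or from any antivirus vendor: it parses hosts-file text, reports any line that pins one of the vendor and update domains listed on this page to an address (a workstation hosts file has no legitimate reason to contain them at all, so every such mapping is reported, and loopback or 0.0.0.0 targets are labelled as sinkholes), and produces a cleaned copy with those lines removed. The sample hosts content is constructed for the demonstration; the worm's actual target address is not stated on the page, so the checker does not depend on it.

```python
import ipaddress

# Vendor and update domains the advisory says the worm pins in the hosts file.
BLOCKED_VENDOR_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.avp.com",
    "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "microsoft.com", "www.microsoft.com", "support.microsoft.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.trendmicro.com",
}

# Constructed sample: a hosts file after a hijack of the kind the page describes.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1 localhost",
    "127.0.0.1 www.symantec.com",
    "127.0.0.1 liveupdate.symantec.com   # appended by the worm",
    "0.0.0.0 sophos.com",
    "10.0.0.5 intranet.example.test",
]) + "\n"


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping line.

    Comments and blank lines are skipped; a line whose first field is not
    an IP address is ignored rather than treated as a mapping.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def find_hijacked_entries(text, watchlist=BLOCKED_VENDOR_DOMAINS):
    """Return (line_no, ip, hostname, kind) for each watched domain found.

    kind is 'sinkhole' when the target is loopback or unspecified (0.0.0.0),
    which silently breaks signature updates; anything else is 'redirect'.
    """
    hits = []
    for line_no, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if host in watchlist:
                kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "redirect"
                hits.append((line_no, str(ip), host, kind))
    return hits


def strip_hijacked_lines(text, watchlist=BLOCKED_VENDOR_DOMAINS):
    """Return the hosts text with every line that pins a watched domain removed."""
    bad_lines = {hit[0] for hit in find_hijacked_entries(text, watchlist)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, host, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
    print("--- cleaned ---")
    print(strip_hijacked_lines(SAMPLE_HOSTS), end="")
```

On a real system the text would be read from %SysDir%\drivers\etc\hosts (the path the page gives for Windows NT/2000/XP); the cleaned copy should be written back only after the worm's autorun value and dropped files have been removed, otherwise the next run restores the hijack.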