Win32.HLLM.Cyclone.3

(Email-Worm.Win32.Cone.b, W32.Cone.C@mm, W32/Cone.c@MM, System error, Win32.Cone.C@mm, Win32.Worm.Cone.b, Win32/Cone.C@mm, Parser error, I-Worm/Cone.B, WORM_CONE.C, Win32/Conec.C!Worm)

Added to the Dr.Web virus database: 2005-04-22

Virus description added:

Description

Win32.HLLM.Cyclone.3 is a mass-mailing worm which affects computers running Windows 95/98/Me/NT/2000/XP. It is written in the high-level language MS Visual Basic and is packed with the PeTite compression utility.
The size of the packed program module of the worm is 18,696 bytes.
The worm spreads via e-mail using its own SMTP engine. It can also spread through KaZaA.
The worm overwrites the hosts file, thus blocking access from the infected computer to the web-sites of antivirus vendors.

Launching

To secure its automatic execution at every Windows startup, the worm adds the value
"Monitoring Service"="%WinDir%\Tasks\svchost.exe"
to the registry keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
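
The persistence value above is a useful triage indicator because the genuine svchost.exe lives only in %WinDir%\System32 (or SysWOW64), never in the Tasks folder. The following check is an added example, not Dr.Web's code or the worm's: it walks the two Run keys named above and flags any autorun whose image uses a well-known system-binary name from outside the system directory. The registry contents and environment are constructed inline so it runs offline; on a live Windows host you would feed it the output of a winreg read and os.environ instead.

```python
import ntpath
import re

# The two Run keys named in the description above.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# System binaries that legitimately live only in %WinDir%\System32 (or SysWOW64).
# A file with one of these names anywhere else is worth a second look.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed stand-in for a live registry read (e.g. via winreg on Windows).
# The "Monitoring Service" value is the one the description reports; the other
# two entries are ordinary, benign autoruns made up for this example.
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: {
        "Monitoring Service": r"%WinDir%\Tasks\svchost.exe",
        "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    RUN_KEYS[1]: {
        "SecurityHealth": r"%WinDir%\system32\SecurityHealthSystray.exe",
    },
}

# Constructed environment; on a real host you would pull these from os.environ.
SAMPLE_ENV = {"WinDir": r"C:\WINDOWS", "SystemRoot": r"C:\WINDOWS"}


def expand_windows_vars(value, env):
    """Expand %NAME% references case-insensitively, leaving unknown names untouched."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), value)


def image_path(command_line):
    """Return the executable path at the front of a Run-key command line.

    A quoted path is taken verbatim; otherwise tokens are joined until one
    ends in an executable extension, so unquoted paths with spaces survive.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith((".exe", ".scr", ".pif", ".bat", ".com")):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def in_system_dir(path, env):
    """True if the file's directory is %WinDir%\\System32 or %WinDir%\\SysWOW64."""
    windir = expand_windows_vars("%WinDir%", env)
    system_dirs = {
        ntpath.normcase(ntpath.join(windir, "System32")),
        ntpath.normcase(ntpath.join(windir, "SysWOW64")),
    }
    return ntpath.normcase(ntpath.dirname(path)) in system_dirs


def find_masqueraded_autoruns(run_values, env):
    """Return (key, value name, expanded image path) for every autorun whose
    image has a system-binary file name but sits outside the system directory."""
    findings = []
    for key, values in run_values.items():
        for name, command_line in values.items():
            image = expand_windows_vars(image_path(command_line), env)
            if ntpath.basename(image).lower() in SYSTEM_BINARY_NAMES and not in_system_dir(image, env):
                findings.append((key, name, image))
    return findings


if __name__ == "__main__":
    for key, name, image in find_masqueraded_autoruns(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print(f"suspicious autorun: {key}\\{name} -> {image}")
```

Against the constructed data the only hit is HKCU\...\Run\Monitoring Service resolving to C:\WINDOWS\Tasks\svchost.exe; the two benign entries pass because their file names are not on the system-binary list. Expanding %WinDir% before comparing matters: the same path can appear literally or via the variable, and a check that only matched the literal string would miss one form.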

Spreading

The worm spreads via e-mail, using its own SMTP engine. It harvests addresses for dissemination from files with .mbx, .wab, .html, .eml, .htm, .asp, .shtml, .txt and .dbx extensions that it finds in the following folders:

            %Internet Cache%
            %My Documents%
            %Application Data%\microsoft\address book\
            %Application Data%\Mozilla\Profiles\default\
            %Application Data%\Identities\
            
                    
The mail message infected with the worm may look as follows.

Subject:

  How cute is your credit card number!! :)) 
  E-mail account disabling warning for %s 
  RE: %s 
  i have your password :) 
  RE: Thank You! 
  RE: details (%s) 
  Password Reset For %s 
  Undelivered Mail Returned to Sender (%s) 
  about you 
  Your account (%s) will be closed 
  Your IP has been logged 
  Mail Delivery System (%s) 
  Mail Transaction Failed (%s) 
  IMPORTANT %s! 
  Confidential user information! 
  
         
Attachment:
  document
  information.scr 
  hello.exe 
  hello.scr 
  text.txt.exe 
  untitled.exe 
  secret!!.exe 
  unknown1.exe 
  CoolText.exe 
  EULA-USA.exe 
  secret!!
  password
   readmeUS
  hello***txt
         
The attachment extension can be .bat, .exe, .pif or .scr.

KaZaA propagation
The worm reads the registry value "DownloadDir" under the key HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent
to locate the KaZaA shared folder and copies itself there under the following names:

  
         Playboy Screensaver Dec 2003.scr 
         Strip Girls-part%*.scr 
         Sky lopez - Screensaver.scr 
         Winamp5.01.exe
            
where * is a random digit.

Action

In order to avoid repeated infections, the worm creates a mutex "%s!!!Bugs-Fixed!", where %s is the computer name. It copies itself as svchost.exe to the Windows\Tasks folder.

The worm drops one more copy, WebCheck.pif, to the Startup folder in Documents and Settings.

Several more files are placed in the Windows\System32 folder:

  01CHECK.DLL 
  01EML.DLL 
  01ENEL.DLL 
  01SEML.DLL 
  01URL.DLL 
  01VIS.DLL 
  
The worm searches for the file eula.txt, copies it to %temp%\doc and displays it with Notepad.

The worm overwrites the hosts file (in Windows NT/2000/XP it is %SysDir%\drivers\etc\hosts), thus blocking access to antivirus vendors' web-sites:

         www.symantec.com 
         securityresponse.symantec.com 
         symantec.com 
         www.sophos.com 
         sophos.com 
         www.mcafee.com 
         mcafee.com 
         liveupdate.symantecliveupdate.com 
         www.viruslist.com 
         viruslist.com 
         f-secure.com 
         www.f-secure.com 
         kaspersky.com 
         www.avp.com 
         www.kaspersky.com 
         avp.com 
         www.networkassociates.com 
         networkassociates.com 
         www.ca.com 
         ca.com 
         mast.mcafee.com 
         my-etrust.com 
         www.my-etrust.com 
         download.mcafee.com 
         dispatch.mcafee.com 
         secure.nai.com 
         nai.com 
         www.nai.com 
         microsoft.com 
         www.microsoft.com 
         support.microsoft.com 
         update.symantec.com 
         updates.symantec.com 
         us.mcafee.com 
         liveupdate.symantec.com 
         customer.symantec.com 
         rads.mcafee.com 
         trendmicro.com 
         www.trendmicro.com 
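
Because the hosts file is consulted before DNS, pinning these names to any address silences updates and vendor lookups without touching the network stack, which is why a hosts-file diff is one of the first things to check on a box that suddenly cannot reach its AV vendor. The checker below is an added example, not part of the Dr.Web description: it parses hosts-file text the way the resolver does (comments stripped, several names per line allowed, malformed lines skipped) and reports any entry whose registrable domain is on the vendor list above. The sample hosts content is constructed; the description does not say which address the worm uses, so 127.0.0.1 in the sample is an assumption for illustration only.

```python
import ipaddress

# Second-level domains of the vendor sites the description lists as blocked.
# The list is the page's; the checker around it is an added example.
BLOCKED_VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "microsoft.com", "trendmicro.com",
}

# Constructed hosts-file content. The redirect address is an assumption: the
# description does not state where the worm points the names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com   # constructed worm entries
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.microsoft.com
192.168.0.10    intranet.example.test
not-an-ip       garbage.example.test
"""


def base_domain(host):
    """Approximate the registrable domain as the last two labels of the name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; a real tool would log it rather than drop it silently
        entries.extend((ip, host.lower()) for host in fields[1:])
    return entries


def find_vendor_overrides(text, watchlist=BLOCKED_VENDOR_DOMAINS):
    """Return every hosts entry that pins a watched vendor domain, or any of
    its subdomains, to an address. Legitimate hosts files almost never contain
    these names, so a hit is suspicious whatever address it points to."""
    return [(ip, host) for ip, host in parse_hosts(text) if base_domain(host) in watchlist]


def check_hosts_file(path):
    """Read a hosts file from disk and report overrides (for use on a live host)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_vendor_overrides(fh.read())


if __name__ == "__main__":
    for ip, host in find_vendor_overrides(SAMPLE_HOSTS):
        print(f"vendor domain pinned in hosts: {host} -> {ip}")
```

Matching on the registrable domain rather than on the exact names listed above catches any additional subdomain a variant might add; the trade-off is that the two-label approximation misclassifies names under country-code second-level registries (for example co.uk), which is acceptable for this watchlist but would need a public-suffix list for general use.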
         
            
The worm creates the file Cyclone.v0.00002.htm in the Windows folder. The file contains the following text:
            We need freedom in iran

         We don't want islamic republic