W32/Chowl@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 02/25/2003
Length: 34,304
Minimum DAT: 4251 (03/05/2003)
Updated DAT: 4346 (03/31/2004)
Minimum Engine: 5.1.00
Description Added: 02/24/2003
Description Modified: 02/26/2003 12:04 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This worm propagates by mass-mailing itself and by sharing itself over peer-to-peer file-sharing networks. It is written in Visual Basic. It was detected as "New P2P Worm" with heuristic detection enabled (which requires the 4240 engine). When run, it copies itself to the Windows system directory as the following files:

  • CyberWolf.exe
  • explorer.exe
  • Kernell32.exe
  • Ms-Dos.com
  • regedit32.exe
  • service.exe
  • system.exe
  • system32.exe
  • systems.exe
  • Windows.scr
It searches for installations of certain peer-to-peer file-sharing programs and creates copies of itself in their shared folders. The affected shares are:
  • KaZaa\My shared Folder\
  • Bearshare\Shared\
  • Grokster\My Grokster\
  • Morpheus\My Shared Folder\
  • eDonkey2000\Incoming\
  • limewire\Shared\
The worm also creates many copies of itself in the Windows system directory. The file names are randomly generated, such as "Ad25lzg25de25r2322.dsi", "Ad28lzg28de28r2841.exe"...

The worm creates the following registry entries in order to run at Windows startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "CyberWolf"="C:\WINDOWS\CyberWolf.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "dllhost"="C:\WINDOWS\SYSTEM\dllhost.exe "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Installer Service"="C:\WINDOWS\SYSTEM\msiexec.exe "
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Kernell"="C:\WINDOWS\SYSTEM\Kernell32.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows Systems Service"="C:\WINDOWS\SYSTEM\service.exe "
The following Registry key is modified to hook the execution of exe files:
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "C:\WINDOWS\CyberWolf.exe%1 %* "

The worm next displays the following fake error message box:

After the "OK" button is clicked, the worm sends itself to all recipients in the Outlook Global Address List and the Outlook Contact List. The email has the following characteristics:

Subject: One of the following
  • w32/CyberWolf@mm is the newest virus...
  • PacketStorm:WINDOWS Xp has several exploits
  • A Virtual joke...the funniest around!
  • A kiss from me to you
Attachment:
  • CyberWolf-Patch.exe.
  • Windows Xp Exploit.exe
  • The CyberWolf-Joke.scr
  • My Kiss for you.scr
The email body varies according to the subject line.

The worm may drop and execute a destructive batch file (C:\CYBERWOLF.BAT, 108 bytes) on the victim machine (observed on Windows 98 in testing). This batch file attempts to delete *.EXE and *.DLL files recursively (in quiet mode, forcing deletion of read-only files). The batch file is detected as W32/Chowl.bat with the specified DATs.

The worm queries Windows for various virus-scanning processes and attempts to terminate them. It also creates a text file and a link to the file on the desktop. The text file contains messages from the virus writer.

The worm launches multiple instances of itself into memory, eventually causing the operating system to crash.

Symptoms

Existence of the files and registry keys mentioned above.
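
A triage sketch for the indicators listed above, added here as an example (it is not McAfee's code): it matches a text export of the registry and a listing of the Windows system directory against the names on this page. The helper names `parse_reg` and `triage`, the random-name pattern and the sample input are assumptions or constructed.

```python
import re

# Indicators taken from this description; compared case-insensitively.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_NAMES = {"cyberwolf", "dllhost", "windows installer service",
             "windows kernell", "windows systems service"}
DROPPED = {"cyberwolf.exe", "explorer.exe", "kernell32.exe", "ms-dos.com",
           "regedit32.exe", "service.exe", "system.exe", "system32.exe",
           "systems.exe", "windows.scr"}
# Assumption: pattern inferred from the two sample names quoted on the page.
RANDOM_NAME = re.compile(r"^ad(\d+)lzg\1de\1r\d+\.\w+$", re.I)
CLEAN_EXE_CMD = '"%1" %*'  # stock Windows default for the exefile open command

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)
        if key and m:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            yield key, name, data

def triage(reg_text, system_dir_listing):
    """Return (kind, name, data) findings; name matches need scanner confirmation."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key == RUN_KEY and name.lower() in RUN_NAMES:
            findings.append(("run-value", name, data))
        if key == EXE_KEY and name == "@" and data.strip() != CLEAN_EXE_CMD:
            findings.append(("exefile-hook", name, data))
    for fname in system_dir_listing:
        if fname.lower() in DROPPED or RANDOM_NAME.match(fname):
            findings.append(("file", fname, ""))
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\CyberWolf.exe%1 %* "
'''
SAMPLE_FILES = ["Kernell32.exe", "kernel32.dll", "Ad25lzg25de25r2322.dsi"]

if __name__ == "__main__":
    print(*triage(SAMPLE_REG, SAMPLE_FILES), sep="\n")
```

A modified exefile open command also matters for cleanup: while it points at a missing file, .exe programs will not start, so it has to be restored to `"%1" %*`.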

Method of Infection

The worm spreads via Outlook mass-mailing and peer-to-peer file sharing.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
