MSH/Cibyz!p2p

Type: Virus
SubType: P2P Worm
Discovery Date: 07/28/2006
Length:
Minimum DAT: 4817 (07/28/2006)
Updated DAT: 4818 (07/31/2006)
Minimum Engine: 5.1.00
Description Added: 07/28/2006
Description Modified: 07/28/2006 6:31 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

All Information

Overview -

MSH/Cibyz!p2p is a proof-of-concept worm written in Windows PowerShell script. It attempts to spread via the popular peer-to-peer application KaZaa by dropping a copy of itself in KaZaa's shared folder.

Note: Windows PowerShell is a command-line shell and scripting language for Microsoft Windows that runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn.

Aliases

  • MSH.Czybroks!int (Symantec)
  • P2P-Worm.MSH.Skowor.a (Kaspersky)
  • WORM_KIBYZ.A (Trend Micro)

Characteristics -

Upon execution it creates a copy of itself in the Windows system directory:

%Windir%\%SYSDIR%\sk0rCzybik.msh

Modifies the following registry values so that the user cannot view hidden files and file extensions:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"
HideFileExt = "1"

Changes the registered owner and organization names via the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization = "Infected Poly"
RegisteredOwner = "sk0rCzybik"

Modifies the default window title of Internet Explorer:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Infected by a poly ps worm"

Randomly sets the default start page of Internet Explorer to one of the author's websites via the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Start Page = "http://www.sk0r-scr[Removed].tk"
(or)
Start Page = "http://www.sk0r-vir[Removed].tk"
(or)
Start Page = "http://czybik-[Removed].tk"
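The registry and file indicators listed under Characteristics can be checked on a host with the following script. It is an added example, not code from the AVERT description or from the worm, and it only reports; it changes nothing. Two assumptions are made here: %Windir%\%SYSDIR% is taken to mean the System32 folder, and because the description redacts the start-page host names, those are matched on their visible prefixes only.

```powershell
# Added example (not from the AVERT description): read-only triage for the
# registry and file indicators listed under "Characteristics".
# Assumptions: %Windir%\%SYSDIR% denotes the System32 folder; redacted start-page
# hosts are matched on their visible prefixes.

function Get-CibyzRegistryFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # Dropped copy in the Windows system directory.
    $systemDir = [Environment]::GetFolderPath('System')      # assumed meaning of %Windir%\%SYSDIR%
    $dropped   = Join-Path $systemDir 'sk0rCzybik.msh'
    if (Test-Path -LiteralPath $dropped) {
        $findings.Add("[strong] Dropped file present: $dropped")
    }

    # Values the worm writes. The Explorer values are ordinary user settings
    # (HideFileExt = 1 is the Windows default), so on their own they are weak
    # signals; the owner/organization and IE title strings are specific to this worm.
    $iocs = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';                 Value = '0';                          Weight = 'weak'   },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';            Value = '1';                          Weight = 'weak'   },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';               Name = 'RegisteredOrganization'; Value = 'Infected Poly';              Weight = 'strong' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion';               Name = 'RegisteredOwner';        Value = 'sk0rCzybik';                 Weight = 'strong' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                  Name = 'Window Title';           Value = 'Infected by a poly ps worm'; Weight = 'strong' }
    )
    foreach ($ioc in $iocs) {
        $item = Get-ItemProperty -Path $ioc.Key -Name $ioc.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.($ioc.Name)
        # Compare as strings: the worm may have written REG_SZ where Windows uses REG_DWORD.
        if ("$actual" -eq $ioc.Value) {
            $findings.Add("[$($ioc.Weight)] $($ioc.Key)\$($ioc.Name) = '$actual'")
        }
    }

    # Start page: host names are redacted in the description, so match the visible prefixes.
    $ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($startPage -match '^http://(www\.sk0r-(scr|vir)|czybik-)') {
        $findings.Add("[strong] IE Start Page set to a listed author site: $startPage")
    }

    return $findings
}

$result = Get-CibyzRegistryFindings
if ($result.Count -eq 0) { 'No MSH/Cibyz!p2p registry or file indicators found.' } else { $result }
```

Run it in the context of the user whose profile is being examined, since the Explorer and Internet Explorer values live under HKEY_CURRENT_USER. A weak-only result (the two Explorer values) is not evidence of infection by itself; the strong entries, or the dropped file, are what warrant a DAT scan and clean-up.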

Symptoms -

MSH/Cibyz!p2p searches the hard drives and prepends its code to files of the following types:

  • msh
  • ps1

Overwrites files of the following types and changes their file extension to .msh:

  • bat
  • cmd
  • html
  • ini
  • js
  • log
  • txt

If the system time is later than 5:00 PM, it displays the following message:

This Worm is ©2006 by sk0r alias Czybik
To ask some questions email me @ sk0r[Removed]@gmx.de
www.sk0r-scr[Removed].tk - www.sk0r-vir[Removed].tk - www.czybik-[Removed].tk ",
10,"PowerShell Polymorphic Worm ©2006 by sk0r alias Czybik"

Method of Infection -

Propagation via Peer-to-Peer Networks:

MSH/Cibyz!p2p propagates by dropping a copy of itself into the shared folder of the KaZaa peer-to-peer application. It reads the path to KaZaa's default download directory from the following registry key:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent\DownloadDir

To entice users into downloading and executing these files, the worm gives its dropped copies the names of popular applications:

AVP - AntiVirus Key Generator.msh
Ad-aware SE Personal Edition 1.06r1.msh
Allround WinZIP Key Generator.msh
Ashampoo Media Player 2.03 install.msh
Daemon Tools Install + Crack.rar.msh
Kaspersky KeyGen working.msh
Microsoft Windows Vista Cd-Key.txt.msh
Nero Burning Rom 6.6.0.13 Crack.msh
Talisman Desktop 2.99 Crack.msh
Windows Vista Update.msh
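The file-system symptoms (scripts with the worm's code prepended, files overwritten and renamed to .msh) and the KaZaa share copies described above can be looked for with the following script. It is an added example, not code from the AVERT description or from the worm. It assumes that the worm body contains the copyright line shown in its message box, so that line can serve as a marker at the top of infected files, and that the KaZaa DownloadDir value holds a plain directory path; the lure file names are the ones listed above.

```powershell
# Added example (not from the AVERT description): read-only search for the
# file-system symptoms and KaZaa share copies described above.
# Assumptions: the copyright line from the message box appears in the worm body;
# the KaZaa DownloadDir value is a plain directory path.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

$authorMarker   = 'sk0r alias Czybik'   # from the displayed message; assumed present in the worm body
$knownLureNames = @(
    'AVP - AntiVirus Key Generator.msh',
    'Ad-aware SE Personal Edition 1.06r1.msh',
    'Allround WinZIP Key Generator.msh',
    'Ashampoo Media Player 2.03 install.msh',
    'Daemon Tools Install + Crack.rar.msh',
    'Kaspersky KeyGen working.msh',
    'Microsoft Windows Vista Cd-Key.txt.msh',
    'Nero Burning Rom 6.6.0.13 Crack.msh',
    'Talisman Desktop 2.99 Crack.msh',
    'Windows Vista Update.msh'
)

function Test-WormHead {
    param([string]$Path)
    # Prepended code sits at the top of the file, so only the head needs reading.
    $head = Get-Content -LiteralPath $Path -TotalCount 200 -ErrorAction SilentlyContinue
    return (($head -join "`n") -like "*$authorMarker*")
}

$report = [ordered]@{ InfectedScripts = @(); OtherMshFiles = @(); ShareCopies = @() }

# 1. .msh and .ps1 files under the scan root. Prepended scripts and overwritten
#    files (which the worm renames to .msh) both carry the marker at the top.
Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.msh, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Test-WormHead $_.FullName) {
            $report.InfectedScripts += $_.FullName
        } elseif ($_.Extension -eq '.msh') {
            # .msh without the marker: review manually, since a polymorphic copy may differ.
            $report.OtherMshFiles += $_.FullName
        }
    }

# 2. Copies dropped into the KaZaa share, located the way the worm locates it: via DownloadDir.
$kazaaDir = (Get-ItemProperty -Path 'HKCU:\Software\Kazaa\LocalContent' -Name 'DownloadDir' -ErrorAction SilentlyContinue).DownloadDir
if ($kazaaDir -and (Test-Path -LiteralPath $kazaaDir)) {
    Get-ChildItem -LiteralPath $kazaaDir -File -Filter '*.msh' -ErrorAction SilentlyContinue | ForEach-Object {
        $tag = if ($knownLureNames -contains $_.Name) { 'listed lure name' } else { 'unlisted .msh' }
        $report.ShareCopies += "$($_.FullName) ($tag)"
    }
}

[pscustomobject]$report
```

Any .msh file in a KaZaa share is worth attention on its own, since .msh was the script extension of the pre-release PowerShell ("Monad") that this worm targets; the lure-name check only tells apart the copies the description lists from ones it does not. Files overwritten by the worm cannot be recovered from the .msh copy, so restoration has to come from backup.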

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media through which users can share files.

Additional Windows ME/XP removal considerations

Variants -

    N/A