Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
109,056 bytes (UPX packed)
Worm/Cydog.C is a mass mailer. It gathers the email addresses it needs to send itself to, from Yahoo Messenger, MSN and .NET Messenger, ICQ, Windows Address Book (WAB), but also from .EML and .HTML files. Worm/Cydog.C is also able to send its virus file over known P2P networks like KaZaA, Edonkey, Bearshare and Morpheus.
The files and registry entries mentioned below.
The virus spreads over file-sharing networks, email and network drives.
When activated, Worm/Cydog.C copies itself in Windows with the filename
CYBERWOLF.EXE which is set to "hidden" and "system file" rights. Then it makes the next files, with the same attributes: Kernel32.exe, mapi32.drv, format.com, SARS-Guide.scr, MsnMsgs.exe, Setup.exe, Virtual Joke.scr, Saddam-the real pics.scr, Christina Aguilera-The most beautiful girl on earth.scr, Soccer Database.exe, OutWar Demo.exe, Love.scr, Last Summer.scr, Hotmail Hacker.exe, FixSql.com, Q30215HOTFIX.pif, Api Hooking-Tutorial.exe, Magical-Screensaver.scr.
Worm/Cydog.C modifies the following .EXE file registry entry, so that it will be activated once an .EXE file is open:
and it makes the following entry:
Worm/Cydog.C modifies registry entries further. These modifications determine some types of files to be no longer visible and hidden system files are not listed any more.
First, this worm is a mass mailer. It searches for email addresses on Yahoo Messenger, MSN and .NET Messenger, ICQ, Windows Address Book (WAB) but also on .EML and .HTML files. If the user is not provided with a SMTP Server for email service, Worm/Cydog.C carries along its own list of SMTP Servers that enables it to send infected emails.
The contents of the emails sent by Cydog.C can have very different appearances. The worm sends itself with a faked return address:
Lovegirl@yahoo.com, Webmaster@planet-source-code.com, Lovegirl33@hotmail.com, Admin@screensaver.com, Support@microsoft.com, SecurityResponse@symantec.com, Admin@hackers.com, Webmaster@Loveforlife.com, Webmaster@outwar.com, Soccerfan@yahoo.com, Webmaster@beautifulgirls.com, Webmaster@sreensavers.com, email@example.com, firstname.lastname@example.org, or email@example.com
An example can be:
Subject: Windows Hotfix!
Attached is the HotFix for several bugs in Windows Operating Systems.
The following Windows versions are vulnerable:
Windows Xp home and Pro edition (with/without SP1)
Windows ME,2000 and NT Home and Pro Edition(With/without SP)
Windows 98 Home,Pro and Special Edition(With/without SP)
The following Windows Operating Systems are not vulnerable:
Windows 95(All editions With or Without Sp
Microsoft IIS(all versions)
If your Operating System is one of the vulnerable systems listed
above then Microsoft Corp. recommends you to install this HotFix
If you for some reason didn't install this hotfix,then your pc
will be vulnerable to this bugs allowing an attacker to Remote
Control your pc,or beeing infected with the infamous SqlSlammer.
Because this is an critical bug,Microsoft Corp. has send this
HotFix to all of his customors who use one of the OS's.
For more information about this bug or about Microsoft
Corp.,please visit www.microsoft.com
Presented to you by:Microsoft HelpDesk<Support@microsoftcom>
Second, Worm/Cydog.C is able to spread itself over P2P networks, such as Kazaa, Edonkey, Bearshare and Morpheus. It searches for free directories, which the system uses for data exchange, and copies itself there with the following names:
* Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
* WebAttack-DoS Tool.exe
* FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
* Yahoo Remote Password Cracker Deluxe 2003.exe
* AIM Remote Password Cracker.exe
* Hotmail Exploiter 2003.exe
* XNuker 2003.exe
* Ultimate HackProg.exe
* Msn Messenger Remote Password Cracker 2003.exe
* Netbios hacker.exe
* Chaos Ip Spoof 2003.exe
Additionally, the worm can spread through IRC Client "mIRC". It deletes the SCRIPT.INI and replaces it with its own. When a user of an IRC Channel finds an infected system, this will send the following message:
<%USER_NICK_NAME%> Hi, im CyberWolf, 15 and from austria and u?
<%USER_NICK_NAME%> check out this crazy screensaver!its magic!!!
The worm automatically sends to the user the file "MAGICAL-SCREENSAVER.SCR". If this file is opened, the user gets infected.
And finally, Worm/Cydog.C is able to terminate a number of applications:
NETSERVICES, COMMAND, SYSHELP, RAVMOND, WINRPC, WINHELP, WINGATE, NPROTECT, CLEANER, WINDRIVER, TASKMGR, MSCONFIG, REGEDIT, ANTI-TROJAN, BLACKICE, ONEALARM, LOCKDOWNADVANCED, NVC95, FP-WIN, IOMON98, PCCWIN98, F-PROT, F-STOPW, AMSERV.EXE, NAVWNT, NAVRUNR, NAVLU32, NAVAPSVC, VSMON.EXE, SYMPROXYSVC, FESCUE32, NISSERV, VSECOMR, VETTRAY, TDS2-NT, CCAPP.EXE, SCAN32, PCFWALLICON, NSCHED32, SPHINX.EXE, FRW.EXE, MCAFEE, ATRACK, PVIEW.EXE, LUCOMSERVER, LUALL.EXE, NMAIN.EXE, NAVW32, NAVAPW32, VSSTAT, VSHWIN32, AVSYNMGR, AVCONSOL, WEBTRAP, POP3TRAP, PCCMAIN, PCCIOMON, ESAFE.EXE, AVPM.EXE, AVPCC.EXE, AMON.EXE, ALERTSVC, ZAPRO.EXE, AVP32, LOCKDOWN2000, AVP.EXE, CFINET32, CFINET, ICMON, SAFEWEB ,WEBSCANX and IAMAPP
Description inserted by Crony Walker on Tuesday, June 15, 2004