SECURITY ALERT

Name:      W32/Kickin@MM
Aliases:   W32.HLLW.Kickin.A@mm,Kickin
Variants:  
Type:      Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by NAI and Symantec.

Virus Characteristics

W32/Kickin@MM is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses gathered from several address books and from HTML files on the local machine. The address books it uses include:

.NET Messenger
MSN Messenger
Yahoo Pager
Windows
ICQ Address Books

The email message has a randomly chosen subject line, message body and attachment filename, and the worm spoofs the sender's address. The attachment has the extension .com, .exe, .scr or .pif.

Example Emails:

From:Admin@jokes.com
Subject:The Virtual Joke...
Message:Have you seen it yet? You should because its soooooo funny,i wish the real jokes where that funny =:) Check out the attached screensaver and enjoy the pleasure of laughing...
Attachment: Virtual Joke.scr

From:Lovergirl963@hotmail.com
Subject:Do you remember last summer?
Message: hi Do you remember we met last summer? We became very good friends at the end huh! Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them See you soon again xxx Love ya...
Attachment: Last Summer.scr

From:webmaster@screensavers.com
Subject: Fwd:Whats really happening in bagdad
Message: Someone of the britisch army has made some Secret Spy Cam pics,and uploaded it to the internet!! The pics show you exactly whats reall happened in Irak!Its really not what you've seen on tv! Check out the attached file and forward this to as much friends so that they can all see what has really happened in Irak. FlipBabe xxx
Attachment: Saddam-the real pics.scr

From:twistmaster13@hotmail.com
Subject: Hi,i'm 100% sure i'm infected!
Message: mmm...if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm. For every infection this worm does,you'll receive an email like this. It has never been my intention to cause your mailbox any harm,nor mailbomb it. Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number... .
Attachment:(no attachment)

From:Soccerfan@yahoo.com
Subject: Fwd:Fwd:Fwd:Soccer...
Message: Ever wanted to see the best goals,the most beautiful freekicks etc.with just 2 clicks with your mouse? Ever wanted to acces the largest Soccer Database on the internet where all goals from more then 25 international competitions from the past 15 years are stored? Here is your chance,this program has instant acces it,so you can enjoy how Diego Maradonna scored ,or how Johan Cruyff curled that ball into the goal...Enjoy! The database contains goals from countries like:Spain,Italy,France,Germany,England,Belgium,The Netherlands,Sweden,Finland and much more Also forward this to all football fans you know so they can enjoy this to.
Attachment: Soccer Database.exe

From: Admin@hackers.com
Subject: u wanted to hack?
Message: hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!! Simply open it and enter your victims email ID and select This will also work on Yahoo and Icq accounts Admin@hackers.com
Attachment: Hotmail Hacker.exe

From:mailinglist@healthcare.com
Subject: Watch out for SARS!
Message:SARS aka Severe Acute Respiration Syndrome is infecting more and more people every day Soon it will get to USA,Europe,Asia,Africa and Australia if we don't do something Thats why we started this chain letter with a single attachment Our mission is to make all people aware of the disease and to give them a handy guide on how to protect themselves The attachment(SARS-Guide) is a guide (like the name says;)) with instructions for avoiding infection and what to do when infected Ofcourse we cannot send this Guide to all people,thats why the WHO(World Health Organisation) has made a deal with WISI(World Internet Statistic Institute):For mail FORWARD of this email WITH the Guide,0.50US$ will be transfered to the WHO bank account They will use this money to make a vaccin for the SARS Virus,and thus help mankind If you want to participate to this project,and thus help mankind,you should FORWARD this email to at least 1 person with this Guide Attached Thas all you'll have to do Do,'t forget!Every FORWARD is 0.50US$ more for the vaccin,a vaccin is very expensive,so forward it if you want to participate in helping mankind! For more information contact: Dick Thompson - Communication Officer
Attachment:SARS-Guide.scr

From: Webmaster@beautifulgirls
Subject: Christina Aguilera:The most beautiful girl on earth
Message: Don't you think Christina Aguilera is the most beautiful girl on earth? She is soo nice!!! That clip was amazing... If you wanne see some hidden pics of that videoclip then check out this screensaver Its nice...Very nice,if you get what i mean ;) Webmaster@beautifulgirls.com
Attachment: Christina Aguilera-The most beautiful girl on earth.scr

From:SecurityResponse@symantec.com
Subject: Warning from Symantec.com
Message: 5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to spread by several ports on your pc(139,25,445,446,10252). It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection. After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS. Simply run the attached fix and wait for the dialog to prompt,select the feature and wait till its finished. Sincerely, Symantec Security Response Team Symantec Corporation
Attachment:FixSql.com

From:Webmaster@planet-source-code.com
Subject: Api Hooking Tutorial...
Message: Did you wanted to learn how to api hook? Here your chance!This tutorial explains all the basics AND moderate Api Hookings Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide... The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances
Attachment: Api Hooking-Tutorial.exe

From:mailinglist@Msn.com
Subject: Get the new Msn 5.1!
Message:Tired of the little nicknames in Msn,tired of all the limits? Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever! It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better! Msn Messenger 5.1 is avaible for following Operating Systems: Windows Xp Windows ME and 2000 Windows 98 and NT Is not avaible for:Windows 95 This version of msn messenger supports also Api's in Windows Xp so you can make your own addons. To download Msn Messenger 5.1 install the attached Root Setup. WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO = JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP. If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions. Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not Sincerely yours: The Msn Messenger Team The Hotmail Team
Attachment:MsnMsgs.exe

From:Webmaster@Loveforlife.com
Subject: Feel the reason why we fall in love...
Message: It takes One minute to find someone special One hour to like someone 1 Day to fall in love with someone But it takes a lifetime to forget someone. If you have ever been in love then you'll know about what i am talking. If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
Attachment:Love.scr

From:webmaster@screensavers.com
Subject: Saddam a live and kickin
Message: The whole world wants to know it,is saddam a live,or death? Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible! You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground! Check out the pics i attached,you won't believe what you see!
Attachment: Saddam-the real pics.scr

From: Webmaster@Outwar.com
Subject: Outwar is proud to present you:Outwar InterActive
Message:After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new. Thats why we decided to take our OutWar into the game market and developed OurWar InterActive This game will be in shops late summer and will cost about 36$. It will be avaible across the Usa,Europe,Australia and Asia.Our release for Africa is scheduled early 2004. Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo! The attached file contains Installation Packet for the downloader. Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!. Sincerely yours Webmaster@outwar.com
Attachment: OutWar Demo.exe

From: Support@microsoft.com
Subject: Windows Hotfix!
Message:Attached is the HotFix for several bugs in Windows Operating Systems. The following Windows versions are vulnerable: Windows Xp home and Pro edition (with/without SP1) Windows ME,2000 and NT Home and Pro Edition(With/without SP) Windows 98 Home,Pro and Special Edition(With/without SP) The following Windows Operating Systems are not vulnerable: Windows 95(All editions With or Without Sp Microsoft IIS(all versions) If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer. Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's. For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com Presented to you by:Microsoft HelpDesk
Attachment: Q30215HOTFIX.pif


The worm also attempts to spread through the Morpheus, Bearshare and Edonkey2000 file-sharing networks and through mIRC, and it terminates some antivirus and firewall processes.

The worm locates the Windows installation folder and copies itself to that location as:

CyberWolf.exe

The file attributes are set to Hidden and System.

The worm creates the text file CyberWolf.txt, also in the Windows directory, if the current day is Monday or Wednesday.

It will run many instances of itself if the current date is the 30th of any month.

It then copies itself to the Windows System folder under the following names:
    Kernel32.exe
    Api Hooking-Tutorial.exe
    Christina Aguilera-The most beautiful girl on earth.scr
    FixSql.com
    Hotmail Hacker.exe
    HowTo-SARS.exe
    Last Summer.scr
    Love.scr
    Magical-Screensaver.scr
    MsnMsgs.exe
    OutWar Demo.exe
    Setup.exe
    Soccer Database.exe
    Saddam-the real pics.scr
    Virtual Joke.scr
    Q30215HOTFIX.pif
    WinExec.bin
    Winlogon.sys

The attributes of these files may be set to Read only, Hidden and System.

In order for the worm to run when you start Windows, it adds the following values to the registry Run key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"CyberWolf" = "%Windir%\CyberWolf"
"Windoes Kernel" = "%System%\kernel32.exe"


Adds the subkey REGEDIT.EXE to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

and sets its default value to

"(Default)" = "%System%\kernel32.exe"

so that when you try to run Regedit.exe, the worm runs instead.


Adds the subkey MSCONFIG.EXE to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

and sets its default value to

"(Default)" = "%System%\kernel32.exe"

so that each time you try to run Msconfig.exe, the worm runs instead.


Adds the value

"system" = "%System%\kernel32.exe"

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Modifies the default value of the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to

"(Default)" = "%System%\kernel32.exe"


Modifies the following values in the registry key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

"Hidden" = 2
"HideFileExt" = 1

so that Explorer does not display hidden files or file extensions, which conceals the dropped files and the true extension of the attachments.
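A host-side, read-only audit of the persistence changes listed in this section, written here as an added example that is not part of the advisory or of either vendor's write-up. It assumes the key names, value names and the %System%\kernel32.exe copy exactly as given above, and is meant to be run from an elevated PowerShell session.

```powershell
# Added example, not from the advisory or either vendor. Read-only audit of the
# registry keys and dropped files described for W32/Kickin@MM; run elevated.
$sys      = [Environment]::SystemDirectory     # normally C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

# App Paths hijack: REGEDIT.EXE / MSCONFIG.EXE default value redirected to the
# worm's kernel32.exe copy (note the .exe; the genuine kernel32 is a .dll).
$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
foreach ($exe in 'REGEDIT.EXE', 'MSCONFIG.EXE') {
    $key = Join-Path $appPaths $exe
    if (-not (Test-Path $key)) { continue }
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($default -match 'kernel32\.exe') { $findings.Add("App Paths\$exe -> $default") }
}

# exefile handler: anything but the stock "%1" %* means every .exe launch is
# proxied through another program.
$cmd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' `
        -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -ne '"%1" %*') { $findings.Add("exefile open command: $cmd") }

# Winlogon "system" value: absent on a clean system.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -ErrorAction SilentlyContinue
if ($wl.system) { $findings.Add("Winlogon\system = $($wl.system)") }

# Run key entries named in the advisory.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
        -ErrorAction SilentlyContinue
foreach ($name in 'CyberWolf', 'Windoes Kernel') {
    if ($run -and $run.PSObject.Properties[$name]) { $findings.Add("Run\$name = $($run.$name)") }
}

# The Explorer\Advanced values the worm sets (Hidden=2, HideFileExt=1) are also
# the Windows defaults, so they are not checked here: they corroborate, never prove.

# Dropped files from the file list above.
foreach ($p in @((Join-Path $env:windir 'CyberWolf.exe'),
                 (Join-Path $sys 'kernel32.exe'),
                 (Join-Path $sys 'WinExec.bin'),
                 (Join-Path $sys 'Winlogon.sys'))) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

if ($findings.Count -eq 0) { 'No W32/Kickin@MM indicators found.' } else { $findings }
```

If the exefile handler or an App Paths entry is found redirected, restore it before launching any .exe-based cleanup tool, since the redirection would otherwise run the worm again.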


Closes any windows whose name is one of the following and terminates the associated process:
    Norton AntiVirus
    LiveUpdate
    System Configuration Utility
    Process Viewer
    Register-Editor
    Windows Task Manager


W32/Kickin@MM attempts to terminate some antivirus and firewall processes. The worm inventories the active processes and, if the name of a process is one of the following, attempts to terminate it:
    COMMAND
    SYSHELP
    RAVMOND
    WINRPC
    WINHELP
    WINGATE
    NPROTECT
    CLEANER
    TASK
    TASKMGR
    MSCONFIG
    REGEDIT
    ANTI-TROJAN
    BLACKICE
    ZONEALARM
    PROT
    NVC95
    FP-WIN
    IOMON98
    PCCWIN98
    F-PROT
    F-STOPW
    NAVWNT
    NAVRUNR
    NAVLU32
    NAVAPSVC
    VSMON
    SYMPROXYSVC
    RESCUE32
    NISSERV
    VSECOMR
    VETTRAY
    TDS2-NT
    CCAPP
    SCAN32
    PCFWALLICON
    NSCHED32
    SPHINX.EXE
    FRW.EXE
    MCAFEE
    ATRACK
    PVIEW
    LUCOMSERVER
    LUALL
    NMAIN
    NAVW32
    NAVAPW32
    VSSTAT
    VSHWIN32
    AVSYNMGR
    AVCONSOL
    WEBTRAP
    POP3TRAP
    PCCMAIN
    PCCIOMON
    ESAFE.EXE
    AVPM.EXE
    AVPCC.EXE
    AMON.EXE
    ALERTSVC
    ZAPRO
    AVP32
    LOCKDOWN2000
    AVP.EXE
    CFINET32
    CFINET
    ICMON
    SAFEWEB
    WEBSCANX


The worm retrieves the location of the KaZaA download folder from the registry. If KaZaA is installed on the infected system, it copies itself to the download folder under the following filenames:

    AIM Remote Password Cracker.exe
    Chaos Ip Spoof 2003.exe
    FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
    Hotmail Exploiter 2003.exe
    Msn Messenger Remote Password Cracker 2003.exe
    Netbios hacker.exe
    Ultimate HackProg.exe
    Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
    WebAttack-DoS Tool.exe
    XNuker 2003.exe
    Yahoo Remote Password Cracker Deluxe 2003.exe


Copies itself to the following folders, if the folders exist:

C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\Bearshare\Shared
C:\Program Files\Edonkey2000\Incoming

With the following filenames:

Chaos Ip Spoof 2003.exe
Hotmail Exploiter 2003.exe
Msn Messenger Remote Password Cracker 2003.exe
Netbios hacker.exe
Ultimate HackProg.exe

NOTE: The attributes of these files may be set to Read only, Hidden, and System.

If mIRC is installed, the worm modifies the Script.ini file to send a copy of itself as Magical-Screensaver.scr to other mIRC users.

The worm retrieves the current user's name, email address, and SMTP server's IP address from the registry.


Payload

Massmails itself to the email addresses that it finds from the .NET Messenger, MSN Messenger, Yahoo Pager, Windows, and ICQ Address Books, and from the files whose extensions contain the letters html.

Terminates some AntiVirus and Firewall processes


Preventative Measures

Block emails carrying attachments with the following extensions at the email gateway:

.com, .exe, .scr and .pif


Fixes Available

Network Associates:
Minimum DAT: 4262
Release Date: 050703
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): May 6, 2003
Virus Definitions (LiveUpdate): May 7, 2003
