Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Chowl.A

W32.Cydog

Win32/Chowl.A is a worm spreading as a file in the attachment of electronic mail messages. This worm spreads in the P2P environment of KaZaA and some other networks. The worm has length of 34816 bytes, and uses UPX compression program for reducing it. Unpacked has a length more than 115 kB. The worm attacks computers with operating system Windows 95/98/Me/NT/2000 or XP.

Win32/Chowl.A arrives with the message having subject randomly chosen from many predefined options. The subject consists of one of following texts:

EA and EIDOS Presents...
A Virtual joke...the funniest around!
PacketStorm:WINDOWS Xp has several exploits
A kiss from me to you...

The body of the message consists of predefined text trying to make addressee running the file in the message attachment containing the worm. This file is always 34816 bytes long, and has one of following names: CyberWolf-Patch.exe, Windows Xp Exploit.exe, The CyberWolf-Joke.scr or My Kiss for you.scr.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The system subdirectory containing the operating system has a symbolic name %system%.

After running the file in the attachment the worm reads the content of the key HKEY_CURRENT_USER\Software\Kazaa\LocalContent, and surveys the value of DownloadDir. It contains the directory utilized by installed KaZaA client for file sharing. The worm then creates a subdirectory Windows Security Haches in above named directory where it copies itself under names Visual Basic 6.0 Msdn Plugin.exe, Hotmail Hacker 2003-Xss Exploit.exe, Netbios Nuker 2003.exe, WinRar 3.xx Password Cracker.exe, Microsoft KeyGenerator-Allmost all microsoft stuff.exe, W32.CyberWolf@mm Fix.exe, Kazaa SDK + Xbit speedUp for 2.xx.exe, WinZipped Visual C++ Tutorial.exe, XNuker 2003 2.93b.exe, Edonkey2000-Speed me up scotty.exe, Imesh SDK+Xbit Speed Up.exe., PopUp remover 9.25.exex, Credit Card Numbers generator(incl Visa,MasterCard,...).exe, EA Games Keygen for All versions(only EA).exe, Free mem-Games-SpeedUP.exe, Security-2003-Update.exe, Stripping MP3 dancer+crack.exe, Crackologic(all windows Apps).exe, CyberWolf-Patch.exe, Windows Xp Exploit.exe, The CyberWolf-Joke.scr or My Kiss for you.scr.

However, this is not the only place where the worm places its copies. It places its copies also into the directory %system%. The names of the copies are: CyberWolf.exe, Rundll32.exe, \System\explorer.exe, \System\system.exe, Kernell32.exe, system32.exe, systems.exe, service.exe, regedit32.exe, Ms-Dos.com or Windows.scr. It creates also another copy named Windows Media Player Plugin.exe placing it into the directory %windir%\TEMP.

Win32/Chowl.A creates its copies also in following locations:

C:\Program files\eDonkey2000\Incoming\Edonkey2000-Ad remover.exe
C:\Program files\eDonkey2000\Incoming\Hotmail Hacker 2003-Xss Exploit.exe
C:\Program files\eDonkey2000\Incoming\Netbios Nuker 2003.exe
C:\Program files\eDonkey2000\Incoming\WinRar 3.xx Password Cracker.exe
C:\Program files\eDonkey2000\Incoming\EA Games Keygen for All versions(only EA).exe
C:\Program Files\Bearshare\Shared\Hotmail Hacker 2003-Xss Exploit.exe
C:\Program Files\Bearshare\Shared\BearShare Pro 4.3.1 Beta Version.exe
C:\Program Files\Bearshare\Shared\XNuker 2003 2.93b.exe
C:\Program Files\Bearshare\Shared\Chaos Ip 2003-Xp compitable.exe
C:\Program Files\Bearshare\Shared\Netbios Nuker 2003.exe
C:\Program FIles\Grokster\My Grokster\Grokster ad-remover.exe
C:\Program FIles\Grokster\My Grokster\Stripping mp3 dancer+crack.exe
C:\Program FIles\Grokster\My Grokster\Trojan Utility 5.6.exe
C:\Program FIles\Grokster\My Grokster\Winrar 3.xx password cracker.exe
C:\Program FIles\Grokster\My Grokster\NetScan 1.6.exe
C:\Program FIles\Grokster\My Grokster\Xss security exploit-hotmail.exe
C:\Program Files\Morpheus\My Shared Folder\Morpheus-Gold.exe
C:\Program Files\Morpheus\My Shared Folder\WebSeek-Mp3.exe
C:\Program Files\Morpheus\My Shared Folder\Chaos Ip.exe
C:\Program Files\limewire\Shared\Lunix-Download.exe
C:\Program Files\Morpheus\My Shared Folder\Netbios Exploiter Xp.exe
C:\Program Files\limewire\Shared\Credit card Generator
C:\Program Files\limewire\Shared\CrackOlogic(all windows apps).exe

Then the Win32/Chowl.A handles the system registry in order to assure its activation after restarting the system. It creates an item CyberWolf in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This item has the value "C:\WINDOWS\CyberWolf.exe". It also creates an item Windows Installer Service in the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run having the value "C:\WINDOWS\SYSTEM\msiexec.exe".

The worm creates an item CyberWolf in both HKEY_CURRENT_USER\SOFTWARE\CyberWolf and HKEY_CURRENT_USER\SOFTWARE\CyberWolf having the value "You are Biten".

Handling the system registry the Win32/Chowl.A sets the Microsoft Internet Explorer home page to http://CyberWolf-has-bitten-you.com.

The worm deactivates processes having names identical with those in following list: CCAPP.exe, zapro.exe, taskmgr.exe, NMAIN.exe, AVPCC.exe, AVP.exe, ANTI-TROJAN.exe, WEBSCAN.exe, NUPDATE.exe, NAVAPW32.exe, ESAFE.exe, BLACKICE.exe, CFIND.exe, KPFW32.exe, KPF.exe, LUALL.exe, AUPDATE.exe, QCONSOLE.exe, BOOTWARN.exe, CCSHTDWN.exe, AVPMON.exe, SCAN32.exe, FINDVIRU.exe and _AVP32.exe.

The worm then displays following box:

Win32/Chowl.A spreads via mail client Microsoft Outlook using addresses acquired from Windows Adress Book.

NOD32 detects Win32/Chowl.A from version 1.368.

 

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.