W32/Kickin Worm
Information about the W32/Kickin worm:
W32/Kickin is a mass-mailing email worm that infects Windows systems. The worm spreads through email, shared network drives, IRC and KaZaA P2P software.
The subject, message body and attachment of an infected mail are taken from one of the following sets:
Set 1
From:Admin@jokes.com
Subject:The Virtual Joke...
Message body:Have you seen it yet? You should because its soooooo funny,i
wish the real jokes where that funny =:) Check out the attached screensaver
and enjoy the pleasure of laughing...
Attachment: Virtual Joke.scr
Set 2
From: Admin@hackers.com
Subject: u wanted to hack?
Message body: hi there,so you wanted to hack your friends hotmail account
huh,well use this xss-exploit tool to find his password within 3 minutes!!
Simply open it and enter your victims email ID and select This will also
work on Yahoo and Icq accounts Admin@hackers.com
Attachment: Hotmail Hacker.exe
Set 3
From:Lovergirl963@hotmail.com
Subject:Do you remember last summer?
Message body: hi Do you remember we met last summer? We became very good
friends at the end huh! Well i looked a bit over internet and i encountered
your Email,so i thought why not send him the pics from last summer I've
attached them in this email,there in ScreenSaver format,pls reply to me
if you liked them See you soon again xxx Love ya...
Attachment: Last Summer.scr
Set 4
From:mailinglist@healthcare.com
Subject: Watch out for SARS!
Message body:SARS aka Severe Acute Respiration Syndrome is infecting more
and more people every day Soon it will get to USA,Europe,Asia,Africa and
Australia if we don't do something Thats why we started this chain letter
with a single attachment Our mission is to make all people aware of the
disease and to give them a handy guide on how to protect themselves The
attachment(SARS-Guide) is a guide (like the name says;)) with instructions
for avoiding infection and what to do when infected Ofcourse we cannot
send this Guide to all people,thats why the WHO(World Health Organisation)
has made a deal with WISI(World Internet Statistic Institute):For mail
FORWARD of this email WITH the Guide,0.50US$ will be transfered to the
WHO bank account They will use this money to make a vaccin for the SARS
Virus,and thus help mankind If you want to participate to this project,and
thus help mankind,you should FORWARD this email to at least 1 person with
this Guide Attached Thas all you'll have to do Do,'t forget!Every FORWARD
is 0.50US$ more for the vaccin,a vaccin is very expensive,so forward it
if you want to participate in helping mankind! For more information contact:
Dick Thompson - Communication Officer
Attachment:SARS-Guide.scr
Set 5
From:mailinglist@Msn.com
Subject: Get the new Msn 5.1!
Message body:Tired of the little nicknames in Msn,tired of all the limits?
Well we've got news for you,Msn 5.1 is the newest and best msn messenger
ever! It allows nicknames up to 500 characters and has many new functions
who will make your cyberlife easyier and better! Msn Messenger 5.1 is avaible
for following Operating Systems: Windows Xp Windows ME and 2000 Windows
98 and NT Is not avaible for:Windows 95 This version of msn messenger supports
also Api's in Windows Xp so you can make your own addons. To download Msn
Messenger 5.1 install the attached Root Setup. WARNING:MSN MESSENGER IS
NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO = JURIDICAL RESTRICTIONS,IF
YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP. If you don't want to
install it then you'll have to wait for another 5 weeks because of the
juridical restricions. Please do not forward this email.Every user who
has Msn Messenger installed will receive this email sooner or later,so
its up to them to decide to use the new version of not
Sincerely yours: The Msn Messenger Team The Hotmail Team
Attachment:MsnMsgs.exe
Set 6
From:SecurityResponse@symantec.com
Subject: Warning from Symantec.com
Message body: 5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD A
new very dangerous internet worm has been found in the wild.This worms
goes under the name W32.SqlSlammer.C@mm and has the possibility to spread
by several ports on your pc(139,25,445,446,10252). It will infect you without
your knowlegde because it uses the Sql Buffer Overflow exploit.Because
of this its very hard for Av companies and Microsoft to contain this thread.Thats
why we decided to protect our customors by sending then SqlFix and thus
protecting them from infection. After installation the fix will determine
if the SqlSlammer.C has infected your pc and clean it.If it didn't infect
it then it will make sure it will never infect you by closing the bug in
your OS. Simply run the attached fix and wait for the dialog to prompt,select
the feature and wait till its finished.
Sincerely, Symantec Security Response Team Symantec Corporation
Attachment:FixSql.com
Set 7
From: Support@microsoft.com
Subject: Windows Hotfix!
Message body:Attached is the HotFix for several bugs in Windows Operating
Systems. The following Windows versions are vulnerable: Windows Xp home
and Pro edition (with/without SP1) Windows ME,2000 and NT Home and Pro
Edition(With/without SP) Windows 98 Home,Pro and Special Edition(With/without
SP) The following Windows Operating Systems are not vulnerable: Windows
95(All editions With or Without Sp Microsoft IIS(all versions) If your
Operating System is one of the vulnerable systems listed above then Microsoft
Corp. recommends you to install this HotFix If you for some reason didn't
install this hotfix,then your pc will be vulnerable to this bugs allowing
an attacker to Remote Control your pc,or beeing infected with the infamous
SqlSlammer. Because this is an critical bug,Microsoft Corp. has send this
HotFix to all of his customors who use one of the OS's. For more information
about this bug or about Microsoft Corp.,
please visit www.microsoft.com Presented to you by:Microsoft HelpDesk
Attachment: Q30215HOTFIX.pif
Set 8
From:Soccerfan@yahoo.com
Subject: Fwd:Fwd:Fwd:Soccer...
Message body: Ever wanted to see the best goals,the most beautiful freekicks
etc.with just 2 clicks with your mouse? Ever wanted to acces the largest
Soccer Database on the internet where all goals from more then 25 international
competitions from the past 15 years are stored? Here is your chance,this
program has instant acces it,so you can enjoy how Diego Maradonna scored
,or how Johan Cruyff curled that ball into the goal...Enjoy! The database
contains goals from countries like:Spain,Italy,France,Germany,England,Belgium,The
Netherlands,Sweden,Finland and much more Also forward this to all football
fans you know so they can enjoy this to.
Attachment: Soccer Database.exe
Set 9
From:twistmaster13@hotmail.com
Subject: Hi,i'm 100% sure i'm infected!
Message body: mmm...if you received this mail,then someone has been infected
with W32.CyberWolf.B@mm => a new massmailer worm. For every infection
this worm does,you'll receive an email like this. It has never been my
intention to cause your mailbox any harm,nor mailbomb it. Its just so that
you can have a quite accurate view on how many infections..because most
of the times,Av companies are miles away from the real number... .
Attachment: (This mail arrives without any attachment)
Set 10
From: Webmaster@beautifulgirls.com
Subject: Christina Aguilera:The most beautiful girl on earth
Message body: Don't you think Christina Aguilera is the most beautiful
girl on earth? She is soo nice!!! That clip was amazing... If you wanne
see some hidden pics of that videoclip then check out this screensaver
Its nice...Very nice,if you get what i mean ;) Webmaster@beautifulgirls.com
Attachment: Christina Aguilera-The most beautiful girl on earth.scr
Set 11
From:Webmaster@Loveforlife.com
Subject: Feel the reason why we fall in love...
Message body: It takes One minute to find someone special One hour to like
someone 1 Day to fall in love with someone But it takes a lifetime to forget
someone. If you have ever been in love then you'll know about what i am
talking. If you wanne have that same old feeling then open the lovescreensaver
and realise why we fall in love all the time...
Attachment:Love.scr
Set 12
From: Webmaster@Outwar.com
Subject: Outwar is proud to present you:Outwar InterActive
Message body:After beeing succesfull for quit some years now and having
more then 20000 clients,it was time for something new. Thats why we decided
to take our OutWar into the game market and developed OurWar InterActive
This game will be in shops late summer and will cost about 36$. It will
be avaible across the Usa,Europe,Australia and Asia.Our release for Africa
is scheduled early 2004. Because this will mean a lot of waiting,we developed
the first Official OutWar Int. Demo! The attached file contains Installation
Packet for the downloader. Install it and download the game from our Private
FTP servers,and then enjoy it on your home pc!.
Sincerely yours Webmaster@outwar.com
Attachment: OutWar Demo.exe
Set 13
From:Webmaster@planet-source-code.com
Subject: Api Hooking Tutorial...
Message body: Did you wanted to learn how to api hook? Here your chance!This
tutorial explains all the basics AND moderate Api Hookings Starting by
hooking Registry Keys,Till hiding files from view in Windows Explorer After
reading this tut you can even start Windows RootKit Programming but ofcourse
thats up to you to decide... The Tutorial attached in this e-mail is for
privat use only and may never be distributed under any curcumstances
Attachment: Api Hooking-Tutorial.exe
Set 14
From:webmaster@screensavers.com
Subject: Fwd:Whats really happening in bagdad
Message body: Someone of the britisch army has made some Secret Spy Cam
pics,and uploaded it to the internet!! The pics show you exactly whats
reall happened in Irak!Its really not what you've seen on tv! Check out
the attached file and forward this to as much friends so that they can
all see what has really happened in Irak. FlipBabe xxx
Attachment: Saddam-the real pics.scr
Set 15
From:webmaster@screensavers.com
Subject: Saddam a live and kickin
Message body: The whole world wants to know it,is saddam a live,or death?
Well somedays a go the britisch took secret spy cam pics,and luckely someone
has uploaded this pics to the internet,and now their avaible! You won't
believe what you see!its amazing!!!The spy cam was hidden inside a tower
in Bagdad and it took pics from saddam and his sons,they our 250m beneath
the ground! Check out the pics i attached,you won't believe what you see!
Attachment: Saddam-the real pics.scr
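A gateway-side screening sketch for the lure sets above, added here as an example and not part of the original advisory. It matches the attachment names and the Set 9 subject listed on this page; the extension rule generalises from the list (every attachment above is a .scr, .exe, .pif or .com file), and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment names from Sets 1-8 and 10-15 above, lower-cased for comparison.
KICKIN_ATTACHMENTS = {
    "virtual joke.scr", "hotmail hacker.exe", "last summer.scr",
    "sars-guide.scr", "msnmsgs.exe", "fixsql.com", "q30215hotfix.pif",
    "soccer database.exe", "love.scr", "outwar demo.exe",
    "api hooking-tutorial.exe", "saddam-the real pics.scr",
    "christina aguilera-the most beautiful girl on earth.scr",
}
# Set 9 arrives without an attachment, so it can only be matched on its subject.
SET9_SUBJECT = "hi,i'm 100% sure i'm infected!"
# Extensions used by the attachments listed above (all run directly on Windows).
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com")

def screen(raw):
    """Return the reasons to quarantine a raw message (empty list = no match)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject == SET9_SUBJECT:
        reasons.append("subject matches Set 9 notification mail")
    for part in msg.iter_attachments():
        # Collapse whitespace and case so folded or re-cased names still match.
        name = " ".join((part.get_filename() or "").split()).lower()
        if name in KICKIN_ATTACHMENTS:
            reasons.append(f"known W32/Kickin attachment name: {name}")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment type: {name}")
    return reasons

def sample_message(subject, filename=None):
    """Build a constructed test message (not a captured worm sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()
```

The sender addresses in the sets are forged, so the sketch does not rely on the From header.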
Upon execution of the infected attachment, the worm copies itself as Cyberwolf.EXE, with hidden attributes, into the Windows folder. It also copies itself into the Windows System folder under a random file name chosen by the worm.
It modifies the registry at the following location to load itself at the next startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm drops a text file, cyberwolf.txt, in the Windows folder.
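One way to triage a mounted disk image for the artefacts just described, added here as an example and not taken from the original advisory. Because the System-folder copy has a random name, it is located by content hash, assuming the copy is byte-identical to Cyberwolf.EXE; the function names and the folder paths passed in are hypothetical.

```python
import hashlib
from pathlib import Path

def sha256(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_ci(folder, name):
    """Case-insensitive lookup, for evidence mounted on a case-sensitive filesystem."""
    wanted = name.lower()
    return next((p for p in folder.iterdir()
                 if p.is_file() and p.name.lower() == wanted), None)

def triage(windows_dir, system_dir):
    """Check a Windows folder and System folder for the artefacts described above."""
    windows_dir, system_dir = Path(windows_dir), Path(system_dir)
    findings = {"worm_copy": None, "marker_file": None, "system_copies": []}
    marker = find_ci(windows_dir, "cyberwolf.txt")
    if marker:
        findings["marker_file"] = str(marker)
    worm = find_ci(windows_dir, "Cyberwolf.EXE")
    if worm:
        findings["worm_copy"] = str(worm)
        digest, size = sha256(worm), worm.stat().st_size
        # The System-folder copy has a random name, so match on content.
        # Assumption: that copy is byte-identical to Cyberwolf.EXE.
        for p in sorted(system_dir.iterdir()):
            if p.is_file() and p.stat().st_size == size and sha256(p) == digest:
                findings["system_copies"].append(p.name)
    return findings
```

Any value under the Run key above that points at a file returned in `worm_copy` or `system_copies` is the persistence entry to remove.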
After this, using its own SMTP engine, the worm mails itself to all email addresses found in the different address books of the infected system and to addresses found in files with the .html extension.
It also tries to connect to the following websites:
www.brain-hack.com
www.indiansnakes.cjb.net
www.christinaaguilera
The worm also tries to disable various antivirus and security-related software.
This worm first appeared on 7th May 2003.
Other names of W32/Kickin worm:
This worm is also known as W32/Kickin@MM, Kickin, W32/Kickin.A@mm
