Description
Win32.Cycle.A is a worm that spreads by exploiting a vulnerability in the LSASS service on Windows 2000, XP and 2003 server. It has been distributed as a 10,240-byte, UPX-packed, Win32 executable.
Method of Infection
When executed, Cycle.A copies itself to:
%Windows%\system\svchost.exe
and creates a service called "Host Service" to ensure that this copy is executed at each Windows start.
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
The worm also creates these mutexes:
Jobaka3
JumpallsNlsTillt
Jobaka3l
SkynetSasserVersionWithPingFast
These mutexes will stop various versions of Win32.Sasser from running.
The worm also creates the file %Windows%\cyclone.txt. This is a text file that contains comments, presumably made by the worm's author.
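The artefacts above (the copy in %Windows%\system rather than %System%, the "Host Service" service, the four mutexes, cyclone.txt) are what a responder would check a host for. The following is an added example, not CA's or the analyst's code: it evaluates an offline snapshot of host state rather than querying a live machine, so the snapshot layout, the `%System%` = `%Windows%\system32` resolution, and the TCP/3332 and UDP/69 listener indicators (described further down the page) are assumptions of this example. Because the mutex names are the ones Sasser uses, a mutex hit on its own is classified separately from the Cycle-specific file and service indicators.

```python
"""Offline host-indicator check for Win32.Cycle.A (added example, not the
vendor's tooling). The HostSnapshot layout is an assumption of this example."""
from dataclasses import dataclass

# Indicators as listed in the description above.
CYCLE_SERVICE_NAME = "Host Service"
CYCLE_MUTEXES = {"Jobaka3", "JumpallsNlsTillt", "Jobaka3l",
                 "SkynetSasserVersionWithPingFast"}      # shared with Sasser
CYCLE_LISTENERS = {("tcp", 3332), ("udp", 69)}            # marker port, tftp server
CYCLE_FILES = (
    r"%Windows%\system\svchost.exe",   # worm copy; the real svchost.exe lives in %System%
    r"%Windows%\cyclone.txt",
    r"%System%\cyclone.exe",
)


@dataclass
class HostSnapshot:
    windows_dir: str      # e.g. C:\Windows or C:\Winnt
    services: dict        # service name -> image path
    files: set            # absolute paths present on disk
    mutexes: set          # named kernel objects
    listeners: set        # (proto, port) pairs in LISTENING state


def expand(template, windows_dir):
    """Resolve %Windows% and %System% (assumed to be %Windows%\\system32)."""
    windows_dir = windows_dir.rstrip("\\")
    system_dir = windows_dir + r"\system32"
    return template.replace("%Windows%", windows_dir).replace("%System%", system_dir).lower()


def check_host(snap):
    """Return a list of 'kind: detail' strings for every indicator found."""
    findings = []
    present = {p.lower() for p in snap.files}
    for template in CYCLE_FILES:
        path = expand(template, snap.windows_dir)
        if path in present:
            findings.append(f"file: {path}")
    image = snap.services.get(CYCLE_SERVICE_NAME)
    if image is not None:
        findings.append(f"service: {CYCLE_SERVICE_NAME} -> {image}")
    for name in sorted(CYCLE_MUTEXES & snap.mutexes):
        findings.append(f"mutex: {name}")
    for proto, port in sorted(CYCLE_LISTENERS & snap.listeners):
        findings.append(f"listener: {proto}/{port}")
    return findings


def classify(findings):
    """File/service/listener hits are Cycle-specific; mutexes alone could be Sasser."""
    kinds = {f.split(":", 1)[0] for f in findings}
    if kinds & {"file", "service", "listener"}:
        return "cycle"
    if "mutex" in kinds:
        return "sasser-family-mutex-only"
    return "clean"


# Constructed sample snapshot of an infected XP host (not captured data).
SAMPLE_INFECTED = HostSnapshot(
    windows_dir=r"C:\Windows",
    services={"Host Service": r"C:\Windows\system\svchost.exe"},
    files={r"C:\Windows\system\svchost.exe", r"C:\Windows\cyclone.txt",
           r"C:\Windows\system32\svchost.exe"},
    mutexes={"Jobaka3", "JumpallsNlsTillt", "UnrelatedAppMutex"},
    listeners={("tcp", 3332), ("udp", 69), ("tcp", 445)},
)

if __name__ == "__main__":
    hits = check_host(SAMPLE_INFECTED)
    print(classify(hits))
    for h in hits:
        print("  " + h)
```

The legitimate svchost.exe is always under %System%; a second copy under %Windows%\system is the single most specific indicator here, so the service image path is reported alongside the file hit to make that distinction obvious in the output.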
Method of Distribution
Cycle.A scans random IP addresses for machines to infect. It does this by sending out ICMP echo (ping) requests. If it receives a reply, it then attempts to connect to that address on TCP port 445. If it connects successfully, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability". For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
The Microsoft security bulletin for this vulnerability is available here:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
The worm creates a remote shell on the target machine, listening on a varying TCP port. It then connects to this shell and instructs the remote system to download the worm executable using tftp. If tftp.exe does not exist on the remote system, the transfer will fail.
The worm runs its own tftp server on UDP port 69 on infected machines, for targets to download from. If successful, the worm is saved as %System%\cyclone.exe.
The worm listens on TCP port 3332. This is simply used by the worm to recognize machines that are already infected. It attempts to connect to each target address on port 3332, and if successful, will not try to exploit that machine.
When generating target IP addresses, there is an 81% chance that the worm will generate the first three octets at random. The other 19% of the time it uses the first two octets of the host's IP address, with the third generated randomly. In both cases, it starts with the final octet set to 1 and increments it until it reaches 254.
For example, if the local IP address is 155.35.178.60, it may try 155.35.51.1, 155.35.51.2, 155.35.51.3, etc.
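The scanning behaviour described above (ICMP echo, then TCP/445, with the TCP/3332 "already infected?" probe, walked in order from .1 upward across a /24 that is either random or inside the scanner's own /16) is a distinctive network fingerprint. The following is an added example, not CA's or the analyst's code, of detection logic run over flow records; the record format, the constructed sample flows and the `min_hosts` threshold are assumptions of this example.

```python
"""Flow-record detector for the Cycle.A sweep pattern (added example, not the
vendor's tooling). Record format assumed: "<src> <dst> <proto> <dport>"."""
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real traffic). The first source walks
# 155.35.51.1-5 with ping, 3332 probe and 445; the second is a generic,
# non-sequential 445 scan used as a contrast case.
SAMPLE_FLOWS = """
155.35.178.60 155.35.51.1 icmp 0
155.35.178.60 155.35.51.1 tcp 3332
155.35.178.60 155.35.51.1 tcp 445
155.35.178.60 155.35.51.2 icmp 0
155.35.178.60 155.35.51.2 tcp 3332
155.35.178.60 155.35.51.2 tcp 445
155.35.178.60 155.35.51.3 icmp 0
155.35.178.60 155.35.51.3 tcp 3332
155.35.178.60 155.35.51.3 tcp 445
155.35.178.60 155.35.51.4 icmp 0
155.35.178.60 155.35.51.4 tcp 3332
155.35.178.60 155.35.51.4 tcp 445
155.35.178.60 155.35.51.5 icmp 0
155.35.178.60 155.35.51.5 tcp 445
10.0.0.5 10.0.0.9 tcp 445
10.0.0.5 10.0.0.7 tcp 445
10.0.0.5 10.0.0.20 tcp 445
10.0.0.5 10.0.0.40 tcp 445
"""


def parse_flows(text):
    """Parse one record per line into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto, int(dport)))
    return flows


def _is_consecutive(octets):
    """True when the targeted last octets form an unbroken run (.1, .2, .3 ...)."""
    s = sorted(octets)
    return len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))


def find_cycle_scanners(flows, min_hosts=4):
    """One alert per (source, target /24) that touched >= min_hosts on TCP/445."""
    # (src, /24) -> "icmp" | "tcp/445" | "tcp/3332" -> set of last octets hit
    activity = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport in flows:
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        last = int(dst.rsplit(".", 1)[1])
        key = "icmp" if proto == "icmp" else f"{proto}/{dport}"
        activity[(src, net)][key].add(last)

    alerts = []
    for (src, net), keys in activity.items():
        smb_hosts = keys.get("tcp/445", set())
        if len(smb_hosts) < min_hosts:
            continue
        src16 = ipaddress.ip_network(f"{src}/16", strict=False)
        alerts.append({
            "src": src,
            "target_net": str(net),
            "hosts_on_445": len(smb_hosts),
            "sequential": _is_consecutive(smb_hosts),
            "icmp_first": smb_hosts <= keys.get("icmp", set()),   # every 445 target was pinged
            "probed_3332": bool(keys.get("tcp/3332")),           # the worm's infection marker
            "within_source_16": net.subnet_of(src16),            # the 19% "local" case
        })
    return alerts


def is_cycle_like(alert):
    """The combination that separates this worm from a generic SMB scanner."""
    return alert["sequential"] and alert["probed_3332"] and alert["icmp_first"]


if __name__ == "__main__":
    for a in find_cycle_scanners(parse_flows(SAMPLE_FLOWS)):
        print("CYCLE-LIKE" if is_cycle_like(a) else "generic-scan", a)
```

The sequential walk and the 3332 probe are what distinguish this worm from ordinary port-445 scanning; on its own a burst of 445 connections from one source is too common to alert on, which is why the generic contrast case in the sample produces an alert record but not a Cycle-like verdict.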
As a side effect of infection, the LSASS service may crash, displaying a message like the following:
Payload
Terminates Processes
Cycle.A terminates the following processes, which are associated with the Win32.Poza and Win32.Sasser worms:
msblast.exe
avserve.exe
avserve2.exe
skynetave.exe
Denial of Service
The worm checks the system time. If the day is after the 18th or the month is other than May, it attempts to connect to www.irna.com on TCP port 80. If this is successful, it then launches a Denial of Service attack against this address, by continually sending IP packets with 40 bytes of random data.
If it cannot connect to www.irna.com on port 80, there is a 2% chance it will attempt to launch the DoS against www.bbc.com.
Analysis by Hamish O'Dea