Threat Encyclopaedia

Chowl.A

Win32/Chowl.A is a worm that spreads as an e-mail attachment and through the KaZaA peer-to-peer network and several other file-sharing networks. The worm file is 34816 bytes long and is compressed with the UPX packer; unpacked, it is more than 115 kB. It targets computers running Windows 95/98/Me/NT/2000 or XP.

Win32/Chowl.A arrives in a message whose subject is picked at random from a set of predefined strings. The subject is one of the following:

EA and EIDOS Presents...
A Virtual joke...the funniest around!
PacketStorm:WINDOWS Xp has several exploits
A kiss from me to you...

The body of the message is a predefined text that tries to persuade the recipient to run the attached file, which is the worm itself. The attachment is always 34816 bytes long and carries one of the following names: CyberWolf-Patch.exe, Windows Xp Exploit.exe, The CyberWolf-Joke.scr or My Kiss for you.scr.
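The three indicators above (subject line, attachment name, exact attachment length) are enough for a mail-gateway triage rule. The following is an added example, not ESET's code: it builds a constructed MIME message with the standard library, walks its attachment parts and scores the message, treating an attachment name match as decisive and the size alone as weak, since 34816 bytes is a property of this build rather than of the lure.

```python
"""Mail-gateway triage for the Win32/Chowl.A lure described above.

Added example (not ESET's code). A constructed MIME message is parsed with
the standard library and scored on the three indicators the description
gives: subject text, attachment file name and the exact attachment length.
"""
import email
from email import policy
from email.message import EmailMessage

WORM_SIZE = 34816
SUBJECTS = {
    "ea and eidos presents...",
    "a virtual joke...the funniest around!",
    "packetstorm:windows xp has several exploits",
    "a kiss from me to you...",
}
ATTACHMENT_NAMES = {
    "cyberwolf-patch.exe",
    "windows xp exploit.exe",
    "the cyberwolf-joke.scr",
    "my kiss for you.scr",
}


def attachments(msg):
    """Yield (filename, decoded size in bytes) for every attachment part."""
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        yield (part.get_filename() or ""), len(payload)


def triage_raw(raw):
    """Return (verdict, reasons) for a raw RFC 822 message.

    verdict: "block"  - attachment name matches, or subject and size both match
             "review" - a single indicator matched (size alone is weak evidence)
             "pass"   - nothing matched
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject_hit = (msg["subject"] or "").strip().lower() in SUBJECTS
    if subject_hit:
        reasons.append("subject matches Chowl.A lure")
    name_hit = size_hit = False
    for name, size in attachments(msg):
        if name.lower() in ATTACHMENT_NAMES:
            name_hit = True
            reasons.append("attachment name %r is used by Chowl.A" % name)
        if size == WORM_SIZE:
            size_hit = True
            reasons.append("attachment %r is exactly %d bytes" % (name, WORM_SIZE))
    if name_hit or (subject_hit and size_hit):
        return "block", reasons
    return ("review" if reasons else "pass"), reasons


def build_message(subject, filename, size):
    """Constructed sample: one text body plus one binary attachment of `size` bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please run the attached file.")
    msg.add_attachment(b"\0" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: the documented lure, a renamed attachment with the
# documented subject, a benign file that happens to be 34816 bytes, and a
# benign message.
SAMPLES = {
    "lure":      ("A kiss from me to you...", "My Kiss for you.scr", WORM_SIZE),
    "renamed":   ("EA and EIDOS Presents...", "patch.exe", WORM_SIZE),
    "size_only": ("Quarterly report", "report.xls", WORM_SIZE),
    "benign":    ("Quarterly report", "report.xls", 1200),
}


def run_samples():
    """Triage every constructed sample; returns {label: verdict}."""
    return {label: triage_raw(build_message(*args))[0]
            for label, args in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print("%-10s %s" % (label, verdict))
```

Name and subject strings are trivially changed in a variant, so the rule is a triage aid that logs its reasons, not a replacement for a scanner; the size check exists to catch the renamed-attachment case when the lure subject is still present.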

Note: In the following text the symbolic name %windir% stands for the directory in which Windows is installed; this differs from installation to installation. The system subdirectory below it is written %system%.

When the attachment is run, the worm reads the registry key HKEY_CURRENT_USER\Software\Kazaa\LocalContent and takes the value DownloadDir, which holds the directory the installed KaZaA client shares with other users. The worm then creates a subdirectory named Windows Security Haches in that directory and copies itself into it under the following names:

Visual Basic 6.0 Msdn Plugin.exe
Hotmail Hacker 2003-Xss Exploit.exe
Netbios Nuker 2003.exe
WinRar 3.xx Password Cracker.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
W32.CyberWolf@mm Fix.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
WinZipped Visual C++ Tutorial.exe
XNuker 2003 2.93b.exe
Edonkey2000-Speed me up scotty.exe
Imesh SDK+Xbit Speed Up.exe
PopUp remover 9.25.exex
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
EA Games Keygen for All versions(only EA).exe
Free mem-Games-SpeedUP.exe
Security-2003-Update.exe
Stripping MP3 dancer+crack.exe
Crackologic(all windows Apps).exe
CyberWolf-Patch.exe
Windows Xp Exploit.exe
The CyberWolf-Joke.scr
My Kiss for you.scr

This is not the only place the worm drops copies. It also copies itself into %system% under the names CyberWolf.exe, Rundll32.exe, Systemexplorer.exe, Systemsystem.exe, Kernell32.exe, system32.exe, systems.exe, service.exe, regedit32.exe, Ms-Dos.com and Windows.scr, and drops a further copy named Windows Media Player Plugin.exe into %windir%\TEMP.

Win32/Chowl.A creates its copies also in following locations:

C:\Program Files\eDonkey2000\Incoming\Edonkey2000-Ad remover.exe
C:\Program Files\eDonkey2000\Incoming\Hotmail Hacker 2003-Xss Exploit.exe
C:\Program Files\eDonkey2000\Incoming\Netbios Nuker 2003.exe
C:\Program Files\eDonkey2000\Incoming\WinRar 3.xx Password Cracker.exe
C:\Program Files\eDonkey2000\Incoming\EA Games Keygen for All versions(only EA).exe
C:\Program Files\Bearshare\Shared\Hotmail Hacker 2003-Xss Exploit.exe
C:\Program Files\Bearshare\Shared\BearShare Pro 4.3.1 Beta Version.exe
C:\Program Files\Bearshare\Shared\XNuker 2003 2.93b.exe
C:\Program Files\Bearshare\Shared\Chaos Ip 2003-Xp compitable.exe
C:\Program Files\Bearshare\Shared\Netbios Nuker 2003.exe
C:\Program Files\Grokster\My Grokster\Grokster ad-remover.exe
C:\Program Files\Grokster\My Grokster\Stripping mp3 dancer+crack.exe
C:\Program Files\Grokster\My Grokster\Trojan Utility 5.6.exe
C:\Program Files\Grokster\My Grokster\Winrar 3.xx password cracker.exe
C:\Program Files\Grokster\My Grokster\NetScan 1.6.exe
C:\Program Files\Grokster\My Grokster\Xss security exploit-hotmail.exe
C:\Program Files\Morpheus\My Shared Folder\Morpheus-Gold.exe
C:\Program Files\Morpheus\My Shared Folder\WebSeek-Mp3.exe
C:\Program Files\Morpheus\My Shared Folder\Chaos Ip.exe
C:\Program Files\limewire\Shared\Lunix-Download.exe
C:\Program Files\Morpheus\My Shared Folder\Netbios Exploiter Xp.exe
C:\Program Files\limewire\Shared\Credit card Generator
C:\Program Files\limewire\Shared\CrackOlogic(all windows apps).exe

Win32/Chowl.A then edits the registry so that it is started again after a reboot. It creates a value named CyberWolf under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the data "C:\WINDOWS\CyberWolf.exe", and a value named Windows Installer Service under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the data "C:\WINDOWS\SYSTEM\msiexec.exe". Both entries are written as literal C:\WINDOWS paths rather than relative to %windir%.

The worm also creates a value named CyberWolf under HKEY_CURRENT_USER\SOFTWARE\CyberWolf containing the string "You are Biten".

Through the registry the worm also sets the Microsoft Internet Explorer home page to http://CyberWolf-has-bitten-you.com.

The worm terminates any running process whose name matches one of the following list, which consists mostly of antivirus and personal-firewall components plus the Windows Task Manager: CCAPP.exe, zapro.exe, taskmgr.exe, NMAIN.exe, AVPCC.exe, AVP.exe, ANTI-TROJAN.exe, WEBSCAN.exe, NUPDATE.exe, NAVAPW32.exe, ESAFE.exe, BLACKICE.exe, CFIND.exe, KPFW32.exe, KPF.exe, LUALL.exe, AUPDATE.exe, QCONSOLE.exe, BOOTWARN.exe, CCSHTDWN.exe, AVPMON.exe, SCAN32.exe, FINDVIRU.exe and _AVP32.exe.
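The file drops and registry changes described above are the host-side artifacts an incident responder would sweep for. The following is an added example, not ESET's code: it parses text in the format written by `reg export` for the two Run-key values and the Internet Explorer start page, and walks a directory tree for dropped copies, gating every file hit on the documented 34816-byte size. Assumptions not taken from the description: the start page is looked up at the usual "Start Page" value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, and the KaZaA share directory in the constructed sample tree is a made-up path (the worm itself reads it from DownloadDir).

```python
"""Host sweep for the Win32/Chowl.A artifacts described above.

Added example (not ESET's code). Parses reg-export text for the persistence
values and the IE start page, and walks a directory tree for dropped copies.
"""
import os
import re
import tempfile

WORM_SIZE = 34816
# Names the worm uses for copies in %system%, %windir%\TEMP and the share
# directories (lower-cased; a subset of the full list in the description).
DROPPED_NAMES = {n.lower() for n in (
    "CyberWolf.exe", "Rundll32.exe", "Systemexplorer.exe", "Systemsystem.exe",
    "Kernell32.exe", "system32.exe", "systems.exe", "service.exe",
    "regedit32.exe", "Ms-Dos.com", "Windows.scr",
    "Windows Media Player Plugin.exe", "CyberWolf-Patch.exe",
    "Windows Xp Exploit.exe", "The CyberWolf-Joke.scr", "My Kiss for you.scr",
    "Netbios Nuker 2003.exe", "Hotmail Hacker 2003-Xss Exploit.exe",
)}
RUN_VALUE_NAMES = {"cyberwolf", "windows installer service"}
HOMEPAGE = "http://cyberwolf-has-bitten-you.com"
_RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run$", re.I)
_IE_MAIN = re.compile(r"\\microsoft\\internet explorer\\main$", re.I)  # assumed location
_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo reg-export escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse REGEDIT4/5 export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])  # REG_SZ; dword:/hex: data kept raw
            keys[current][name] = data
    return keys


def suspicious_registry(text):
    """Return (key, value_name, data, reason) for each Chowl.A registry indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if _RUN_KEY.search(key):
                if name.lower() in RUN_VALUE_NAMES:
                    hits.append((key, name, data, "Run value name used by Chowl.A"))
                elif os.path.basename(data.replace("\\", "/")).lower() == "cyberwolf.exe":
                    hits.append((key, name, data, "Run value launches CyberWolf.exe"))
            elif (_IE_MAIN.search(key) and name.lower() == "start page"
                  and data.lower().rstrip("/") == HOMEPAGE):
                hits.append((key, name, data, "IE start page set by Chowl.A"))
    return hits


def suspicious_files(root):
    """Walk `root`; flag files that carry a dropped name AND the exact worm size.

    Rundll32.exe is also a genuine Windows binary, so the size gate is what
    keeps the name list usable on a live system.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in DROPPED_NAMES:
                path = os.path.join(dirpath, fn)
                if os.path.getsize(path) == WORM_SIZE:
                    hits.append(path)
    return sorted(hits)


# Constructed reg-export text mimicking an infected host (SystemTray is a benign entry).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Installer Service"="C:\\WINDOWS\\SYSTEM\\msiexec.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://CyberWolf-has-bitten-you.com"
'''


def build_sample_tree():
    """Constructed directory layout: three dropped copies plus a benign Rundll32.exe."""
    root = tempfile.mkdtemp(prefix="chowl_")
    layout = {
        os.path.join("WINDOWS", "SYSTEM", "Kernell32.exe"): WORM_SIZE,
        os.path.join("WINDOWS", "SYSTEM", "Rundll32.exe"): 24576,  # legitimate binary, placeholder size
        os.path.join("WINDOWS", "TEMP", "Windows Media Player Plugin.exe"): WORM_SIZE,
        # KaZaA share path is assumed here; the worm reads the real one from DownloadDir
        os.path.join("Program Files", "Kazaa", "My Shared Folder",
                     "Windows Security Haches", "Netbios Nuker 2003.exe"): WORM_SIZE,
    }
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for hit in suspicious_registry(SAMPLE_REG):
        print("registry:", hit)
    for path in suspicious_files(build_sample_tree()):
        print("file:", path)
```

A Run entry named "Windows Installer Service" is itself the indicator: the genuine Windows Installer is not registered through a Run key, so the sweep keys on the value name rather than on the msiexec.exe path. The IE start page is also recorded in the stored registry key check, since it survives removal of the files and is a quick confirmation that the host was hit by this worm rather than by something dropping similarly named files.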

The worm then displays a message box.

Win32/Chowl.A spreads through the Microsoft Outlook mail client, using addresses harvested from the Windows Address Book.

NOD32 detects Win32/Chowl.A from version 1.368.