Proactive IT Security
 

W32/Cycle.A

Threat risk: low

Detection files published:
11 May 2004
Description created:
2004-05-11
Description updated:
2004-05-11

Malware type:
Worm
Alias:
Spreading mechanism:
Other

Payload:

Sandbox analysis

The following is a portion of the instant analysis performed by the Norman Sandbox Technology:

[ General information ]
* File length:        10240 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\cyclone.txt.
* Creates file C:\WINDOWS\system\svchost.exe.

[ Network services ]
* Attempts to resolve name "www.irna.com".
* Connect port 80 [IP], IP 193.75.75.100.
* Checks wheter computer is connected to Internet.
* Attempts to resolve name "c.root-servers.net".
* Sends a ping request (ICMP.DLL) to 193.75.75.100.
* Connect port 69 [IP], IP 0.0.0.0.
* Connect port 80 [Unknown], IP 193.75.75.100.
* Attempts to resolve name "28.11.32.1".
* Connect port 445 [IP], IP 28.11.32.1.
* Connect port 3332 [IP], IP 0.0.0.0.

[ Security issues ]
* Exploits MS04-011 vulnerability.
* Possible backdoor functionality [UNKNOWN] port 3332.

[ Process/window information ]
* Creates a mutex Jobaka3.
* Creates a mutex JumpallsNlsTillt.
* Creates a mutex Jobaka3l.
* Creates a mutex SkynetSasserVersionWithPingFast.
* Enumerates running processes.

Removal

This worm was proactively detected using the Norman Sandbox technology.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Usage Title Comment
  Stopping network share infectors  
  Cleaning of back-up folders on Windows Me and XP