11 May 2004

Worm.Win32.Cycle.a - fights Sasser and Lovesan

This worm spreads by exploiting a vulnerability in the LSASS service that is part of Windows 2000/XP/2003 Server. The vulnerability is described in Microsoft Security Bulletin MS04-011. The worm was written in C++ and is about 10 KB in size (UPX-compressed).

Installation

Once run, the worm copies itself to the Windows system folder under the name svchost.exe and creates auto-run keys in the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Service" = "%folder Windows%\system\svchost.exe"

The worm also creates a file named cyclone.exe in the Windows system folder. It contains the following message from the worm's author:

----
Hi,
My name is Cyclone and I live in Iran,
and I want to speak with you about problems 
that we have in iran:

A.In Iran we don't have any kind of freedom, 
because we have islamic republic in iran:
  1.we can't speak freely about regime, we can't 
   speak even a little bit against them!!!
  2.I have to be a moslem otherwise they don't care about me!
  3.we CAN'T even wear the clothes and styles that we wants!
  4.women MUST wear a cloth that no one can even see their hair!!!
  5.they do not allow our national celebrations to be held, 
   they beat us!!
  6.Many more...

B.The human rights is not implemented in Iran and there 
is no justice,
1.Lynch is very common in Iran. If you are against the 
regime then you may silently killed, or if there is a 
tribunal, you can't say anything, everyone works 
against you there.
2.1985-1990, the Islamic Republic of IRAN has been 
killed more than 10,000 Iranian youngs. that has 
been comfirmed by the documentations! This people 
killed without any tribunal or any proof.
3.there is a punishment that is used so much during 
this years, in this punishment, the person who must 
be killed stand in a hole then others attack him 
with stones, this will continue until he/she dead. 
there is some pictures and videos that shows this 
terrible torture!
4.Many more...

C.Misery and poverty grows in Iran, because the 
islamic republic leaders steal the money, they 
stolen the money that provided by selling oil, 
and then the people must die because they don't 
have enough money to even buy a bread!!!

D.Misery and poverty cause vice to grow, 
you see many young people in Iran using drugs 
and I think this is also a trick by the government 
to not allow us to arise against them!

E.Islamic republic gave Iran a bad name. 
before islamic republic we can travel anywhere in the 
world without any problem but now we have so much problems 
if we want to travel a foreign country, anyone think 
that we are terrorist. THE PEOPLE OF IRAN ARE NOT 
TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.

The people of Iran trying to arise, but failed to do. 
About one year ago, Iranian people try to say to the 
world that we don't need Islamic republic but the 
government and police beat the people who try to tell 
the truth and they killed some people.
You see that they don't even care about their own people, 
think what happen if they gain access to an ATOMIC BOMB!!! 
it's very dangerous for the world.
With all of this conditions and injustices, european 
governments still support islamic republic, they say 
that they just care about their own country!
and I want to show them our WRATH!
All of the european people are my friends and I never 
want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must 
be a war against iraq, and if you do this for 
humanity, please do anything that you can do for 
helping iranian people.
at least make your country not to support islamic 
republic anymore, I'm deadly sure that if european 
countries do not support islamic republic. it will 
be destroyed after 3-6 months!
so please help!

I don't want to damage, I just want my country to 
grow, to improve!!! I have no other way to tell 
this words to world, sorry!!
---

The worm was written to fight the Sasser and Lovesan worms. It creates the following unique identifiers in memory, which prevents infection by the Sasser worm:

 • Jobaka3
 • Jobaka3l
 • JumpallsNlsTillt
 • SkynetSasserVersionWithPingFast

The worm also attempts to terminate the following processes:

 • avserve.exe
 • avserve2.exe
 • msblast.exe
 • skynetave.exe

The worm starts an FTP server on TCP port 69, launches four scanning routines that probe IP addresses for potential victims, and sends requests to TCP port 445. If the remote computer accepts the connection, Cycle uses the LSASS vulnerability to start the cmd.exe command interpreter there.

The worm then sends commands that download and install it on the attacked machine. The copy of the worm is downloaded under the name cyclone.exe.

Additional information

After infection, the attacked system displays an error message about the LSASS service, after which the computer may restart.

In addition, on every day in May except Sundays, the worm attempts a DoS attack on the servers irn.com and www.bbcnews.com.
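The indicators given in the Installation section and in the description of the worm's fight with Sasser (auto-run value, dropped files, mutex names, targeted processes, the TCP 69 server) can be turned into a host-triage check. The script below is an added example, not code from the original page or from any antivirus vendor; it evaluates a constructed, in-memory snapshot of a host instead of querying a live machine, so it runs offline on sample data. The HostSnapshot layout, the assumption that the Windows folder is C:\WINDOWS, and the sample values are all assumptions made for the example.

```python
"""Host-triage check for the Worm.Win32.Cycle.a indicators listed on this page.

Added example (not the page's or any vendor's code). It evaluates a constructed
snapshot of a host: registry Run values, file list, process list, mutex names
and listening TCP ports. Collecting that snapshot from a real machine is out of
scope here; the HostSnapshot layout and sample values are assumptions.
"""
from dataclasses import dataclass

# Indicators as stated in the description above.
RUN_VALUE_NAME = "Generic Host Service"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILE = "cyclone.exe"
# Identifiers Cycle creates to keep Sasser out; their presence means either worm.
SASSER_MUTEXES = {"Jobaka3", "Jobaka3l", "JumpallsNlsTillt",
                  "SkynetSasserVersionWithPingFast"}
# Sasser/Lovesan images that Cycle tries to terminate.
RIVAL_PROCESSES = {"avserve.exe", "avserve2.exe", "msblast.exe", "skynetave.exe"}
SERVER_PORT = 69  # the page states the worm serves its copy on TCP 69


@dataclass
class HostSnapshot:
    windir: str            # Windows folder, e.g. C:\WINDOWS (assumed)
    run_values: dict       # {(registry_key, value_name): value_data}
    files: set             # full paths present on disk
    processes: set         # running image names
    mutexes: set           # named mutex objects
    listening_tcp: set     # TCP ports with a listener


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\").rstrip("\\")


def check_cycle_indicators(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    windir = _norm(snap.windir)
    dropper_path = windir + r"\system\svchost.exe"

    # 1. Autorun value. The genuine svchost.exe lives in system32, so a Run
    #    value pointing into <windir>\system is suspicious on its own.
    for key in RUN_KEYS:
        data = snap.run_values.get((key, RUN_VALUE_NAME))
        if data is None:
            continue
        if _norm(data) == dropper_path:
            findings.append(f"autorun: {key}\\{RUN_VALUE_NAME} -> {data}")
        else:
            findings.append(f"autorun value {RUN_VALUE_NAME!r} with unexpected data: {data}")

    # 2. Dropped files: the svchost.exe copy and cyclone.exe under the Windows folder.
    files = {_norm(f) for f in snap.files}
    if dropper_path in files:
        findings.append(f"file: {dropper_path}")
    for f in sorted(files):
        if f.startswith(windir + "\\") and f.rsplit("\\", 1)[-1] == DROPPED_FILE:
            findings.append(f"file: {f}")

    # 3. Mutexes shared with Sasser: Sasser itself or Cycle's vaccine created them.
    for m in sorted(SASSER_MUTEXES & set(snap.mutexes)):
        findings.append(f"mutex: {m} (Sasser or Cycle)")

    # 4. Rival worm processes still running: Cycle would attempt to kill these.
    for p in sorted(RIVAL_PROCESSES & {x.lower() for x in snap.processes}):
        findings.append(f"process: {p} (Sasser/Lovesan, targeted by Cycle)")

    # 5. The TCP 69 server used to deliver the worm copy.
    if SERVER_PORT in snap.listening_tcp:
        findings.append(f"listener: TCP {SERVER_PORT}")
    return findings


def is_likely_cycle(snap: HostSnapshot) -> bool:
    """Report Cycle only when the autorun entry and its target file are both present."""
    f = check_cycle_indicators(snap)
    return any(x.startswith("autorun: ") for x in f) and any(x.startswith("file: ") for x in f)


# Constructed sample snapshots (not real telemetry).
INFECTED = HostSnapshot(
    windir=r"C:\WINDOWS",
    run_values={(RUN_KEYS[0], RUN_VALUE_NAME): r"C:\WINDOWS\system\svchost.exe",
                (RUN_KEYS[1], RUN_VALUE_NAME): r"C:\WINDOWS\system\svchost.exe"},
    files={r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system\svchost.exe",
           r"C:\WINDOWS\system32\cyclone.exe"},
    processes={"svchost.exe", "explorer.exe"},
    mutexes={"Jobaka3", "JumpallsNlsTillt"},
    listening_tcp={69, 445},
)
CLEAN = HostSnapshot(
    windir=r"C:\WINDOWS",
    run_values={(RUN_KEYS[0], "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe"},
    files={r"C:\WINDOWS\system32\svchost.exe"},
    processes={"svchost.exe", "explorer.exe"},
    mutexes=set(),
    listening_tcp={445},
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, "likely Cycle:", is_likely_cycle(snap))
        for line in check_cycle_indicators(snap):
            print("  ", line)
```

The mutex and process findings are deliberately reported as weaker evidence: the mutex names belong to Sasser, and Cycle creates them only to block it, so a match means one of the two worms; the listed processes are Sasser and Lovesan images, which Cycle kills rather than starts. Only the auto-run value together with the file it points at is treated as a positive identification.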