Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 10 May 2004 03:00:00
Description created: 11 May 2004 02:20:00
Description updated: 11 May 2004 02:20:00
Malware type: WORM
Alias:
Spreading mechanism: OTHER
Summary: None

W32/Cycle.A

Spreading

n/a

Payload Details

n/a

Analysis

The following is a portion of the instant analysis done by the Lumension Sandbox Technology:

[ General information ]
* File length: 10240 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\cyclone.txt.
* Creates file C:\WINDOWS\system\svchost.exe.

[ Network services ]
* Attempts to resolve name "www.irna.com".
* Connect port 80 [IP], IP 193.75.75.100.
* Checks wheter computer is connected to Internet.
* Attempts to resolve name "c.root-servers.net".
* Sends a ping request (ICMP.DLL) to 193.75.75.100.
* Connect port 69 [IP], IP 0.0.0.0.
* Connect port 80 [Unknown], IP 193.75.75.100.
* Attempts to resolve name "28.11.32.1".
* Connect port 445 [IP], IP 28.11.32.1.
* Connect port 3332 [IP], IP 0.0.0.0.

[ Security issues ]
* Exploits MS04-011 vulnerability.
* Possible backdoor functionality [UNKNOWN] port 3332.

[ Process/window information ]
* Creates a mutex Jobaka3.
* Creates a mutex JumpallsNlsTillt.
* Creates a mutex Jobaka3l.
* Creates a mutex SkynetSasserVersionWithPingFast.
* Enumerates running processes.

Removal

This worm was proactively detected using the Lumension Sandbox technology.


Last Updated: 12 Nov 2015 11:06:10