
Discovered: February 26, 2003
Updated: February 13, 2007 11:43:35 AM
Type: Worm
Systems Affected: Windows

W32.HLLW.Cydog@mm is a mass-mailing worm that spreads by email. This worm uses Microsoft Outlook to send itself to the contacts in the Outlook Address Book:

  • The email will have a random subject chosen from a predetermined selection.
  • The attachment will have a random file name chosen from a predetermined selection, with a file extension of .exe or .scr.

W32.HLLW.Cydog@mm also attempts to spread using the KaZaA, eDonkey2000, Bearshare, Grokster, and Morpheus file-sharing networks. The worm attempts to terminate the active processes of various antivirus programs and system utilities.

W32.HLLW.Cydog@mm also attempts to delete:
  • Program files that Norton AntiVirus products use
  • Files shared by various Symantec programs, including the virus definition files

W32.HLLW.Cydog@mm is a Visual Basic application that is packed with UPX 1.24.

Antivirus Protection Dates

  • Initial Rapid Release version February 26, 2003
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version February 26, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date February 26, 2003


Technical Description

When W32.HLLW.Cydog@mm runs, it performs the following actions:

  1. Obtains the location of the KaZaA-shared folder from the value: DownloadDir

    which is contained in the registry key:


    NOTE: The name and location of this shared folder can vary. For the purposes of this writeup, <DownloadDir> is used to refer to this folder.
  2. Creates the \<DownloadDir>\Windows Security Haches folder.
  3. Creates a share for the newly created folder, by creating the values:

    Dir0 012345:<DownloadDir>\Windows Security Haches
    DisableSharing 0

    in the registry key:

  4. Creates copies of itself as the following file names:
    • %System%\Cyberwolf.exe
    • %System%\Rundll32.exe
    • %System%\System\Explorer.exe
    • %System%\System\System.exe
    • %System%\Kernell32.exe
    • %System%\System32.exe
    • %System%\Systems.exe
    • %System%\Service.exe
    • %System%\Regedit32.exe
    • %System%\Windows.Scr
    • %System%\Ms-Dos.Com
    • %Temp%\Windows Media Player Plugin.exe
    • <DownloadDir>\Windows Security Haches\Visual Basic 6.0 Msdn Plugin.exe
    • <DownloadDir>\Windows Security Haches\Hotmail Hacker 2003-Xss Exploit.exe
    • <DownloadDir>\Windows Security Haches\Netbios Nuker 2003.exe
    • <DownloadDir>\Windows Security Haches\Winrar 3.Xx Password Cracker.exe
    • <DownloadDir>\Windows Security Haches\Microsoft Keygenerator-Allmost All Microsoft Stuff.exe
    • <DownloadDir>\Windows Security Haches\W32.Cyberwolf@Mm Fix.exe
    • <DownloadDir>\Windows Security Haches\Kazaa SDK + Xbit Speedup For 2.Xx.exe
    • <DownloadDir>\Windows Security Haches\Winzipped Visual C++ Tutorial.exe
    • <DownloadDir>\Windows Security Haches\Xnuker 2003 2.93b.exe
    • <DownloadDir>\Windows Security Haches\Edonkey2000-Speed Me Up Scotty.exe
    • <DownloadDir>\Windows Security Haches\Imesh SDK+Xbit Speed Up.exe
    • <DownloadDir>\Windows Security Haches\Popup Remover 9.25.exe
    • <DownloadDir>\Windows Security Haches\Credit Card Numbers Generator(Incl Visa,Mastercard,...).exe
    • <DownloadDir>\Windows Security Haches\EA Games Keygen For All Versions(Only EA).exe
    • <DownloadDir>\Windows Security Haches\Free Mem-Games-Speedup.exe
    • <DownloadDir>\Windows Security Haches\Security-2003-Update.exe
    • <DownloadDir>\Windows Security Haches\Stripping MP3 Dancer+Crack.exe
    • <DownloadDir>\Windows Security Haches\Crackologic(All Windows Apps).exe
    • <DownloadDir>\Windows Security Haches\The Cyberwolf-Joke.Scr
    • <DownloadDir>\Windows Security Haches\My Kiss For You.Scr
    • <DownloadDir>\Windows Security Haches\Windows Xp Exploit.exe
    • <DownloadDir>\Windows Security Haches\Cyberwolf-Patch.exe
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2000-Ad Remover.exe
    • C:\Program Files\Edonkey2000\Incoming\Hotmail Hacker 2003-Xss Exploit.exe
    • C:\Program Files\Edonkey2000\Incoming\Netbios Nuker 2003.exe
    • C:\Program Files\Edonkey2000\Incoming\Winrar3.Xx Password Cracker.exe
    • C:\Program Files\Edonkey2000\Incoming\EA Games Keygen For All Versions(Only EA).exe
    • C:\Program Files\Bearshare\Shared\Hotmail Hacker 2003-Xss Exploit.exe
    • C:\Program Files\Bearshare\Shared\Bearshare<Pro 4.3.1 Beta Version.exe
    • C:\Program Files\Bearshare\Shared\Xnuker 2003 2.93b.exe
    • C:\Program Files\Bearshare\Shared\Chaos Ip 2003-Xp Compitable.exe
    • C:\Program Files\Bearshare\Shared\Netbios Nuker 2003.exe
    • C:\Program Files\Grokster\My Grokster\Grokster Ad-Remover.exe
    • C:\Program Files\Grokster\My Grokster\Stripping Mp3 Dancer+Crack.exe
    • C:\Program Files\Grokster\My Grokster\Trojan Utility 5.6.exe
    • C:\Program Files\Grokster\My Grokster\Winrar 3.Xx Password Cracker.exe
    • C:\Program Files\Grokster\My Grokster\Netscan 1.6.exe
    • C:\Program Files\Grokster\My Grokster\Xss Security Exploit-Hotmail.exe
    • C:\Program Files\Morpheus\My Shared Folder\Morpheus-Gold.exe
    • C:\Program Files\Morpheus\My Shared Folder\Webseek-Mp3.exe
    • C:\Program Files\Morpheus\My Shared Folder\Chaos Ip.exe
    • C:\Program Files\Morpheus\My Shared Folder\Netbios Exploiter Xp.exe
    • C:\Program Files\Limewire\Shared\Credit Card Generator
    • C:\Program Files\Limewire\Shared\Crackologic(All Windows Apps).exe
    • C:\Program Files\Limewire\Shared\Lunix-Download.exe

      %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  5. Creates the following values:

    CyberWolf CyberWolf.exe
    Windows Systems Service %System%\Kernell32.exe
    Windows Kernell %System%\Dllhost.exe
    Dllhost %System%\msiexec.exe
    Windows Installer Service %System%\CyberWolf.exe

    in the registry key:


    so that the worm runs when you start Windows.
  6. Creates the value:

    CyberWolf "You are Biten"

    in the registry key:

  7. Attempts to delete all the files from these folders:
    • C:\Program Files\Common Files\Symantec Shared
    • C:\Program Files\Norton AntiVirus
  8. Attempts to delete all the .exe, .dll, .ocx, and .ini files.
  9. Attempts to terminate the following processes, using the Windows Management Instrumentation (WMI) object:
    • _Avp32.exe
    • Anti-trojan.exe
    • Aupdate.exe
    • Avp.exe
    • Avpcc.exe
    • Avpmon.exe
    • Blackice.exe
    • Bootwarn.exe
    • Ccapp.exe
    • Ccshtdwn.exe
    • Cfind.exe
    • Esafe.exe
    • Findviru.exe
    • Kpf.exe
    • Kpfw32.exe
    • Luall.exe
    • Navapw32.exe
    • Nmain.exe
    • Nupdate.exe
    • Qconsole.exe
    • Regedit.exe
    • Scan32.exe
    • Taskmgr.exe
    • Webscan.exe
    • Zapro.exe

  10. Displays this message:

    Fatal error in Windows Kernell

    Please allow a 10 MINUTES acces for windows to send an error report to microsoft in hope they solve this error This operation could take a few moments but it will help microsoft to make an Windows Update If a dialog is prompted from MS Outlook then please click the yes button to allow Windows to send the e-mail!
  11. Uses Microsoft Outlook to send itself to all the contacts that the worm finds in the Microsoft Outlook Address Book. The email is one of the following randomly chosen messages:

    Subject: EA and EIDOS Presents...
    Dear client
    Some information about our long-awaited product: CyberWolf
    CyberWolf is the newest product of Electronic Arts and Eidos Interactive!
    Its a complete new technology which actualy speeds up you're processor time needed to play game of EA and EIDOS
    Including FIFA 2003,BATTLEFIELD 1942,NHL2003,CM01/02 and all the other games produced by these companies!
    The technology behind these new product is something that clear's excisting ram when playing this game--->Results:
    The speed and graphical abilities are increased by 35%,so loading a new game wile go 35% faster!So more gameplay,less waiting and looking at that um screen!
    But it will take sometime for EA and EIDOS to alert all peoples who has EA and EIDOS games,but...
    They decided to mail the CyberWolf-Patch to users who have games from EA and EIDOS and to people who visited the website within the past 18 months!
    also they decided to mail this patch to workers in companies and to other people who are using the internet regulary
    If you want to enjoy this Speed-the-hell-out-ya-head-PATCH then just install the attachment,restart you're pc and start playing games or...
    wait until you buy a EA or EIDOS game,and enjoy it then!the choice is yours!
    Before i forget:This patch seems to work on other games as well,it speeds up those games by 15-30% depending on the game!
    This email is provided to you by PacketStorm,please enjoy our services
    This product may NOT be soled or copied!It may only be used by the intended recipient and this only for the purpose for which it has been sent
    If you are not the intended recipient,then please contact EA or EIDOS at EE-CyberWolf.patch@EA-EIDOS.com and delete this e-mail and attachement
    We believe and warrant that this e-mail and any attachments, are virus free,we take full responsibility about this attachment
    For more information please contact us at EE-CyberWolf.patch@EA-EIDOS.com or suft to www.EA.com/project\cyberwolf.htm and ww.eidos.com\cyberwolf.asp
    E-mail provided to you by Elena (Elena@EA-EIDOS.com)
    Attachment: CyberWolf-Patch.exe (34,816 bytes)

    Subject: PacketStorm:WINDOWS Xp has several exploits
    According to the redaction of PacketStorm
    Windows Xp has several exploits which could not be removed because
    if the do want to delete it then they should rewrite Kernell!
    but this would mean rewriting everything Micrsoft had build up over the last years'
    Bill Gates from microsoft reported that there is no exploit at all!,it was just a joke from a hacker
    attending to scar off windows XP users
    However the word goes around that allready several users and admins have been hacked by an mysterious hacker
    nicknamed 'The CyberWolf'
    if you want more information about this exploit and the exploit itself,then open the included e-mail
    do not forget to vote for PacktStorm when running the attachment,Enjoy the rest of our services
    This email is provided to you by PacketStorm,please enjoy our services
    Attachment: Windows Xp Exploit.exe (34,816 bytes)

    Subject: A Virtual joke...the funniest around!
    have you heard about the CyberWolf-Joke?
    its soooo funny you 'll laugh yourself a bunch when you see and hear the joke
    haha those little bastards on your screen are soooo funny:D:D
    just download and open the attached screensaver (The CyberWolf-Joke.scr = this is actually the joke) and look at it
    funny hu!!!
    after you have run the joke click ctrl+shift+p to see who made it.
    I hope you have fun with it

    This e-mail is presented to you by Joking-Soft,a division of MicroSoft.
    If you have any problems with this e-mail or attachment then please contact us.
    We take full responsability for this e-mail and attachements.
    They are virusfree and are property of Joking-Soft
    Please do not Sell or Distribute these atachments.
    I thank you
    Attachment: The CyberWolf-Joke.scr (34,816 bytes)

    Subject: A kiss from me to you...
    Dear User
    Someone has dropped a kiss in you're mailbox!
    Check-Out the attached Kiss from the anonymous person,probably a secret lover or a very good friend
    After you have been kissed please visit www.internetkiss.com and send this kiss to all the person who you adore or just like
    You are Nr.315723625 who has received this Internet-Kiss.
    This Internet-Kiss-Letter is started on 13/01/1997 and hopes to continue until 13/01/2007.
    Attachment: My Kiss for you.scr (34,816 bytes)
  12. Creates the value:

    CyberWolf "They are emailed"

    in the registry key:

  13. Attempts to change some mouse and keyboard parameters, such as the cursor blink rate or the character repeat delay.
  14. Changes the system parameters responsible for displaying the hidden files, extensions, and so on.
  15. Changes the Internet Explorer home page to http:/ /CyberWolf-has-bitten-you.com.
  16. May create a text file and print it on the default printer.
  17. May launch an infinite loop that runs several previously created copies of itself. This fills memory with processes that consume system resources.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Update the virus definitions.
  2. Restart the computer in Safe mode.
  3. Run a full system scan and delete all the files detected as W32.HLLW.Cydog@mm.
  4. Delete the values that the worm added to the registry.
For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate), in the "Protection" section, at the top of this writeup.
  • Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater), in the "Protection" section, at the top of this writeup.

    The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Restarting the computer in Safe mode
All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

3. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.HLLW.Cydog@mm, click Delete.

4. Deleting the values from the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

  4. In the right pane, delete the value:

    Dir0 012345:<DownloadDir>\Windows Security Haches

  5. Navigate to and delete the following registry keys:

  6. Navigate to the key:

  7. In the right pane, delete the following values:

    CyberWolf CyberWolf.exe
    Windows Systems Service %System%\Kernell32.exe
    Windows Kernell %System%\Dllhost.exe
    Dllhost %System%\msiexec.exe
    Windows Installer Service %System%\CyberWolf.exe
  8. Exit the Registry Editor.
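
A cleanup check for the startup values and dropped files listed in this writeup, as an added example (not Symantec's code). It matches each startup value name together with its data, because Dllhost.exe and msiexec.exe are also the names of genuine Windows files, and it compares paths case-insensitively. The caller supplies the startup entries and the file listing, since the registry key paths are not shown on this page; the function names and sample data are constructed for illustration.

```python
import ntpath

# Startup values from step 5 of the Technical Description: value name -> data.
WORM_RUN_VALUES = {
    "cyberwolf": "cyberwolf.exe",
    "windows systems service": r"%system%\kernell32.exe",
    "windows kernell": r"%system%\dllhost.exe",
    "dllhost": r"%system%\msiexec.exe",
    "windows installer service": r"%system%\cyberwolf.exe",
}
# %System% copies from step 4, relative to the System folder. Rundll32.exe is
# left out: it shares its name with a genuine Windows file, so a name check
# cannot identify the worm's copy; that one is left to the antivirus scan.
WORM_SYSTEM_FILES = {
    "cyberwolf.exe", r"system\explorer.exe", r"system\system.exe",
    "kernell32.exe", "system32.exe", "systems.exe", "service.exe",
    "regedit32.exe", "windows.scr", "ms-dos.com",
}
SHARE_FOLDER = "windows security haches"  # folder created in step 2

def _norm(path, system_dir):
    """Expand %System%, then fold case and slashes as Windows path comparison does."""
    lowered = path.strip().strip('"').lower()
    expanded = lowered.replace("%system%", system_dir.lower())
    return ntpath.normcase(ntpath.normpath(expanded))

def find_run_values(entries, system_dir):
    """Return names of (name, data) startup entries matching a worm name/data pair."""
    hits = []
    for name, data in entries:
        expected = WORM_RUN_VALUES.get(name.strip().lower())
        if expected and _norm(data, system_dir) == _norm(expected, system_dir):
            hits.append(name)
    return hits

def find_dropped_files(paths, system_dir):
    """Return paths that are worm copies in %System% or sit inside the share folder."""
    root = _norm(system_dir, system_dir) + "\\"
    hits = []
    for path in paths:
        n = _norm(path, system_dir)
        in_share = SHARE_FOLDER in n.split("\\")[:-1]
        in_system = n.startswith(root) and n[len(root):] in WORM_SYSTEM_FILES
        if in_share or in_system:
            hits.append(path)
    return hits

# Constructed sample input (not taken from a real machine).
SYSTEM_DIR = r"C:\Windows\System32"
SAMPLE_ENTRIES = [
    ("CyberWolf", "CyberWolf.exe"),
    ("Windows Kernell", r"C:\WINDOWS\System32\Dllhost.exe"),
    ("Dllhost", r"%System%\msiexec.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("Windows Installer Service", r"C:\Windows\System32\msiexec.exe"),
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\Kernell32.exe",
    r"C:\WINDOWS\system32\System\Explorer.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\rundll32.exe",
    r"D:\My Shared Folder\Windows Security Haches\Netbios Nuker 2003.exe",
]

if __name__ == "__main__":
    print(find_run_values(SAMPLE_ENTRIES, SYSTEM_DIR))
    print(find_dropped_files(SAMPLE_PATHS, SYSTEM_DIR))
```

An empty result from both functions after the removal steps means none of the listed name/data pairs or distinctive file names remain; it does not replace the full system scan.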

Writeup By: Serghei Sevcenco