Summary

| Protection available since | 18 May 2004 13:17:40 (GMT) |
|---|---|
| Last updated | 19 May 2004 10:22:26 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Download and install the Microsoft patch mentioned above.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
You should also delete the following:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOST_SERVICE\
HKLM\SYSTEM\CurrentControlSet\Services\Host Service\
Close the registry editor.
More Information
W32/Cycle-A is a network worm which searches for unpatched computers on the Internet using randomly generated IP addresses.
These computers are vulnerable to the LSASS buffer overrun exploit which can permit a remote attacker to gain administrator privileges on the local computer.
For more information about this Windows vulnerability, please refer to the following Microsoft Security Bulletin:
Microsoft Security Bulletin MS04-011.
W32/Cycle-A will copy itself into the Windows System folder under the filename SVCHOST.EXE and create the following registry branches:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOST_SERVICE\
HKLM\SYSTEM\CurrentControlSet\Services\Host Service\
The second branch will contain the entry:
ImagePath = C:\<Windows System>\SVCHOST.EXE
This will ensure that the worm is executed every time that the computer is restarted.
W32/Cycle-A will run a TFTP server on UDP port 69. When a target computer has been accessed, it will execute a remote shell and attempt to download a copy of itself from the TFTP server onto the remote computer using the filename CYCLONE.EXE. This worm may then modify the following registry entry:
Generic Host Service = C:\<Windows System>\SVCHOST.EXE
This entry may exist under the following registry branches on the target computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
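The registry entries listed above can be checked for in the text of a registry export, as in the following example (added here, not Sophos code). It assumes the export has been decoded to text with string values in .reg syntax; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the W32/Cycle-A description above.
SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOST_SERVICE",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Host Service",
)
RUN_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Generic Host Service"
# Constructed sample export; C:\WINNT\system32 stands in for <Windows System>.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Service"="C:\\WINNT\\system32\\SVCHOST.EXE"
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Host Service]
"ImagePath"="C:\\WINNT\\system32\\SVCHOST.EXE"

[HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Tools\\upd.exe"
'''

def parse_reg(text):
    """Yield (key, name, data); name is None for the key header itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:  # string data only; hex(...) data is passed through raw
                yield key, m.group(1), m.group(2).strip('"').replace("\\\\", "\\")

def find_cycle_a(text):
    """Return (kind, key, data) for each registry artefact the page names."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.upper()
        if name is None:
            if any(k == s.upper() or k.startswith(s.upper() + "\\") for s in SERVICE_KEYS):
                hits.append(("service-key", key, ""))
        elif k.endswith(RUN_SUFFIX.upper()) and name.lower() == RUN_VALUE.lower():
            hits.append(("run-value", key, data))
        elif k == SERVICE_KEYS[1].upper() and name.lower() == "imagepath":
            hits.append(("image-path", key, data))
    return hits
```

Each hit is a candidate for the manual removal steps in the Action section; the reported path should be checked against the files that were deleted.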
W32/Cycle-A will also attempt to terminate processes associated with the W32/Blaster and W32/Sasser worms and may initiate a denial-of-service (DoS) attack against the following sites on the 18th May:
www.irna.com
www.bbc.com
www.isna.com
www.bbcnews.com
W32/Cycle-A will drop the file C:\<Windows>\CYCLONE.TXT. This is a message containing statements about the political and social situation in Iran, which reads as follows:
Hi,
My name is Cyclone and I live in Iran, and I want to speak with you about problems that we have in iran:
A.In Iran we don't have any kind of freedom, because we have islamic republic in iran:
1.we can't speak freely about regime, we can't speak even a little bit against them!!!
2.I have to be a moslem otherwise they don't care about me!
3.we CAN'T even wear the clothes and styles that we wants!
4.women MUST wear a cloth that no one can even see their hair!!!
5.they do not allow our national celebrations to be held, they beat us!!
6.Many more...
B.The human rights is not implemented in Iran and there is no justice,
1.Lynch is very common in Iran. If you are against the regime then you may silently killed, or if there is a tribunal, you can't say anything, everyone works against you there.
2.1985-1990, the Islamic Republic of IRAN has been killed more than 10,000 Iranian youngs. that has been comfirmed by the documentations! This people killed without any tribunal or any proof.
3.there is a punishment that is used so much during this years, in this punishment, the person who must be killed stand in a hole then others attack him with stones, this will continue until he/she dead. there is some pictures and videos that shows this terrible torture!
4.Many more...
C.Misery and poverty grows in Iran, because the islamic republic leaders steal the money, they stolen the money that provided by selling oil, and then the people must die because they don't have enough money to even buy a bread!!!
D.Misery and poverty cause vice to grow, you see many young people in Iran using drugs and I think this is also a trick by the government to not allow us to arise against them!
E.Islamic republic gave Iran a bad name. before islamic republic we can travel anywhere in the world without any problem but now we have so much problems if we want to travel a foreign country, anyone think that we are terrorist. THE PEOPLE OF IRAN ARE NOT TERRORIST, THE ISLAMIC REPUBLIC OF IRAN IS TERRORIST.
The people of Iran trying to arise, but failed to do. About one year ago, Iranian people try to say to the world that we don't need Islamic republic but the government and police beat the people who try to tell the truth and they killed some people. You see that they don't even care about their own people, think what happen if they gain access to an ATOMIC BOMB!!! it's very dangerous for the world.
With all of this conditions and injustices, european governments still support islamic republic, they say that they just care about their own country! and I want to show them our WRATH! All of the european people are my friends and I never want to harm them, just government and the Politicians!
If you protest against iraq war and say why there must be a war against iraq, and if you do this for humanity, please do anything that you can do for helping iranian people. at least make your country not to support islamic republic anymore, I'm deadly sure that if european countries do not support islamic republic. it will be destroyed after 3-6 months! so please help!
I don't want to damage, I just want my country to grow, to improve!!! I have no other way to tell this words to world, sorry!!
