Threat Description

Eyeveg.f

Details

Aliases:Worm.Win32.Eyeveg.f, W32/Eyeveg.H@mm, W32/Eyeveg.worm.gen, WORM_WURMARK.J
Category: Malware
Type:
Platform: W32

Summary



Eyeveg.f is a network worm with password stealing, backdoor capabilities and e-mail spreading functionality.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is a Windows PE executable file 80384 bytes long.

Installation to system

When run, the worm installs itself to system. It copies its file to %SYSTEM% folder under a pseudo-random name. To ensure the worm is started next time the system is started a registry key is created:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "<pseudo_random_str>" = "%SYSTEM%\<pseudo_random_str>.exe"

where &lt;pseudo_random_str&gt; is a ASCII string that is generated by the worm depending on the local disk characteristics and %SYSTEM% is Windows System folder name.

It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.

A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has on of the following names:

screensaver.zip
 song.zip
 music.zip
 video.zip
 photo.zip
 girls.zip
 pic.zip
 message.zip
 image.zip
 news.zip
 details.zip
 resume.zip
 love.zip
 readme.zip

and contains the worm's body under one of the following names:

screensaver<many_spaces>.scr
 song.wav<many_spaces>.scr
 music.mp3<many_spaces>.scr
 video.avi<many_spaces>.scr
 photo.jpg<many_spaces>.scr
 girls.jpg<many_spaces>.scr
 pic.jpg<many_spaces>.scr
 message.txt<many_spaces>.scr
 image.jpg<many_spaces>.scr
 news.doc<many_spaces>.scr
 details.doc<many_spaces>.scr
 resume.doc<many_spaces>.scr
 love.jpg<many_spaces>.scr
 readme.txt<many_spaces>.scr

Spreading in e-mail

Eyeveg.f has mass-mailing capabilities. It will collect e-mail addresses from files with extensions:

.SHT
 .ASP
 .HTM
 .MBX
 .EML
 .TBB
 .DBX

The worm avoids sending messages to e-mails which contain the following strings:

admin
 hostmaster
 messagelab
 symantec
 localdomain
 localhost
 mcafee
 postmaster
 webmaster
 spam
 reports
 noreply
 recipients
 abuse
 microsoft
 root

Payload

The worm has functionality that allows it to:

  • 1. Upload files to 'www.melaniecarroll.biz' server
  • 2. Download files from 'www.melaniecarroll.biz' server
  • 3. Find files
  • 4. Copy files
  • 5. Start files
  • 6. Delete files
  • 7. List files
  • 8. Get system information


Detection


Detection for this malware was published on May 12, 2005 in the following F-Secure Anti-Virus updates:
Detection Type: PC
Database: 2005-05-12_03



Description Created: Tzvetan Chaliavski, May 12, 2005;


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More