Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Eyeveg.f


Aliases:


Worm.Win32.Eyeveg.f
W32/Eyeveg.H@mm
W32/Eyeveg.worm.gen
WORM_WURMARK.J

Malware

W32

Summary

Eyeveg.f is a network worm with password stealing, backdoor capabilities and e-mail spreading functionality.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm is a Windows PE executable file 80384 bytes long.


Installation to system

When run, the worm installs itself to system. It copies its file to %SYSTEM% folder under a pseudo-random name. To ensure the worm is started next time the system is started a registry key is created:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "<pseudo_random_str>" = "%SYSTEM%\<pseudo_random_str>.exe"


where &lt;pseudo_random_str&gt; is a ASCII string that is generated by the worm depending on the local disk characteristics and %SYSTEM% is Windows System folder name.

It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.

A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has on of the following names:

screensaver.zip
 song.zip
 music.zip
 video.zip
 photo.zip
 girls.zip
 pic.zip
 message.zip
 image.zip
 news.zip
 details.zip
 resume.zip
 love.zip
 readme.zip


and contains the worm's body under one of the following names:

screensaver<many_spaces>.scr
 song.wav<many_spaces>.scr
 music.mp3<many_spaces>.scr
 video.avi<many_spaces>.scr
 photo.jpg<many_spaces>.scr
 girls.jpg<many_spaces>.scr
 pic.jpg<many_spaces>.scr
 message.txt<many_spaces>.scr
 image.jpg<many_spaces>.scr
 news.doc<many_spaces>.scr
 details.doc<many_spaces>.scr
 resume.doc<many_spaces>.scr
 love.jpg<many_spaces>.scr
 readme.txt<many_spaces>.scr



Spreading in e-mail

Eyeveg.f has mass-mailing capabilities. It will collect e-mail addresses from files with extensions:

.SHT
 .ASP
 .HTM
 .MBX
 .EML
 .TBB
 .DBX


The worm avoids sending messages to e-mails which contain the following strings:

admin
 hostmaster
 messagelab
 symantec
 localdomain
 localhost
 mcafee
 postmaster
 webmaster
 spam
 reports
 noreply
 recipients
 abuse
 microsoft
 root



Payload

The worm has functionality that allows it to:

  • 1. Upload files to 'www.melaniecarroll.biz' server
  • 2. Download files from 'www.melaniecarroll.biz' server
  • 3. Find files
  • 4. Copy files
  • 5. Start files
  • 6. Delete files
  • 7. List files
  • 8. Get system information


Detection

Detection for this malware was published on May 12, 2005 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2005-05-12_03



Description Created: Tzvetan Chaliavski, May 12, 2005;



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.