Additional Details
The worm is a Windows PE executable file 80384 bytes long.
Installation to system
When run, the worm installs itself on the system. It copies its file
to the %SYSTEM% folder under a pseudo-random name. To ensure the worm is
started the next time the system boots, a registry key is created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"<pseudo_random_str>" = "%SYSTEM%\<pseudo_random_str>.exe"
where <pseudo_random_str> is an ASCII string generated by the worm
from the local disk characteristics and %SYSTEM% is the Windows System
folder name.
It then drops a BHO (Browser Helper Object) DLL and registers it.
The name of the BHO is also pseudo-random. The BHO is a spying trojan
that collects various information and is usually activated automatically
by Windows when Internet Explorer is started.
A third file is dropped. It is a ZIP archive that contains the main worm. The
ZIP has one of the following names:
screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip
and contains the worm's body under one of the following names (<many_spaces>
stands for a long run of space characters):
screensaver<many_spaces>.scr
song.wav<many_spaces>.scr
music.mp3<many_spaces>.scr
video.avi<many_spaces>.scr
photo.jpg<many_spaces>.scr
girls.jpg<many_spaces>.scr
pic.jpg<many_spaces>.scr
message.txt<many_spaces>.scr
image.jpg<many_spaces>.scr
news.doc<many_spaces>.scr
details.doc<many_spaces>.scr
resume.doc<many_spaces>.scr
love.jpg<many_spaces>.scr
readme.txt<many_spaces>.scr
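As an added illustration that is not part of the original write-up, the following Python check flags attachments that follow the naming scheme above: archive names from the list, and archive members whose visible name is padded with whitespace in front of the real .scr extension. The ZIP it inspects is constructed in memory for the demonstration and is not an actual specimen.

```python
import io
import re
import zipfile

# Archive names listed in the write-up.
EYEVEG_ZIP_NAMES = {
    "screensaver.zip", "song.zip", "music.zip", "video.zip", "photo.zip",
    "girls.zip", "pic.zip", "message.zip", "image.zip", "news.zip",
    "details.zip", "resume.zip", "love.zip", "readme.zip",
}

# A decoy name, a run of at least two whitespace characters, then the
# real executable extension (the write-up shows .scr; the others are
# common screensaver/executable extensions added for generality).
PADDED_EXEC_RE = re.compile(
    r"^(?P<decoy>\S+)(?P<pad>\s{2,})(?P<real>\.(?:scr|exe|pif|com|bat))$",
    re.IGNORECASE,
)


def inspect_archive(archive_name: str, data: bytes) -> list:
    """Return human-readable findings for one ZIP attachment."""
    findings = []
    if archive_name.lower() in EYEVEG_ZIP_NAMES:
        findings.append(f"archive name '{archive_name}' matches Eyeveg.f list")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            m = PADDED_EXEC_RE.match(info.filename)
            if m:
                findings.append(
                    f"member '{m.group('decoy')}' hides {m.group('real')} "
                    f"behind {len(m.group('pad'))} spaces"
                )
    return findings


def build_sample() -> bytes:
    """Constructed sample ZIP mimicking the described layout (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("song.wav" + " " * 100 + ".scr", b"placeholder bytes")
        zf.writestr("readme.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive("song.zip", build_sample()):
        print(line)
```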
Spreading in e-mail
Eyeveg.f has mass-mailing capabilities. It collects e-mail addresses
from files with the following extensions:
.SHT
.ASP
.HTM
.MBX
.EML
.TBB
.DBX
The worm avoids sending messages to e-mail addresses that contain the
following strings:
admin
hostmaster
messagelab
symantec
localdomain
localhost
mcafee
postmaster
webmaster
spam
reports
noreply
recipients
abuse
microsoft
root
Payload
The worm has functionality that allows it to:
1. Upload files to 'www.melaniecarroll.biz' server
2. Download files from 'www.melaniecarroll.biz' server
3. Find files
4. Copy files
5. Start files
6. Delete files
7. List files
8. Get system information
Detection
Detection for this malware was published on May 12, 2005
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2005-05-12_03
Write-up:
Tzvetan Chaliavski, May 12, 2005;