Eyeveg.f is a network worm with password stealing, backdoor capabilities and e-mail spreading functionality.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The worm is a Windows PE executable file 80384 bytes long.
Installation to system
When run, the worm installs itself on the system. It copies its file to the %SYSTEM% folder under a pseudo-random name. To ensure the worm is started the next time the system starts, a registry key is created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"<pseudo_random_str>" = "%SYSTEM%\<pseudo_random_str>.exe"
where <pseudo_random_str> is an ASCII string that the worm generates depending on the local disk characteristics, and %SYSTEM% is the Windows System folder name.
It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.
A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has one of the following names:
screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip
and contains the worm's body under one of the following names:
screensaver<many_spaces>.scr
song.wav<many_spaces>.scr
music.mp3<many_spaces>.scr
video.avi<many_spaces>.scr
photo.jpg<many_spaces>.scr
girls.jpg<many_spaces>.scr
pic.jpg<many_spaces>.scr
message.txt<many_spaces>.scr
image.jpg<many_spaces>.scr
news.doc<many_spaces>.scr
details.doc<many_spaces>.scr
resume.doc<many_spaces>.scr
love.jpg<many_spaces>.scr
readme.txt<many_spaces>.scr
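The padded entry names listed above can be checked for at a mail gateway or during attachment triage. The following is an added example, not F-Secure's detection logic: it flags ZIP entries whose real extension sits behind a run of spaces. The three-space threshold, the extensions other than .scr and all function names are assumptions.

```python
import io
import re
import zipfile

# Extensions treated as executable; the page documents only .scr (the rest are assumptions).
EXEC_EXT = {"scr", "exe", "pif", "com"}
# Visible name, then a run of padding whitespace (threshold of 3 is an assumption),
# then the real extension at the very end of the name.
PADDED = re.compile(r"^(?P<stem>.*?\S)(?P<pad>\s{3,})\.(?P<ext>[A-Za-z0-9]{1,4})$")

def check_entry(name):
    """Return a finding dict if the entry name hides an executable extension behind padding."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # ignore any directory part
    m = PADDED.match(base)
    if not m or m.group("ext").lower() not in EXEC_EXT:
        return None
    stem = m.group("stem")
    # A decoy such as ".jpg" is optional: "screensaver<many_spaces>.scr" has none.
    decoy = stem.rsplit(".", 1)[1].lower() if "." in stem else None
    return {"entry": base, "shown_as": stem, "decoy_ext": decoy,
            "real_ext": m.group("ext").lower(), "padding": len(m.group("pad"))}

def scan_zip(data):
    """Scan ZIP bytes (for example a mail attachment) and return findings for padded names."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                hit = check_entry(info.filename)
                if hit:
                    findings.append(hit)
    except zipfile.BadZipFile:
        return [{"error": "not a valid ZIP"}]
    return findings

def build_sample(entry_name):
    """Build a constructed test archive that holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, b"placeholder, not malware")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed names that follow the pattern described on the page, plus a benign one.
    for name in ("photo.jpg" + " " * 40 + ".scr", "screensaver" + " " * 40 + ".scr", "notes.txt"):
        print(repr(name[:12]), scan_zip(build_sample(name)))
```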
Spreading in e-mail
Eyeveg.f has mass-mailing capabilities. It will collect e-mail addresses from files with extensions:
.SHT .ASP .HTM .MBX .EML .TBB .DBX
The worm avoids sending messages to e-mails which contain the following strings:
admin hostmaster messagelab symantec localdomain localhost mcafee postmaster webmaster spam reports noreply recipients abuse microsoft root
The worm has functionality that allows it to:
1. Upload files to 'www.melaniecarroll.biz' server
2. Download files from 'www.melaniecarroll.biz' server
3. Find files
4. Copy files
5. Start files
6. Delete files
7. List files
8. Get system information
Detection for this malware was published on May 12, 2005 in the following F-Secure
Detection Type: PC
Description Created: Tzvetan Chaliavski, May 12, 2005