Threat Description

Eyeveg

Details

Aliases: Eyeveg, W32/Lorac.A, W32/Eyeveg, Worm.Win32.Eyeveg
Category: Malware
Type: Worm
Platform: W32

Summary



Eyeveg is a network worm with password stealing and backdoor capabilities.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When run, the worm installs itself to system. It copies its file with a random name to Windows System folder and creates a startup key for this file in System Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "<random_str>" = "%WinSysDir%\<random_str>.exe"


where &lt;random_str&gt; is a string of random ASCII characters and %WinSysDir% is Windows System folder name.

Then the worm activates its local network spreading thread. First it sleeps for some time and then enumerates network shares and tries to copy itself to remote computers. The worm copies its file as EXPLORE.EXE to startup folders of remote computers. When those computers are restarted, the worm's file there will be activated and the computers will become infected.

After that the worm starts another thread. It again waits for some time and then enumerates cached passwords, reads proxy server settings from the Registry and sends all this data to a hacker by e-mail.

The worm has backdoor (hacker's remote access tool) capabilities. A hacker can perform the following actions using the backdoor:

  • 1. Upload files to 'www.melaniecarroll.biz' server
  • 2. Download files from 'www.melaniecarroll.biz' server
  • 3. Find files
  • 4. Copy files
  • 5. Start files
  • 6. Delete files
  • 7. List files
  • 8. Get system information

During its operation the worm creates files with random names and TMP extension in the temporary folder. These file names start with '~' character.



Detection


Detection of Eyeveg worm was added in the following updates:
Detection Type: PC
Database: 2003-08-27_03



Technical Details: Alexey Podrezov; 9th of September, 2003


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your PC

F-Secure Anti-Virus will disinfect your PC and remove all harmful files

Learn More