Additional Details
When run, the worm installs itself on the system. It copies its file
with a random name to the Windows System folder and creates a startup
key for this file in the System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"<random_str>" = "%WinSysDir%\<random_str>.exe"
where <random_str> is a string of random ASCII characters and
%WinSysDir% is the name of the Windows System folder.
Then the worm activates its local network spreading thread. First
it sleeps for some time and then enumerates network shares and
tries to copy itself to remote computers. The worm copies its
file as EXPLORE.EXE to startup folders of remote computers. When
those computers are restarted, the worm's file there will be
activated and the computers will become infected.
After that the worm starts another thread. It again waits for
some time, then enumerates cached passwords, reads proxy
server settings from the Registry and sends all this data to a
hacker by e-mail.
The worm has backdoor (hacker's remote access tool) capabilities.
A hacker can perform the following actions using the backdoor:
1. Upload files to 'www.melaniecarroll.biz' server
2. Download files from 'www.melaniecarroll.biz' server
3. Find files
4. Copy files
5. Start files
6. Delete files
7. List files
8. Get system information
During its operation the worm creates files with random names and
TMP extension in the temporary folder. These file names start
with '~' character.
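The three host-side indicators described above (a Run value pointing at a randomly named executable in the Windows System folder, EXPLORE.EXE dropped into a startup folder, and ~<random>.TMP files in the temporary folder) can be checked by a short triage script. The following is an added example, not code from the original F-Secure description; it works on constructed listings rather than reading the live registry or file system, and the host names, value names and file names in the sample data are invented for illustration.

```python
"""Triage helper for the persistence and file-drop indicators described above.
Constructed example: the registry values, startup-folder and temp-folder
listings are built inline so the script runs offline."""
import re
from pathlib import PureWindowsPath

# File name the worm uses when copying itself to remote startup folders.
SPREAD_FILENAME = "explore.exe"
# Temporary files the worm creates: '~' prefix, random name, TMP extension.
TEMP_PATTERN = re.compile(r"^~.*\.tmp$", re.IGNORECASE)


def _executable_path(command):
    """Extract the program path from a Run value; quoted paths may carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:].split('"', 1)[0])
    return PureWindowsPath(command.split(" ", 1)[0])


def suspicious_run_entries(run_values, win_sys_dir, known_good=frozenset()):
    """Return Run-key value names that follow the worm's install pattern:
    value name equals the executable's base name and the file lives directly
    in the Windows System folder. run_values maps value name -> command string
    (assumed already exported from HKLM\\...\\Run). Legitimate entries such as
    ctfmon also match, so an allowlist of known-good names is applied."""
    sysdir = PureWindowsPath(win_sys_dir)
    hits = []
    for name, command in run_values.items():
        if name.lower() in {g.lower() for g in known_good}:
            continue
        path = _executable_path(command)
        # PureWindowsPath compares case-insensitively, as Windows does.
        if (path.parent == sysdir and path.suffix.lower() == ".exe"
                and path.stem.lower() == name.lower()):
            hits.append(name)
    return sorted(hits)


def spread_artifacts(startup_listing):
    """Return hosts whose startup folder contains the file name the worm
    copies over network shares. startup_listing maps host -> file names."""
    return sorted(host for host, files in startup_listing.items()
                  if any(f.lower() == SPREAD_FILENAME for f in files))


def temp_artifacts(temp_listing):
    """Return temp-folder file names matching the worm's ~<random>.TMP pattern.
    Weak indicator on its own: other software also creates such files."""
    return sorted(f for f in temp_listing if TEMP_PATTERN.match(f))


# Constructed sample data (not taken from a real host).
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",          # legitimate, allowlisted
    "qzkwpx": r"C:\WINDOWS\System32\qzkwpx.exe",          # random name in System folder
    "Updater": r'"C:\Program Files\Vendor\upd.exe" /background',
}
SAMPLE_STARTUP = {
    "WS01": ["desktop.ini", "EXPLORE.EXE"],
    "WS02": ["desktop.ini"],
}
SAMPLE_TEMP = ["~a1b2c3.tmp", "setup.log", "~q7w8e9.TMP"]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN, r"C:\WINDOWS\System32",
                                                  known_good={"ctfmon"}))
    print("Startup-folder hits:", spread_artifacts(SAMPLE_STARTUP))
    print("Temp-folder hits:", temp_artifacts(SAMPLE_TEMP))
```

A Run value whose name matches a randomly named executable in the System folder is the strongest of the three signals; the temp-file pattern should only be used to corroborate it, since many legitimate programs create ~*.tmp files.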
Detection of the Eyeveg worm was added in the following updates:
Version=2003-08-27_03
Technical Details:
Alexey Podrezov; 9th of September, 2003;