Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

You are here:ThreatsVirus and threats descriptionsEyeveg.M

Eyeveg.M


Aliases:

Eyeveg.M
Eyeveg.M
Worm.Win32.Eyeveg.m, WORM_EYEVEG.C, Trojan-Spy.Win32.Iespy.g
W32/Eyeveg.worm, W32.Lanieca

Malware

W32

Summary

Eyeveg.m is an e-mail worm that sends e-mails with URLs to its infected files that are located on different webservers. Some of those webservers were hacked to upload malware files. The malware files are located inside ZIP archives. The worm also has spying capabilities.



Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When the worm's file is run, it copies itself to Windows System folder with a random name and creates a startup key for itself in the Registry. Then it drops a randomly-named spying component DLL file to the same folder. This DLL file is detected as ' Trojan-Spy.Win32.Iespy.g'.

Before spreading in e-mails the worm collects e-mail addresses. Files with the following extensions are scanned to harvest e-mail addresses: 

.SHT
 .ASP
 .HTM
 .MBX
 .EML
 .TBB
 .DBX

The worm ignores e-mail addresses that contain any of the following: 

admin
 virus
 messagelab
 symantec
 microsoft
 sophos
 pandasoft
 mcafee
 postmaster
 webmaster
 alert
 spam
 report
 noreply
 recipients
 abuse
 trendmicro
 root

The worm sends e-mails with a URL to infected files. The subject can contain any of the following: 

readme
 love
 resume
 details
 news
 image
 message
 pic
 girls
 photo
 video
 music
 song
 screensaver

The URL is composed from the below given domain names, the above given file names and a '.zip' ending. 

africaplc.com
 www.neptuncaffe.com
 scheduleconsult.com
 www.sismodular.com

Currently ZIP archives with malware contain worm's executable files with double extension, for example: 

readme.txt   <lots of spaces>   .scr

The spying component steals POP3 and MSN e-mail account logins and passwords as well as lists of password-protected sites stored by Internet Explorer. Also the trojan keeps a log of every key that a user pressed. The stolen data is uploaded to the 'www.melaniecarroll.biz' website by using a webform.



Detection

F-Secure Anti-Virus detects this malware starting from the following update:

Detection Type: PC
Database: 2005-09-19_01




Technical Details: Alexey Podrezov, September 20th, 2005



Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)



Submit

F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.



Go to Community