Threat Description



Category: Malware
Platform: W32
Aliases: Worm.Win32.Eyeveg.f, W32/Eyeveg.H@mm, W32/Eyeveg.worm.gen, WORM_WURMARK.J


Eyeveg.f is a network worm with password stealing, backdoor capabilities and e-mail spreading functionality.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is a Windows PE executable file 80384 bytes long.

Installation to system

When run, the worm installs itself to system. It copies its file to %SYSTEM% folder under a pseudo-random name. To ensure the worm is started next time the system is started a registry key is created:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]  "" = "%SYSTEM%\.exe"   

where <pseudo_random_str> is a ASCII string that is generated by the worm depending on the local disk characteristics and %SYSTEM% is Windows System folder name.

It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.

A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has on of the following names:   

and contains the worm's body under one of the following names:

screensaver.scr  song.wav.scr  music.mp3.scr  video.avi.scr  photo.jpg.scr  girls.jpg.scr  pic.jpg.scr  message.txt.scr  image.jpg.scr  news.doc.scr  details.doc.scr  resume.doc.scr  love.jpg.scr  readme.txt.scr   
Spreading in e-mail

Eyeveg.f has mass-mailing capabilities. It will collect e-mail addresses from files with extensions:

.SHT  .ASP  .HTM  .MBX  .EML  .TBB  .DBX   

The worm avoids sending messages to e-mails which contain the following strings:

admin  hostmaster  messagelab  symantec  localdomain  localhost  mcafee  postmaster  webmaster  spam  reports  noreply  recipients  abuse  microsoft  root   

The worm has functionality that allows it to:

  • 1. Upload files to '' server
  • 2. Download files from '' server
  • 3. Find files
  • 4. Copy files
  • 5. Start files
  • 6. Delete files
  • 7. List files
  • 8. Get system information


Detection for this malware was published on May 12, 2005 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2005-05-12_03

Description Details: Tzvetan Chaliavski, May 12, 2005;


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More