Eyeveg.f is a network worm with password-stealing and backdoor capabilities and e-mail spreading functionality.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The worm is a Windows PE executable file 80384 bytes long.
Installation to system
When run, the worm installs itself to the system. It copies its file to the %SYSTEM% folder under a pseudo-random name. To ensure the worm is started the next time the system is started, a registry value is created:
"<pseudo_random_str>" = "%SYSTEM%\<pseudo_random_str>.exe"
where <pseudo_random_str> is an ASCII string that the worm generates from the local disk characteristics and %SYSTEM% is the Windows System folder.
It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.
A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has one of the following names:
screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip
and contains the worm's body under one of the following names:
.scr
song.wav .scr
music.mp3 .scr
video.avi .scr
photo.jpg .scr
girls.jpg .scr
pic.jpg .scr
message.txt .scr
image.jpg .scr
news.doc .scr
details.doc .scr
resume.doc .scr
love.jpg .scr
readme.txt .scr
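The persistence pattern described above (a Run value whose name equals the basename of an .exe in the System folder, backed by a file of the stated 80384-byte size) can be triaged offline from a registry export and a file inventory. The following is an added example, not F-Secure's code or any tool of theirs; the Run-key entries, file sizes and the expanded %SYSTEM% path are constructed, and the "value name equals file stem" rule is a heuristic derived from the description, not a signature.

```python
# Added example (not F-Secure's code): triage exported Run-key values against the
# persistence pattern described above. A hit is a value whose name equals the basename
# of an .exe living in the System folder; a file size of 80384 bytes (the worm's size
# as stated on the page) raises the confidence. All sample data below is constructed.
import ntpath
import re

WORM_SIZE = 80384                       # size of the Eyeveg.f executable, from the page
SYSTEM_DIR = r"C:\WINDOWS\system32"     # assumption: %SYSTEM% on an XP-era host

# Constructed Run-key export: (value name, value data)
RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("kxwqe", r"C:\WINDOWS\system32\kxwqe.exe"),          # constructed look-alike
    ("QuickTime Task", r'"C:\Program Files\QuickTime\qttask.exe" -atboottime'),
    ("zzhlp", r"C:\WINDOWS\system32\zzhlp.exe"),          # constructed: wrong size
]

# Constructed file inventory: path -> size in bytes
FILE_SIZES = {
    r"C:\WINDOWS\system32\ctfmon.exe": 15360,
    r"C:\WINDOWS\system32\kxwqe.exe": 80384,
    r"C:\Program Files\QuickTime\qttask.exe": 98304,
    r"C:\WINDOWS\system32\zzhlp.exe": 20480,
}


def image_path(value_data):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def triage_run_entries(entries, file_sizes, system_dir=SYSTEM_DIR):
    """Return [(value name, confidence)] for entries matching the pattern."""
    hits = []
    for name, data in entries:
        path = image_path(data)
        stem, ext = ntpath.splitext(ntpath.basename(path))
        in_system_dir = ntpath.dirname(path).lower() == system_dir.lower()
        # the page's pattern: value name == file name stem, file in %SYSTEM%
        if not (in_system_dir and ext.lower() == ".exe" and name.lower() == stem.lower()):
            continue
        confidence = "strong" if file_sizes.get(path) == WORM_SIZE else "weak"
        hits.append((name, confidence))
    return hits


if __name__ == "__main__":
    for name, confidence in triage_run_entries(RUN_ENTRIES, FILE_SIZES):
        print("%-16s %s" % (name, confidence))
```

On a live host the entries would come from the Run keys under HKLM and HKCU and the sizes from the file system; the "weak" tier exists because the name is pseudo-random, so the name rule alone will occasionally catch legitimate oddly-named installers and the size check is what separates them.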
Spreading in e-mail
Eyeveg.f has mass-mailing capabilities. It will collect e-mail addresses from files with extensions:
.SHT .ASP .HTM .MBX .EML .TBB .DBX
The worm avoids sending messages to e-mail addresses that contain the following strings:
admin hostmaster messagelab symantec localdomain localhost mcafee postmaster webmaster spam reports noreply recipients abuse microsoft root
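A mail gateway can check the attachment names the worm uses, both the archive names listed in the installation section and the ZIP members that hide a .scr extension behind a decoy document extension and padding whitespace. The following is an added example, not F-Secure's code; the sample ZIPs are constructed in memory from placeholder bytes, and the decision tiers (quarantine, suspicious, deliver) are this example's own.

```python
# Added example (not F-Secure's code): mail-gateway style check for the attachments
# described above. It flags archives carrying one of the listed names and, inside a ZIP,
# members whose name hides a .scr extension behind a decoy extension and padding
# whitespace (the "photo.jpg<spaces>.scr" shape). The sample ZIPs are constructed in
# memory from placeholder bytes.
import io
import re
import zipfile

# Archive names listed on the page
ARCHIVE_NAMES = {
    "screensaver.zip", "song.zip", "music.zip", "video.zip", "photo.zip", "girls.zip",
    "pic.zip", "message.zip", "image.zip", "news.zip", "details.zip", "resume.zip",
    "love.zip", "readme.zip",
}

# Decoy extensions used by the member names listed on the page
DECOY_EXTS = ("wav", "mp3", "avi", "jpg", "txt", "doc")
DOUBLE_EXT = re.compile(r"\.(%s)\s+\.scr$" % "|".join(DECOY_EXTS), re.IGNORECASE)


def member_verdict(member_name):
    """Classify one ZIP member name; None means nothing notable."""
    if DOUBLE_EXT.search(member_name):
        return "double-extension .scr"
    if member_name.lower().endswith(".scr"):
        return "screensaver executable"
    return None


def inspect_attachment(filename, data):
    """Return (action, reasons) for an attachment given its name and raw bytes."""
    reasons = []
    if filename.lower() in ARCHIVE_NAMES:
        reasons.append("archive name on the Eyeveg.f list")
    member_hits = 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict = member_verdict(info.filename)
                if verdict:
                    member_hits += 1
                    reasons.append("%r: %s" % (info.filename, verdict))
    except zipfile.BadZipFile:
        pass  # non-ZIP attachments are judged by name only
    if member_hits:
        action = "quarantine"
    elif reasons:
        action = "suspicious"
    else:
        action = "deliver"
    return action, reasons


def build_sample_zip(member_name):
    """Construct an in-memory ZIP with one harmless placeholder member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder bytes, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("photo.zip", build_sample_zip("photo.jpg          .scr")))
```

The member check is the one that matters: the archive names are ordinary words that legitimate mail will also use, so on their own they only raise a flag, whereas a .scr behind whitespace padding has no benign reason to exist and goes straight to quarantine.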
The worm has backdoor functionality that allows it to:
1. Upload files to the 'www.melaniecarroll.biz' server
2. Download files from the 'www.melaniecarroll.biz' server
3. Find files
4. Copy files
5. Start files
6. Delete files
7. List files
8. Get system information
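The upload and download commands above both go to the same named server, so proxy logs are the natural place to look for infected hosts. The following is an added example, not F-Secure's code: it parses Squid native-format access-log lines, matches the request host against the server named on the page, and labels each hit as an upload, a download or a CONNECT tunnel. The log lines and URL paths are constructed placeholders, and treating any host inside the melaniecarroll.biz domain as the same server is this example's assumption.

```python
# Added example (not F-Secure's code): scan proxy access-log lines for traffic to the
# server named above and label each hit as an upload or a download, matching the two
# backdoor commands the page lists. Log lines below are constructed in Squid's native
# format; the URL paths are placeholders, not paths the worm is known to use.
import re
from urllib.parse import urlsplit

C2_HOSTS = {"www.melaniecarroll.biz"}   # server named on the page
C2_DOMAIN = "melaniecarroll.biz"       # assumption: any host in this domain counts

# Constructed Squid-style access log lines (not real traffic)
LOG_LINES = [
    "1115900001.123    312 10.0.0.15 TCP_MISS/200 1847 POST http://www.melaniecarroll.biz/up.php - DIRECT/203.0.113.7 text/html",
    "1115900002.456     90 10.0.0.15 TCP_MISS/200 80384 GET http://www.melaniecarroll.biz/dl.php - DIRECT/203.0.113.7 application/octet-stream",
    "1115900003.789     40 10.0.0.22 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html",
    "1115900004.012     55 10.0.0.22 TCP_TUNNEL/200 2048 CONNECT www.melaniecarroll.biz:443 - DIRECT/203.0.113.7 -",
    "1115900005.345     30 10.0.0.31 TCP_MISS/200 300 GET http://melaniecarroll.biz.example.net/ - DIRECT/198.51.100.9 text/html",
]

SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Parse one Squid native-format line into a dict, or None if it does not match."""
    m = SQUID_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    """Return the host part of a request URL; CONNECT targets carry no scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def is_c2_host(host):
    """Exact match on the listed server, or any host inside its domain (assumption)."""
    return host in C2_HOSTS or host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)


def find_c2_activity(lines):
    """Return [(client, direction, url)] for every request to the C2 server."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_c2_host(host_of(entry["url"])):
            continue
        method = entry["method"].upper()
        if method in ("POST", "PUT"):
            direction = "upload"
        elif method == "CONNECT":
            direction = "tunnel"
        else:
            direction = "download"
        hits.append((entry["client"], direction, entry["url"]))
    return hits


if __name__ == "__main__":
    for client, direction, url in find_c2_activity(LOG_LINES):
        print(client, direction, url)
```

The last sample line shows why the match is on the parsed host rather than a substring: "melaniecarroll.biz.example.net" contains the domain text but belongs to a different zone and is correctly left alone.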
Detection for this malware was published on May 12, 2005 in the following F-Secure
Detection Type: PC
Description Details: Tzvetan Chaliavski, May 12, 2005;