Eyeveg.f
Summary
Eyeveg.f is a network worm with password stealing, backdoor capabilities and email spreading functionality.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
The worm is a Windows PE executable file 80384 bytes long.
Installation to system
When run, the worm installs itself to system. It copies its file to %SYSTEM% folder under a pseudo-random name. To ensure the worm is started next time the system is started a registry key is created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "" = "%SYSTEM%\.exe"
where <pseudo_random_str> is a ASCII string that is generated by the worm depending on the local disk characteristics and %SYSTEM% is Windows System folder name.
It then drops a BHO (Browser Helper Object) DLL and registers it. The name of the BHO is also pseudo-random. The BHO is a spying trojan which collects various information and is usually activated automatically by Windows when Internet Explorer is started.
A third file is dropped. It is a ZIP archive that contains the main worm. The ZIP has on of the following names:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "" = "%SYSTEM%\.exe"
and contains the worm's body under one of the following names:
screensaver.scr song.wav.scr music.mp3.scr video.avi.scr photo.jpg.scr girls.jpg.scr pic.jpg.scr message.txt.scr image.jpg.scr news.doc.scr details.doc.scr resume.doc.scr love.jpg.scr readme.txt.scr
Spreading in email
Eyeveg.f has mass-mailing capabilities. It will collect email addresses from files with extensions:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "" = "%SYSTEM%\.exe"
The worm avoids sending messages to emails which contain the following strings:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "" = "%SYSTEM%\.exe"
Payload
The worm has functionality that allows it to:
- 1. Upload files to 'www.melaniecarroll.biz' server
- 2. Download files from 'www.melaniecarroll.biz' server
- 3. Find files
- 4. Copy files
- 5. Start files
- 6. Delete files
- 7. List files
- 8. Get system information
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.