Eyeveg.M

Classification

Malware

-

-

Eyeveg.M, Eyeveg.M, Worm.Win32.Eyeveg.m, WORM_EYEVEG.C, Trojan-Spy.Win32.Iespy.g, W32/Eyeveg.worm, W32.Lanieca

Summary

Eyeveg.m is an email worm that sends emails with URLs to its infected files that are located on different webservers. Some of those webservers were hacked to upload malware files. The malware files are located inside ZIP archives. The worm also has spying capabilities.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

When the worm's file is run, it copies itself to Windows System folder with a random name and creates a startup key for itself in the Registry. Then it drops a randomly-named spying component DLL file to the same folder. This DLL file is detected as ' Trojan-Spy.Win32.Iespy.g'.

Before spreading in emails the worm collects email addresses. Files with the following extensions are scanned to harvest email addresses:

.SHT
.ASP
.HTM
.MBX
.EML
.TBB
.DBX
 

The worm ignores email addresses that contain any of the following:

admin
virus
messagelab
symantec
microsoft
sophos
pandasoft
mcafee
postmaster
webmaster
alert
spam
report
noreply
recipients
abuse
trendmicro
root
 

The worm sends emails with a URL to infected files. The subject can contain any of the following:

readme
love
resume
details
news
image
message
pic
girls
photo
video
music
song
screensaver
 

The URL is composed from the below given domain names, the above given file names and a '.zip' ending.

africaplc.com
www.neptuncaffe.com
scheduleconsult.com
www.sismodular.com
 

Currently ZIP archives with malware contain worm's executable files with double extension, for example:

readme.txt
 [lots of spaces]
 .scr
 

The spying component steals POP3 and MSN email account logins and passwords as well as lists of password-protected sites stored by Internet Explorer. Also the trojan keeps a log of every key that a user pressed. The stolen data is uploaded to the 'www.melaniecarroll.biz' website by using a webform.