Eyeveg.m is an email worm that sends emails with URLs to its infected files that are located on different webservers. Some of those webservers were hacked to upload malware files. The malware files are located inside ZIP archives. The worm also has spying capabilities.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
When the worm's file is run, it copies itself to Windows System folder with a random name and creates a startup key for itself in the Registry. Then it drops a randomly-named spying component DLL file to the same folder. This DLL file is detected as ' Trojan-Spy.Win32.Iespy.g'.
Before spreading in emails the worm collects email addresses. Files with the following extensions are scanned to harvest email addresses:
.SHT .ASP .HTM .MBX .EML .TBB .DBX
The worm ignores email addresses that contain any of the following:
admin virus messagelab symantec microsoft sophos pandasoft mcafee postmaster webmaster alert spam report noreply recipients abuse trendmicro root
The worm sends emails with a URL to infected files. The subject can contain any of the following:
readme love resume details news image message pic girls photo video music song screensaver
The URL is composed from the below given domain names, the above given file names and a '.zip' ending.
africaplc.com www.neptuncaffe.com scheduleconsult.com www.sismodular.com
Currently ZIP archives with malware contain worm's executable files with double extension, for example:
readme.txt [lots of spaces] .scr
The spying component steals POP3 and MSN email account logins and passwords as well as lists of password-protected sites stored by Internet Explorer. Also the trojan keeps a log of every key that a user pressed. The stolen data is uploaded to the 'www.melaniecarroll.biz' website by using a webform.
Date Created: -
Date Last Modified: -