Threat Description

Eyeveg.M

Details

Category: Malware
Platform: W32
Aliases: Eyeveg.M, Worm.Win32.Eyeveg.m, WORM_EYEVEG.C, Trojan-Spy.Win32.Iespy.g, W32/Eyeveg.worm, W32.Lanieca

Summary


Eyeveg.M is an e-mail worm that sends e-mails containing URLs pointing to copies of itself hosted on several web servers; some of those servers were compromised so that the malware files could be uploaded. The files are distributed inside ZIP archives. The worm also carries a spying component.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product, which can be found in the Downloads section of the F-Secure website.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or Chat forms on the F-Secure website.



Technical Details


When the worm's file is run, it copies itself to the Windows System folder under a random name and creates a startup key for itself in the Registry. It then drops a randomly named spying-component DLL into the same folder; this DLL is detected as 'Trojan-Spy.Win32.Iespy.g'.

Before spreading by e-mail, the worm harvests e-mail addresses from files with the following extensions:

.SHT, .ASP, .HTM, .MBX, .EML, .TBB, .DBX

The worm skips any harvested address that contains one of the following strings (a common trick to avoid mailing security vendors, administrators and abuse mailboxes):

admin, virus, messagelab, symantec, microsoft, sophos, pandasoft, mcafee, postmaster, webmaster, alert, spam, report, noreply, recipients, abuse, trendmicro, root

The worm sends e-mails containing a URL to an infected file rather than an attachment. The subject is one of the following words:

readme, love, resume, details, news, image, message, pic, girls, photo, video, music, song, screensaver

The URL is built from one of the domain names below, one of the words above as the file name, and a '.zip' extension:

africaplc.com, www.neptuncaffe.com, scheduleconsult.com, www.sismodular.com

At the time of writing, the ZIP archives contain the worm's executable with a double extension: a harmless-looking first extension, a long run of spaces that pushes the real extension out of view in most file listings, and then the real '.scr' extension, for example:

readme.txt   [lots of spaces]   .scr   

The spying component steals POP3 and MSN e-mail account logins and passwords, as well as the list of password-protected sites stored by Internet Explorer, and it keeps a log of every key the user presses. The stolen data is uploaded to the 'www.melaniecarroll.biz' website through a web form.
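The lure pattern described above (a one-word subject, a URL of the form domain/name.zip on one of the listed hosts, and a ZIP member whose name hides '.scr' behind a run of spaces) is simple enough to match at a mail gateway. The following is an added example written for this page, not F-Secure's detection logic and not code from the worm; the indicator lists are copied from the write-up, while the set of executable extensions checked behind the padding is an assumption that generalises beyond the '.scr' case the page shows, and the sample messages and archive are constructed, not captured:

```python
"""Flag the Eyeveg.M lure pattern in e-mail text and in ZIP attachments."""
import io
import re
import zipfile
from urllib.parse import urlparse

# Indicators copied from the write-up above.
LURE_DOMAINS = {"africaplc.com", "www.neptuncaffe.com",
                "scheduleconsult.com", "www.sismodular.com"}
LURE_NAMES = {"readme", "love", "resume", "details", "news", "image", "message",
              "pic", "girls", "photo", "video", "music", "song", "screensaver"}

# Assumption: the padding trick is checked for several executable extensions;
# the write-up itself only shows ".scr".
EXEC_EXT = {"scr", "exe", "pif", "com", "bat", "cmd"}

# "readme.txt<many spaces>.scr": harmless-looking extension, a run of at least
# two whitespace characters, then the real (executable) extension.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^\s.]+)\.(?P<fake>[a-z0-9]{1,4})\s{2,}\.(?P<real>[a-z0-9]{1,4})$",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_padded_double_extension(name):
    """True for names like 'readme.txt          .scr'."""
    m = PADDED_DOUBLE_EXT.match(name)
    return bool(m) and m.group("real").lower() in EXEC_EXT


def is_eyeveg_lure_url(url):
    """True when host, file name and .zip extension all match the lure pattern."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    if (p.hostname or "").lower() not in LURE_DOMAINS:
        return False
    filename = p.path.rsplit("/", 1)[-1].lower()
    stem, dot, ext = filename.rpartition(".")
    return dot == "." and ext == "zip" and stem in LURE_NAMES


def lure_urls_in(text):
    """Extract URLs from free text (trailing punctuation stripped) and keep lure hits."""
    candidates = (m.rstrip(".,;:)") for m in URL_RE.findall(text))
    return [u for u in candidates if is_eyeveg_lure_url(u)]


def classify_message(subject, body):
    """Return (verdict, reasons). Only a lure URL is strong enough to flag on its own;
    a single lure word in a subject line is too common in legitimate mail."""
    reasons = []
    subject_words = set(re.findall(r"[a-z]+", subject.lower()))
    if subject_words & LURE_NAMES:
        reasons.append("subject is a lure word: " + ", ".join(sorted(subject_words & LURE_NAMES)))
    urls = lure_urls_in(body)
    if urls:
        reasons.append("lure URL: " + ", ".join(urls))
    return ("eyeveg-lure" if urls else "clean"), reasons


def suspicious_zip_members(zip_bytes):
    """Names inside the archive that use the padded double-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_padded_double_extension(n)]


def build_sample_zip():
    """Constructed sample archive (not a real malware sample): one padded-name member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt" + " " * 60 + ".scr", b"placeholder, not executable code")
        zf.writestr("notes.txt", b"benign")
    return buf.getvalue()


SAMPLE_MESSAGES = [  # constructed for this example, not captured traffic
    {"subject": "photo", "body": "Look: http://www.sismodular.com/photo.zip"},
    {"subject": "Re: Q3 numbers", "body": "Attached. https://example.com/report.zip"},
    {"subject": "resume", "body": "my cv http://africaplc.com/resume.pdf."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(repr(m["subject"]), classify_message(m["subject"], m["body"]))
    print(suspicious_zip_members(build_sample_zip()))
```

The URL check is deliberately strict (host, file name and extension must all match) so that it stays a low-false-positive indicator for this campaign; the padded-name check is the more durable of the two, since the same trick reappears in other mass mailers long after these four domains are cleaned up.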



Detection


F-Secure Anti-Virus detects this malware starting from the following update:

Detection Type: PC
Database: 2005-09-19_01



Technical Details:Alexey Podrezov, September 20th, 2005

