Virus: Worm/Eyeveg.K
Date discovered: 06/09/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 58.880 Bytes
MD5 checksum: 0c727229149436faa464059e9271ecfa
VDF version: 6.31.1.226
Heuristic: Heuristic/Backdoor.Generic

General
Method of propagation:
   • Email


Aliases:
   • Mcafee: W32/Eyeveg.worm.gen
   • Kaspersky: Worm.Win32.Eyeveg.k
   • TrendMicro: WORM_WURMARK.O
   • F-Secure: UNKNOWN VIRUS
   • VirusBuster: Worm.Eyeveg.G1
   • Eset: Win32/Eyeveg.P


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP


Side effects:
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\%random character string%.exe



It drops a copy of itself using a filename from a list:
– To: %SYSDIR%\, using one of the following names:
   • screensaver.zip
   • song.zip
   • music.zip
   • video.zip
   • photo.zip
   • girls.zip
   • pic.zip
   • message.zip
   • image.zip
   • news.zip
   • details.zip
   • resume.zip
   • love.zip
   • readme.zip

The archive contains a copy of the malware itself.



The following files are created:

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\%random character string%.tmp
   • %TEMPDIR%\%random character string%.tmp

– Files in the system directory:
   • %SYSDIR%\%random character string%.dll
   • %SYSDIR%\%random character string%.dll (this file contains the collected keystrokes)



It tries to download a file:

– The location is the following:
   • www.melanie**********.biz/cb
At the time of writing, this file was not online for further investigation.

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "%random character string%"="%random character string%.exe"

Email
It contains an integrated SMTP engine to send emails. It establishes a direct connection to the destination server. The characteristics are described in the following:


From:
The sender address is the user's Outlook account.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • screensaver
   • song
   • music
   • video
   • photo
   • girls
   • pic
   • message
   • image
   • news
   • details
   • resume
   • love
   • readme



Body:
– The body is empty.

 


Attachment:
The filename of the attachment is one of the following:
   • screensaver.zip
   • song.zip
   • music.zip
   • video.zip
   • photo.zip
   • girls.zip
   • pic.zip
   • message.zip
   • image.zip
   • news.zip
   • details.zip
   • resume.zip
   • love.zip
   • readme.zip

The attachment is a copy of the malware itself.
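As an added example (not part of this description), the following Python check flags messages that show the mailing characteristics listed above: a listed subject, an empty body and a .zip attachment carrying one of the listed names. The build_sample_mail helper, the addresses in it and the 4-byte attachment are constructed test data.

```python
from email import message_from_string
from email.message import EmailMessage

# Subject lines and attachment stems listed in the description above; the
# attachment is always <stem>.zip. The description does not say the subject
# and the attachment name are paired, so the two are checked independently.
EYEVEG_STEMS = frozenset({
    "screensaver", "song", "music", "video", "photo", "girls", "pic",
    "message", "image", "news", "details", "resume", "love", "readme",
})
EYEVEG_ATTACHMENTS = frozenset(f"{stem}.zip" for stem in EYEVEG_STEMS)


def matches_eyeveg_mail(raw_message: str) -> bool:
    """True when a raw RFC 822 message shows the Eyeveg.K mailing pattern:
    a listed subject, an empty body and a .zip attachment with a listed name."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject not in EYEVEG_STEMS:
        return False
    body_is_empty = True
    has_listed_zip = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # any part carrying a filename is treated as an attachment
            if filename.strip().lower() in EYEVEG_ATTACHMENTS:
                has_listed_zip = True
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.strip():  # any visible text means the body is not empty
            body_is_empty = False
    return has_listed_zip and body_is_empty


def build_sample_mail(subject: str, body: str, attachment_name: str) -> str:
    """Construct test data (not a captured sample); the 4-byte attachment is
    only a ZIP magic header, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_string()
```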



The email looks like the following:


Mailing
Search addresses:
It searches the following files for email addresses:
   • .ASP
   • .DBX
   • .EML
   • .HTM
   • .MBX
   • .SHT
   • .TBB


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • abuse; admin; alert; localdomain; mcafee; messagelab; noreply;
      pandasoft; postmaster; recipients; report; root; sophos; spam;
      symantec; trendmicro; virus; webmaster

Backdoor
Contact server:
The following:
   • www.melanie**********.biz/n2.php

As a result, it may send information, and remote control could be provided. This is done via the HTTP POST method using a PHP script.
The server's answer is written to the file: %HOME%\Local Settings\Temp\%random characters%.tmp


Sends information about:
   • Cached passwords
   • Information about the network
   • Username
   • Users' local activity
   • Windows directory
   • Information about the Windows operating system


Remote control capabilities:
   • Download file
   • Execute file
   • Kill process
   • Send emails
   • Upload file

Stealing
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– The password from the following program:
   • OutlookExpress

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Irina Boldea on Tuesday, September 6, 2005
Description updated by Irina Boldea on Wednesday, September 14, 2005
