Worm/Eyeveg.K - Worm
Virus: Worm/Eyeveg.K
Date discovered: 06/09/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 58,880 Bytes
MD5 checksum: 0c727229149436faa464059e9271ecfa
VDF version: 6.31.1.226
Heuristic: Heuristic/Backdoor.Generic
General
Method of propagation:
• Email
Aliases:
• Mcafee: W32/Eyeveg.worm.gen
• Kaspersky: Worm.Win32.Eyeveg.k
• TrendMicro: WORM_WURMARK.O
• F-Secure: UNKNOWN VIRUS
• VirusBuster: Worm.Eyeveg.G1
• Eset: Win32/Eyeveg.P
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP
Side effects:
• Records keystrokes
• Registry modification
• Steals information
Files
It copies itself to the following location:
• %SYSDIR%\%random character string%.exe
It drops a copy of itself using a filename from a list:
– To: %SYSDIR%\ using one of the following names:
• screensaver.zip
• song.zip
• music.zip
• video.zip
• photo.zip
• girls.zip
• pic.zip
• message.zip
• image.zip
• news.zip
• details.zip
• resume.zip
• love.zip
• readme.zip
The archive contains a copy of the malware itself.
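The drop list above gives a defender something concrete to look for on a host: fourteen fixed archive names in the system directory, each holding a single executable. The following triage script is an added example, not Avira's code or the worm's; it walks a directory you name (the real system directory on a suspect machine, a temporary one in the test), opens each archive that carries one of the listed names, and reports "confirmed" when the single .exe member has the MD5 and file size given in the header of this description, "suspicious" when it is a lone .exe with a different hash or not an archive at all, and "clean" otherwise. The sample files in make_sample_sysdir are constructed for the test and contain no malware.

```python
import hashlib
import os
import tempfile
import zipfile

# The fourteen archive names the worm drops into the system directory
# (taken from the description above).
DROP_NAMES = (
    "screensaver.zip", "song.zip", "music.zip", "video.zip", "photo.zip",
    "girls.zip", "pic.zip", "message.zip", "image.zip", "news.zip",
    "details.zip", "resume.zip", "love.zip", "readme.zip",
)

# MD5 and size of the static sample, as given in the header of this page.
EYEVEG_K_MD5 = "0c727229149436faa464059e9271ecfa"
EYEVEG_K_SIZE = 58880


def classify_archive(path: str) -> str:
    """Classify one file found under a known drop name.

    'confirmed'  - a single .exe member with the page's MD5 and size
    'suspicious' - a single .exe member with another hash, or not a zip at all
    'clean'      - anything else (e.g. a genuine readme.zip holding text files)
    """
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
            if len(members) != 1 or not members[0].lower().endswith(".exe"):
                return "clean"
            data = zf.read(members[0])
    except zipfile.BadZipFile:
        # A non-archive file sitting under one of these names is still odd.
        return "suspicious"
    digest = hashlib.md5(data).hexdigest()
    if digest == EYEVEG_K_MD5 and len(data) == EYEVEG_K_SIZE:
        return "confirmed"
    return "suspicious"


def scan_sysdir(sysdir: str) -> dict:
    """Return {archive name: verdict} for every drop name present in sysdir."""
    findings = {}
    for name in DROP_NAMES:
        path = os.path.join(sysdir, name)
        if os.path.isfile(path):
            findings[name] = classify_archive(path)
    return findings


def make_sample_sysdir() -> str:
    """Build a temporary directory of constructed test files (no real malware)."""
    sysdir = tempfile.mkdtemp(prefix="eyeveg_triage_")
    # song.zip: single .exe member with dummy bytes -> hash mismatch -> suspicious
    with zipfile.ZipFile(os.path.join(sysdir, "song.zip"), "w") as zf:
        zf.writestr("song.exe", b"MZ dummy bytes, constructed for the test")
    # readme.zip: ordinary text archive -> clean
    with zipfile.ZipFile(os.path.join(sysdir, "readme.zip"), "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    # love.zip: not an archive at all -> suspicious
    with open(os.path.join(sysdir, "love.zip"), "wb") as fh:
        fh.write(b"this is not an archive")
    # notes.zip: not one of the worm's names -> ignored by scan_sysdir
    with zipfile.ZipFile(os.path.join(sysdir, "notes.zip"), "w") as zf:
        zf.writestr("notes.exe", b"MZ unrelated")
    return sysdir


if __name__ == "__main__":
    for name, verdict in sorted(scan_sysdir(make_sample_sysdir()).items()):
        print(name + ": " + verdict)
```

On a live machine, pass the real %SYSDIR% path to scan_sysdir; a "suspicious" verdict on one of these names deserves a closer look even when the hash does not match, since the description covers a single variant and the same drop names may be reused.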
The following files are created:
– Temporary files that might be deleted afterwards:
• %TEMPDIR%\%random character string%.tmp
• %TEMPDIR%\%random character string%.tmp
– %SYSDIR%\%random character string%.dll
– %SYSDIR%\%random character string%.dll (this file contains the collected keystrokes)
It tries to download a file:
– The location is the following:
• www.melanie**********.biz/cb
At the time of writing this file was not online for further investigation.
Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "%random character string%"="%random character string%.exe"
Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
From:
The sender address is the user's Outlook account.
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
Subject:
One of the following:
• screensaver
• song
• music
• video
• photo
• girls
• pic
• message
• image
• news
• details
• resume
• love
• readme
Body:
– The body is empty.
Attachment:
The filename of the attachment is one of the following:
• screensaver.zip
• song.zip
• music.zip
• video.zip
• photo.zip
• girls.zip
• pic.zip
• message.zip
• image.zip
• news.zip
• details.zip
• resume.zip
• love.zip
• readme.zip
The attachment is a copy of the malware itself.
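The mail characteristics listed above (a one-word subject from a fixed list, an empty body, and a .zip attachment named after the subject that holds a single executable) are specific enough to match at a mail gateway. The following heuristic is an added example, not Avira's code; it works on a parsed EmailMessage and returns a verdict with a reason. The build_sample helper constructs test messages with dummy attachment bytes, not the worm, and the addresses in it are placeholders.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subjects the worm chooses from (see the list above); the attachment is
# always "<subject>.zip" and the body is empty.
EYEVEG_SUBJECTS = frozenset([
    "screensaver", "song", "music", "video", "photo", "girls", "pic",
    "message", "image", "news", "details", "resume", "love", "readme",
])


def looks_like_eyeveg(msg: EmailMessage) -> tuple:
    """Return (matched, reason) for one parsed message."""
    subject = (msg.get("Subject") or "").strip().lower()
    if subject not in EYEVEG_SUBJECTS:
        return False, "subject not in the worm's list"

    # The worm sends an empty body; any visible text is a mismatch.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body:
        return False, "body is not empty"

    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:
        return False, "expected exactly one attachment, got %d" % len(attachments)
    att = attachments[0]
    name = (att.get_filename() or "").lower()
    if name != subject + ".zip":
        return False, "attachment %r does not match the subject" % name

    # The archive is a copy of the worm itself: a single .exe member.
    try:
        with zipfile.ZipFile(io.BytesIO(att.get_payload(decode=True))) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return False, "attachment is not a valid zip"
    if len(members) == 1 and members[0].lower().endswith(".exe"):
        return True, "Eyeveg.K pattern: subject %r, empty body, %s containing %s" % (
            subject, name, members[0])
    return False, "zip does not contain a single .exe"


def build_sample(subject: str, body: str, attach_name: Optional[str],
                 member: Optional[str]) -> EmailMessage:
    """Construct a test message (constructed data, not a captured worm email)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "victim@example.invalid"      # placeholder address
    msg["To"] = "harvested@example.invalid"     # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, b"MZ dummy bytes, constructed for the test")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attach_name)
    return msg


if __name__ == "__main__":
    for sample in (build_sample("song", "", "song.zip", "song.exe"),
                   build_sample("song", "Here is the song I promised.", "song.zip", "song.exe")):
        print(looks_like_eyeveg(sample))
```

The check is deliberately strict on all three properties together: a bare subject "photo" or an attachment photo.zip alone is common in legitimate mail, but the combination with an empty body and a lone executable inside the archive is what this worm produces.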
The email looks like the following:
Mailing
Search addresses:
It searches the following files for email addresses:
• .ASP
• .DBX
• .EML
• .HTM
• .MBX
• .SHT
• .TBB
Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• abuse; admin; alert; localdomain; mcafee; messagelab; noreply;
pandasoft; postmaster; recipients; report; root; sophos; spam;
symantec; trendmicro; virus; webmaster
Backdoor
Contact server:
The following:
• www.melanie**********.biz/n2.php
As a result it may send out information, and remote control of the system can be provided. This is done via the HTTP POST method using a PHP script.
The server's answer is written to the file:
%home%\Local Settings\Temp\%random characters%.tmp
Sends information about:
• Cached passwords
• Information about the network
• Username
• Users' local activity
• Windows directory
• Information about the Windows operating system
Remote control capabilities:
• Download file
• Execute file
• Kill process
• Send emails
• Upload file
Stealing
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
– The password from the following program:
• Outlook Express
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
See a brief description here.
Description inserted by Irina Boldea on Tue, 06 Sep 2005 09:21 (GMT+1)
Description updated by Irina Boldea on Wed, 14 Sep 2005 10:48 (GMT+1)
© 2009 Avira GmbH