Win32/Eyeveg.I
Win32/Eyeveg.I is a typical mass-mailing e-mail worm. The file is 80384 bytes in size and is runtime-compressed and protected with UPX.
Installation and Autostart Techniques
Upon execution the worm copies itself into the Windows System folder.
The worm adds the following registry entry so that it runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"<worm filename without file extension>" = "<worm filename with file extension>"
It also tries to disable the Windows Firewall by setting:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "00000000 (DWORD)"
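The two registry changes above are the kind of thing a responder checks in an exported hive. The following is an added example (not ESET's code) that parses the text of a .reg export and reports Run entries whose value name equals the data's filename without its extension, together with an EnableFirewall value of 0 under the StandardProfile firewall policy key. The .reg text, including the `svcupd.exe` filename, is constructed here; the self-named Run entry is a weak indicator on its own and is meant to be read alongside the firewall result.

```python
"""Check a .reg export for the persistence and firewall indicators described above.

Added example, not part of the ESET entry. The sample export below is constructed;
'svcupd.exe' is a placeholder filename, not the worm's real name.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile"
)

# Constructed sample: one ordinary Run entry, one self-named entry, firewall off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Vendor\\health.exe"
"svcupd"="svcupd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}} from the text of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            # Named values look like "name"="data" or "name"=dword:00000000.
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip()
    return keys


def find_indicators(keys: dict) -> dict:
    """Flag Run entries named after their own executable and a zeroed EnableFirewall."""
    out = {"self_named_run_entries": [], "firewall_disabled": False}
    for name, data in keys.get(RUN_KEY, {}).items():
        # .reg files escape backslashes; undo that before splitting the path.
        path = data.strip('"').replace("\\\\", "\\")
        filename = path.rsplit("\\", 1)[-1]
        stem = filename.rsplit(".", 1)[0]
        if name.lower() == stem.lower() and name.lower() != filename.lower():
            out["self_named_run_entries"].append((name, path))
    fw = keys.get(FIREWALL_KEY, {}).get("EnableFirewall", "")
    if fw.lower().startswith("dword:") and int(fw[6:], 16) == 0:
        out["firewall_disabled"] = True
    return out


if __name__ == "__main__":
    print(find_indicators(parse_reg_export(SAMPLE_REG)))
```

To use this on a real system, export the two keys with `reg export` and feed the file contents to `parse_reg_export`.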
The worm then creates another copy of itself in the temp folder, which is later moved into the Windows system folder as a .zip file, using one of the following names:
screensaver { many spaces } .scr
song.wav { many spaces } .scr
music.mp3 { many spaces } .scr
video.avi { many spaces } .scr
photo.jpg { many spaces } .scr
girls.jpg { many spaces } .scr
pic.jpg { many spaces } .scr
message.txt { many spaces } .scr
image.jpg { many spaces } .scr
news.doc { many spaces } .scr
details.doc { many spaces } .scr
resume.doc { many spaces } .scr
love.jpg { many spaces } .scr
readme.txt { many spaces } .scr
This file is zipped and later moved into the Windows system folder under the same base filename with the extension ".zip". The worm uses a dedicated thread for this purpose.
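Each lure name above ends in a run of spaces followed by the real `.scr` extension, so a file browser that truncates long names shows only the harmless-looking part. The following is an added example (not ESET's code) that flags this pattern in plain filenames and in the member names of a zip archive held in memory, so a mail gateway or sandbox can inspect the worm's .zip attachments before a user opens them. The executable-extension set beyond `.scr`, the eight-space threshold and the sample archive are assumptions made here; the example generalises the page's `.scr` case to other executable extensions.

```python
"""Detect the '<decoy name><many spaces>.scr' naming trick described above.

Added example, not part of the ESET entry. The sample zip is constructed here.
"""
import io
import re
import zipfile

# Extensions Windows will execute when they end the real name. The entry only
# documents .scr; the rest are an assumption so the check covers the same trick
# with other executable types.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# <base>[.<decoy ext>]<run of 8+ spaces>.<real ext>; the threshold is an assumption.
PADDED_NAME = re.compile(
    r"^(?P<base>[^\\/ ]+?)(?P<decoy>\.[A-Za-z0-9]{1,4})?(?P<pad> {8,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def padded_double_extension(name: str):
    """Return (name as it appears when truncated, real extension) or None."""
    m = PADDED_NAME.match(name)
    if not m:
        return None
    real = m.group("real").lower()
    if real not in EXECUTABLE_EXTS:
        return None
    shown = m.group("base") + (m.group("decoy") or "")
    return shown, real


def scan_zip_members(data: bytes):
    """List (member name, shown name, real extension) for every padded member."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = padded_double_extension(info.filename)
            if verdict:
                hits.append((info.filename, verdict[0], verdict[1]))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member and one padded .scr lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"harmless text")
        zf.writestr("photo.jpg" + " " * 60 + ".scr", b"constructed placeholder, not a binary")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ["photo.jpg" + " " * 40 + ".scr", "resume.doc", "a.txt  .scr"]:
        print(repr(n[:20]), padded_double_extension(n))
    print(scan_zip_members(build_sample_zip()))
```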
The worm drops a malicious IESpy Browser Helper Object (BHO) with a random file name into the Windows system folder. This component is detected as "Win32/Spy.Agent.AJ trojan". It then creates another randomly named DLL file in which it stores all keystrokes typed on the compromised system, including the names of the applications used.
Note: This keystroke log file is not malicious itself and is therefore not detected.
E-mail harvesting
The worm scans all fixed disks and collects e-mail addresses from files with one of the following extensions:
.sht .asp .htm .mbx .eml .tbb .dbx
E-mail Sender
The sender e-mail addresses are spoofed and may appear to be sent by a familiar source.
This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to other e-mail addresses.
E-mail Subjects
The worm randomly selects an e-mail subject from the following list:
screensaver
song
music
video
photo
girls
pic
message
image
news
details
resume
love
readme
E-mail Attachments
The worm attaches a copy of itself under one of the following file names:
screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip
The worm avoids e-mail addresses that contain any of the following strings:
admin
hostmaster
messagelab
symantec
localdomain
localhost
mcafee
postmaster
webmaster
spam
reports
noreply
recipients
abuse
microsoft
root
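The subject list and the attachment list above are the same fourteen words, so a message whose one-word subject names its own .zip attachment, and whose zip holds a `.scr` member, matches this worm's mailing pattern closely. The following is an added example (not ESET's code) of a mail-gateway triage function that scores a parsed message on those three observations; the sample message, addresses and archive contents are constructed here.

```python
"""Mail-gateway triage for the lure pattern documented above.

Added example, not part of the ESET entry. Scores a message on three
indicators the entry documents: a one-word lure subject, an attachment
named <subject>.zip, and a .scr member inside that zip. The sample
message is constructed here.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The subject/attachment words listed in the entry.
LURE_WORDS = {
    "screensaver", "song", "music", "video", "photo", "girls", "pic",
    "message", "image", "news", "details", "resume", "love", "readme",
}


def score_message(msg: EmailMessage) -> dict:
    """Return the three indicator flags plus a total score from 0 to 3."""
    subject = (msg.get("Subject") or "").strip().lower()
    flags = {
        "lure_subject": subject in LURE_WORDS,
        "attachment_matches_subject": False,
        "zip_contains_scr": False,
    }
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname == f"{subject}.zip":
            flags["attachment_matches_subject"] = True
        payload = part.get_payload(decode=True) or b""
        # Only open payloads that carry the zip local-file-header signature.
        if fname.endswith(".zip") and payload[:2] == b"PK":
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(n.lower().endswith(".scr") for n in zf.namelist()):
                    flags["zip_contains_scr"] = True
    score = sum(1 for v in flags.values() if v)
    flags["score"] = score
    return flags


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and score it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return score_message(msg)


def build_sample_message(subject: str = "photo", attach: bool = True) -> bytes:
    """Constructed sample resembling the worm's mailing; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content("see attached")
    if attach:
        zbuf = io.BytesIO()
        with zipfile.ZipFile(zbuf, "w") as zf:
            zf.writestr(f"{subject}.jpg" + " " * 50 + ".scr", b"constructed placeholder")
        msg.add_attachment(zbuf.getvalue(), maintype="application",
                           subtype="zip", filename=f"{subject}.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
    print(triage(build_sample_message("Quarterly report", attach=False)))
```

A score of 3 is a strong match for this family; a lone `lure_subject` hit is common in legitimate mail and should not block on its own.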
Other Details
The worm tries to download a file into the temp folder and execute it. At the time of analysis, however, this file was no longer available on the web server. According to the disassembly, the worm's download routine also appears to have a bug in the way it constructs the URL.
Note: This threat was detected with heuristics.
© 1992-2005 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or otherwise used in any form or by any means without prior consent.

