
Win32.Worm.Eyeveg.M


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Eyeveg.M.

Explanation:

This worm spreads by sending email messages that invite unsuspecting users to download it from a website; it contains a keylogger, a backdoor and a separate ActiveX component, detected as Trojan.Spy.Iespy.G.

The virus has a modular structure that is clearly the result of linking components written by different programmers: for example, some parts of the virus use the Win32 API for file access while others use <cstdio> functions, and one of the programmers is clearly a novice, since one function returns a pointer to a local string. The code was compiled with Visual C++ and packed with a modified version of UPX.

The user gets an email in the following format:

From: the real address of the infected user sending the email, or a forged address;

Subject: one of the following: "readme", "love", "resume", "details", "news", "image", "message", "pic", "girls", "photo", "video", "music", "song", "screensaver";

Body: http://{africaplc.com|www.neptuncaffe.com|scheduleconsult.com|www.sismodular.com}/{readme|love|resume|details|news|image|message|pic|girls|photo|video|music|song|screensaver}.zip

(the file name in the link is matched to the subject line).

The purpose of this email is to get the user to click the link and download a file containing the virus (or an updated version of it). At the time of writing, an updated version of the virus can be downloaded from one of these locations (the file "readme.zip" contains a file called "readme.txt<many whitespaces>.scr"); this version is detected as Win32.Worm.Eyeveg.N; until today's signature release it had been detected by emulation as Dropped:Trojan.Spy.Iespy.G (since 19 September).
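As an added defender-side example (not BitDefender's code and not part of the original description), the following Python flags mail that follows the lure format above and archive member names that use the whitespace-padded double extension mentioned for "readme.zip". The subject words and hosts are the ones quoted on this page; the decoy and executable extensions in PADDED_EXT_RE other than .txt and .scr are an assumption.

```python
import re
from urllib.parse import urlparse

# Subject words and download hosts quoted in the description above
EYEVEG_SUBJECTS = {
    "readme", "love", "resume", "details", "news", "image", "message",
    "pic", "girls", "photo", "video", "music", "song", "screensaver",
}
EYEVEG_HOSTS = {"africaplc.com", "www.neptuncaffe.com",
                "scheduleconsult.com", "www.sismodular.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: the page shows only 'readme.txt<many spaces>.scr'; the other
# decoy and executable extensions here are a defender's generalisation
PADDED_EXT_RE = re.compile(
    r"\.(txt|jpg|gif|doc|htm)\s{2,}\.(scr|exe|pif|com|bat)$", re.I)


def find_lure_url(subject, body):
    """First body URL whose .zip basename equals the one-word subject
    (subject 'photo' pairs with a link ending in /photo.zip), else None."""
    subj = subject.strip().lower()
    if subj not in EYEVEG_SUBJECTS:
        return None
    for url in URL_RE.findall(body):
        basename = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if basename == f"{subj}.zip":
            return url
    return None


def is_known_host(url):
    """True when the link points at one of the hosts named on this page."""
    return urlparse(url).hostname in EYEVEG_HOSTS


def is_padded_double_extension(member_name):
    """True for archive member names like 'readme.txt        .scr'."""
    return PADDED_EXT_RE.search(member_name) is not None


def verdict(subject, body, archive_members=()):
    """One label per message, suitable for a gateway rule or a SIEM field."""
    url = find_lure_url(subject, body)
    if url is not None:
        return "eyeveg-lure-known-host" if is_known_host(url) else "eyeveg-lure"
    if any(is_padded_double_extension(m) for m in archive_members):
        return "suspicious-attachment"  # padded .scr is suspicious on its own
    return "clean"
```

A lure whose link points at a host not in EYEVEG_HOSTS is still labelled "eyeveg-lure", since the subject-to-filename pairing alone is the distinctive trait; the host set only raises confidence.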

When run, the virus uses a mutex called "_sjdfzxcrwbhsvb" to prevent multiple copies of itself from running. It calls RegisterServiceProcess to hide itself from the Task Manager on Win9x. It drops a copy of itself into the Windows system folder and creates an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key so that the copy runs at every start-up; it drops the embedded ActiveX component (Trojan.Spy.Iespy.G) and registers it as a Browser Helper Object (an Internet Explorer extension); among other obscure actions, this component records data the user enters into forms on web pages.

The names of the files used by the virus (for example, the .exe dropped copy and the .dll Browser Helper Object) contain a few lower-case letters (different on every machine, depending on the hard disk drive serial number).

The virus creates a keylogger thread that records keystrokes and related window names in a text file with the ".dll" extension in the Windows system folder.

The main thread resumes execution at lowered priority and creates a mass-mailing thread; this thread looks, in the current user's profile folder, for files whose names contain one of the following substrings: ".dbx", ".tbb", ".eml", ".mbx", ".htm", ".asp", ".sht"; it gathers email addresses from those files and sends messages in the format described above; the "From" field is almost always forged with another harvested address.

The backdoor component of the virus offers the following functions (available to the operator of the website it attempts to connect to):

- download files (to the system folder or another folder);
- run downloaded files or specified processes;
- delete files;
- report mass-mailing progress;
- list the contents of folders;
- collect information from the files within a specified folder and its subfolders (the first 1 KB of each file is appended to a temporary file which is POST-ed to a website);
- search for specified information within files;
- list processes and terminate specified processes;
- create and remove folders;
- disable firewall;
- report computer name, user name, Hotmail account information, data in Protected Storage (such as Internet Explorer remembered forms and passwords, Outlook Express account information, MSN Explorer passwords), logged keystrokes, and form information collected by the Browser Helper Object;
- copy a specified file to the Startup folder.

The website is www.melaniecarroll.biz.

Last update 21 November 2011
