Win32.Evaman.D@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Evaman.D@mm.
Explanation:
Technical description:
The worm arrives by e-mail. The main executable uses an Internet Explorer icon.
When run, it tries to open the web site http://www.microsucks.com.
The worm starts a thread that scans every second for processes whose names contain any of the strings:
task
msconfig
AV
MC
Av
Mc
av
mc
IEFrame
nti
iru
ire
cc
ecu
can
scn
KV
fr
and it terminates them.
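The list above is applied as a plain substring match against process names, which is why the same token appears as AV, Av and av (the check is case-sensitive). The following added example, written for this page and not part of the BitDefender write-up, emulates that check over a constructed list of process names so a responder can see which legitimate processes the worm would terminate and which security tools slip through. The sample process names and the assumption of a case-sensitive substring test are the author's, not taken from the original analysis.

```python
# Substrings the worm looks for in running process names (from the write-up).
KILL_SUBSTRINGS = [
    "task", "msconfig", "AV", "MC", "Av", "Mc", "av", "mc", "IEFrame",
    "nti", "iru", "ire", "cc", "ecu", "can", "scn", "KV", "fr",
]


def killed_by_worm(process_name: str) -> list[str]:
    """Return the substrings from the worm's list that match process_name.

    Assumption (not stated on the page): a plain case-sensitive substring
    test, which is the simplest reading of a list that carries AV/Av/av
    and MC/Mc/mc as separate entries.
    """
    return [s for s in KILL_SUBSTRINGS if s in process_name]


def triage(process_names: list[str]) -> dict[str, list[str]]:
    """Map each process name that would be terminated to the substrings it hit."""
    result = {}
    for name in process_names:
        hits = killed_by_worm(name)
        if hits:
            result[name] = hits
    return result


# Constructed sample process list; not captured from an infected host.
SAMPLE_PROCESSES = [
    "taskmgr.exe", "msconfig.exe", "avguard.exe", "mcshield.exe",
    "explorer.exe", "firefox.exe", "ccapp.exe", "winlogon.exe", "notepad.exe",
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PROCESSES).items():
        print(f"{name}: terminated (matched {', '.join(hits)})")
```

Note the collateral damage: firefox.exe is killed because it contains "ire", and ccapp.exe because of "cc", while a process whose name happens to avoid every token survives even if it is a security product. The broadness of the list (two- and three-letter tokens) is itself a usable host-based indicator: an unexplained process that terminates others every second is worth investigating.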
The worm scans for e-mail addresses and then sends itself as an attachment.
The message subject is one of:
album
You've got a Virtual Postcard!
The message body:
my pics...*sexy*. Heheh! ;)
You have just received a new postcard from Flashecard.com!
To pick up your postcard follow this web address
http://www.flashecard.com.viewcard.main.ecard.php?2342
or click the attached link.
We hope you enjoy your postcard, and if you do, please
take a moment to send a few yourself!
http://www.flashecard.com
From:
(Your message will be available for 30 days.)
Please visit our site for more information.
The sender of the email is spoofed.
The message carries an attachment whose name is composed of one of the following items:
photos_album
www.flashecard.com?postcard=viewcard?download
followed by
.scr
.html.scr
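The two stems and two suffixes above give four possible attachment names, and the .html.scr variant relies on Windows hiding the final extension. The following added example, written for this page rather than taken from the BitDefender analysis, enumerates those names and shows a mail-gateway style check that flags a message by subject and attachment name, plus a weaker heuristic for a .scr hidden behind a second extension. The heuristic and the sample messages are the author's assumptions; only the subjects, stems and suffixes come from the page.

```python
import itertools

# Subjects and attachment-name parts listed in the write-up.
SUBJECTS = {"album", "You've got a Virtual Postcard!"}
NAME_STEMS = ["photos_album", "www.flashecard.com?postcard=viewcard?download"]
NAME_SUFFIXES = [".scr", ".html.scr"]


def attachment_names() -> set[str]:
    """All attachment names the worm can produce (each stem with each suffix)."""
    return {stem + suffix for stem, suffix in itertools.product(NAME_STEMS, NAME_SUFFIXES)}


def matches_evaman(subject: str, attachment: str) -> bool:
    """Exact indicator match: subject and attachment name both on the worm's lists."""
    return subject in SUBJECTS and attachment in attachment_names()


def looks_like_disguised_screensaver(attachment: str) -> bool:
    """Heuristic (author's assumption, not from the page): a .scr behind at
    least one more extension, e.g. something.html.scr, which Windows shows
    as 'something.html' when known extensions are hidden."""
    parts = attachment.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "scr"


# Constructed sample messages (subject, attachment name); not real traffic.
SAMPLE_MESSAGES = [
    ("album", "photos_album.scr"),
    ("You've got a Virtual Postcard!", "www.flashecard.com?postcard=viewcard?download.html.scr"),
    ("album", "photos_album.exe"),
    ("Quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    for subject, attachment in SAMPLE_MESSAGES:
        verdict = "evaman" if matches_evaman(subject, attachment) else (
            "suspicious .scr" if looks_like_disguised_screensaver(attachment) else "clean")
        print(f"{subject!r} / {attachment!r}: {verdict}")
```

The exact match is useful for retro-hunting mail logs; the double-extension heuristic catches the same trick from other families, at the cost of also firing on the worm's own www.flashecard.com...download.scr name, whose stem already contains dots.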
To collect addresses, the worm reads the Windows Address Book (it gets the path from the registry)
and then scans files with the following extensions:
txt
htmb
htmlb
shtl
phpq
emll
msgq
aspd
dbxn
tbbg
adbh
wab.
The worm avoids sending itself to addresses that contain any of the following strings:
syma
msn
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin.
rfc-ed
isc.o
ecur
acketst
pgp
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
you
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
spm
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale
Last update 21 November 2011