W32/Eyeveg.worm.c

Type: Virus
SubType: Open Share Worm
Discovery Date: 02/20/2004
Length: 42,496
Minimum DAT: 4322 (02/04/2004)
Updated DAT: 4649 (12/13/2005)
Minimum Engine: 5.1.00
Description Added: 02/20/2004
Description Modified: 05/11/2004 5:00 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This variant of W32/Eyeveg.worm contains network sharing, backdoor and password stealing capabilities.

When run, the worm copies itself to the Windows System directory (%SYSDIR%) using a random file name. It creates the following registry key in order to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "random string" = "%SYSDIR%\(random filename).exe"

The worm periodically connects to the following website on port 2334:

  • www.melaniecarroll.biz

The port is left open for remote access, where the following functions may be performed:

  • download file
  • execute program
  • copy/delete/find file
  • retrieve system information

Symptoms

  • Existence of the registry key and filenames mentioned above
  • Port 2334 open
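
The two symptoms above can be checked together during triage. The following is an added example, not part of the original description: it parses the text output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `netstat -an`. The function names, the sample output (constructed) and the assumption that %SYSDIR% is a standard Windows system directory are not from the write-up.

```python
import re

# Assumption: %SYSDIR% resolves to a standard Windows system directory.
SYSDIR_EXE = re.compile(
    r'^"?(?:%systemroot%|[a-z]:\\win(?:dows|nt))\\system(?:32)?\\[^\\"]+\.exe\b', re.I)
RUN_VALUE = re.compile(r'^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$')
BACKDOOR_PORT = 2334  # port named in the description

def suspicious_run_values(reg_output):
    """Return (name, data) for Run values that start an .exe directly in %SYSDIR%.

    Legitimate programs also live there, so hits are candidates for review
    (unknown random-looking name, recent file date), not a verdict.
    """
    hits = []
    for line in reg_output.splitlines():
        m = RUN_VALUE.match(line)
        if m and SYSDIR_EXE.match(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def port_in_use(netstat_output, port=BACKDOOR_PORT):
    """Return TCP lines whose local or foreign endpoint uses the given port."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP":
            if any(ep.rsplit(":", 1)[-1] == str(port) for ep in fields[1:3]):
                hits.append(line.strip())
    return hits

# Constructed sample output, for illustration only.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    xqzpwlk    REG_SZ    C:\WINDOWS\system32\qkxvbnrt.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2334           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
"""

if __name__ == "__main__":
    print("Run values to review:", suspicious_run_values(SAMPLE_REG))
    print("Port 2334 activity:", port_in_use(SAMPLE_NETSTAT))
```

A host showing both a hit from each function warrants a scan with the engine and DAT versions listed above.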

Method of Infection

The worm can spread via network shares.

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Win32.HLLW.Eyeveg (DrWeb)
