W32/Evaman@MM

Type: Virus
SubType: Email Worm
Discovery Date: 07/05/2004
Length: 14,848 bytes
Minimum DAT: 4373 (07/05/2004)
Updated DAT: 4373 (07/05/2004)
Minimum Engine: 5.1.00
Description Added: 07/04/2004
Description Modified: 07/05/2004 6:21 AM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--Update 5th July 2004--
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.news.com.au/common/story_page/0,4057,10046398%255E15306,00.html

--

This is a new mass-mailing worm that launches notepad.exe when executed.

The following SMTP servers are used for sending the email:

  • smtp.mail.yahoo.com
  • smtp.rcn.com
  • outgoing.verizon.net
  • smtp.comcast.net
  • mail.mindspring.com
  • smtp.email.msn.com
  • smtpauth.earthlink.net
  • smtp-server.nc.rr.com
  • smtp1.attglobal.net
  • mailhost.att.net
  • mail.optonline.net
  • mail.peoplepc.com
  • smtpout.bellatlantic.net
  • mail.verio.net
  • smtp.netzero.net
  • smtp.prodigy.net

The worm performs a people search at email.people.yahoo.com using the following names to obtain email addresses to send itself to:

  • Mike
  • Jennifer
  • David
  • Linda
  • Susan
  • Nancy
  • Pamela
  • Eric
  • Kevin
  • Mary
  • Jessica
  • Patricia
  • Barbara
  • Karen
  • Sarah
  • Robert
  • John
  • Daniel
  • Jason
  • Joe

The email arrives in the following format:

Subject:

  • returned mail
  • failure delivery
  • failed transaction
  • server error
  • mail failure
  • Delivery Status (Failure)

Body:

  • This is an automatically generated Delivery Status Notification.
    Delivery to last recipient failed.
    Email returned as attachment text file.
  • Message from Mail Delivery Server.
    Unable to deliver message to last recipient.
    Email returned as text file.
  • Email returned by the server as ASCII Text mail file.
    To read the email download the included attachment.
  • Mail Server Notice:
    Last email sent could not reach intented destination.
    Email returned as ASCII text file.
  • The last email sent by this account could not reach intended destination.
    Email has been returned as text file attachment.
  • Mail Delivery Status Notification:
    Message returned by server. Message returned as text file attachment.

Attachment: (any of the following filenames and extensions)

  • body
  • message
  • email
  • returned
  • text
  • document
  • *.scr
  • *.txt.scr
  • *.html.scr
  • outlook.scrtxt.exe
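
A defender-side triage check for the lure format described above, written for this page as an added example (it is not McAfee's or the worm's code). It parses a raw message with Python's email module and flags the subject, body and attachment-name traits together, because the bounce wording alone also appears in legitimate delivery failures; the sample message is constructed, not a capture.

```python
import email
import re
from email import policy

# Lure strings from the advisory above; compared case-insensitively.
SUBJECTS = {
    "returned mail", "failure delivery", "failed transaction",
    "server error", "mail failure", "delivery status (failure)",
}
BODY_PHRASES = ("returned as attachment text file", "returned as text file",
                "returned as ascii text", "unable to deliver message to last recipient")
# body|message|email|returned|text|document + .scr/.txt.scr/.html.scr, or outlook.scrtxt.exe
ATTACH_RE = re.compile(
    r"^(?:(?:body|message|email|returned|text|document)(?:\.txt|\.html)?\.scr|outlook\.scrtxt\.exe)$",
    re.IGNORECASE,
)

def score_message(raw: bytes) -> dict:
    """Report which Evaman lure traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        "subject": subject in SUBJECTS,
        "body": any(p in text for p in BODY_PHRASES),
        "attachment": any(ATTACH_RE.match(n) for n in names),
    }
    # A real bounce can carry the same wording; the .scr attachment is the tell.
    lure = hits["subject"] or hits["body"]
    hits["verdict"] = "evaman-like" if hits["attachment"] and lure else "clean"
    return hits

# Constructed sample mimicking the lure described above; not a real capture.
SAMPLE = b"""Subject: Delivery Status (Failure)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Last email sent could not reach intented destination.
Email returned as ASCII text file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="returned.txt.scr"

not-a-real-binary
--b1--
"""
```

Calling score_message(SAMPLE) returns all three traits as True with the verdict "evaman-like".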

Symptoms

Creates the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks

The worm is copied to the %WINDIR%\System32 directory as:

  • wintasks.exe

(where %WINDIR% is C:\windows or C:\winnt)

The following registry hook is added to run the worm at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wintasks.exe" = %WINDIR%\System32\wintasks.exe
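
An added example, not part of the original advisory, that checks a `reg export` dump for the persistence indicators listed above (the Explorer\Wintasks marker keys and the Run value pointing at System32\wintasks.exe). The sample export is constructed, and the parser keeps only string (REG_SZ) data, which is all this check needs.

```python
import re

# Indicators from the advisory above; registry paths compare case-insensitively.
WINTASKS_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks",
)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_RE = re.compile(r"\\system32\\wintasks\.exe$", re.IGNORECASE)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)")?')

def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"="data" lines of a .reg export.
    Only string (REG_SZ) data is kept; that is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m and m.group(2) is not None:
                name = m.group(1) if m.group(1) is not None else "@"
                keys[current][name] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_evaman_persistence(keys: dict) -> list:
    """Return the Evaman registry indicators found in a parsed export."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = [f"marker key present: {k}" for k in WINTASKS_KEYS if k.lower() in lower]
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "wintasks.exe" or RUN_DATA_RE.search(data):
            findings.append(f"startup hook: {name} = {data}")
    return findings

# Constructed sample in `reg export` format; not taken from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wintasks.exe"="C:\\WINDOWS\\System32\\wintasks.exe"
"""

if __name__ == "__main__":
    for finding in find_evaman_persistence(parse_reg_export(SAMPLE_REG)):
        print(finding)
```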

Method of Infection

  • This worm arrives through email. When the infected email attachment is run, the worm sends itself to other email addresses.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Evaman@mm (Symantec)
  • W32/Evaman-A (Sophos)
