W32/Evaman.c@MM

Type
Virus
SubType
E-mail
Discovery Date
08/03/2004
Length
21,504 bytes (UPX)
Minimum DAT
4383 (08/04/2004)
Updated DAT
4385 (08/11/2004)
Minimum Engine
5.1.00
Description Added
08/03/2004
Description Modified
08/04/2004 2:10 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update August 4, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.zdnet.co.uk/business/legal/0,39020651,39162570,00.htm
--

This mass-mailing virus arrives as an email attachment with the following characteristics:

From: (spoofed From: header)
Do not assume that the sender address indicates that the sender is infected. You may also receive alert messages from a mail server stating that you are infected, which may not be the case.

The From: address is constructed by taking one of the common names carried in the virus body and prepending it to the recipient's domain name (e.g. john@mydomain.com), so the message appears to come from inside the recipient's own organization.

The common names used are as follows:

  • barbara
  • daniel
  • david
  • eric
  • jason
  • jennifer
  • jessica
  • joe
  • john
  • karen
  • kevin
  • linda
  • mary
  • mike
  • nancy
  • pamela
  • patricia
  • robert
  • sarah
  • susan

Subject: (one of the following)

  • Delivery Status (Secure)
  • failed transaction
  • Re: Extended Mail
  • Re: hello (Secure-Mail)
  • Re: Server Reply
  • Secure delivery
  • SN: New secure mail
  • SN: Server Status

Body: (varies, such as)

Part 1

  • domain  :: Automatically Secure Delivery: for email address
  • domain  :: Mail Delivery Server System: for email address
  • domain  :: Extended secure mail message available at: email address
  • domain  :: Secure Mail Server Notification: for email address
  • domain  :: New mail secure method implement: for email address

Part 2

  • New policy requested by mail server to returned mail
    as a secure compiled attachment (Zip).
  • Now a new message is available as secure Zip file format.
    Due to new policies on clients.
  • This message is available as a secure Zip file format
    due to a new security policy.
  • For security measures this message has been packed as Zip format.
    This is a newly added security feature.
  • New policy recommends to enclose all messages as Zip format.
    Your message is available in this server notice.
  • You have received a message that implements secure delivery technology.
    Message available as a secure Zip file.

Part 3

  • This message is an automatically server notice
    from Administration at domain
  • Server Notice: New security feature added. MSG:ID: 455sec86
    from domain
  • New feature added for security reasons
    from domain
  • Automatically server notice:,
    Server reply from domain
  • New service policy for security added from domain

Attachment: (one of the following)

  • attachment
  • document
  • file
  • mail
  • message
  • readme
  • text
  • transcript

Followed by one of the following

  • .zip
  • .exe
  • -txt.exe
  • -htm.exe
  • -txt.scr

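The sender, subject and attachment characteristics above can be combined into a mail-gateway check. The following is an added example written for this page, not McAfee's code and not the virus's own: it parses an RFC 822 message and reports which of three indicators are present (a From: local part drawn from the common-name list at the recipient's own domain, a subject from the list, and an attachment whose name is one of the listed base names followed by one of the listed suffixes). The two sample messages are constructed for the example, and the rule of flagging only when two or more indicators coincide is the editor's choice, so that a real colleague named john@ sending ordinary mail is not caught on the From: pattern alone.

```python
"""Gateway check for the W32/Evaman.c@MM lure (example code for this page)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Indicator lists transcribed from the description above.
COMMON_NAMES = {"barbara", "daniel", "david", "eric", "jason", "jennifer", "jessica",
                "joe", "john", "karen", "kevin", "linda", "mary", "mike", "nancy",
                "pamela", "patricia", "robert", "sarah", "susan"}
SUBJECTS = {"Delivery Status (Secure)", "failed transaction", "Re: Extended Mail",
            "Re: hello (Secure-Mail)", "Re: Server Reply", "Secure delivery",
            "SN: New secure mail", "SN: Server Status"}
ATTACH_BASENAMES = ["attachment", "document", "file", "mail", "message", "readme",
                    "text", "transcript"]
ATTACH_SUFFIXES = [".zip", ".exe", "-txt.exe", "-htm.exe", "-txt.scr"]
# <basename><suffix>, e.g. "message-txt.exe"; case-insensitive to survive renaming.
ATTACH_RE = re.compile(
    "^(" + "|".join(ATTACH_BASENAMES) + ")("
    + "|".join(re.escape(s) for s in ATTACH_SUFFIXES) + ")$", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def evaman_indicators(raw_message: str) -> List[str]:
    """Return the Evaman lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    local_part = sender.rpartition("@")[0].lower()
    # From: is forged as <common name>@<recipient's own domain>, so it looks internal.
    if local_part in COMMON_NAMES and _domain(sender) and _domain(sender) == _domain(recipient):
        hits.append("sender is a common name at the recipient's own domain")
    if msg.get("Subject", "").strip() in SUBJECTS:
        hits.append("known Evaman subject line")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("lure attachment name: " + name)
    return hits


def is_evaman_lure(raw_message: str) -> bool:
    """Editor's threshold: two or more indicators must coincide (assumption, not from the page)."""
    return len(evaman_indicators(raw_message)) >= 2


# Constructed sample messages (not captured traffic); the executable body is a dummy.
SAMPLE_LURE = """\
From: john@mydomain.com
To: alice@mydomain.com
Subject: SN: New secure mail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="evaman-example"

--evaman-example
Content-Type: text/plain

mydomain.com  :: Secure Mail Server Notification: for email address alice@mydomain.com
This message is available as a secure Zip file format
due to a new security policy.
--evaman-example
Content-Type: application/octet-stream; name="message-txt.exe"
Content-Disposition: attachment; filename="message-txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--evaman-example--
"""

SAMPLE_BENIGN = """\
From: john@mydomain.com
To: alice@mydomain.com
Subject: Re: lunch tomorrow?

Sure, noon works.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_evaman_lure(sample), evaman_indicators(sample))
```

The forged sender is the part worth keeping in mind operationally: because the From: is always a name at the recipient's own domain, a copy arriving from the Internet claims an internal origin it cannot have, and a gateway that already rejects external mail bearing the local domain in From: will stop this lure without any of the signature lists above.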
When the user executes the attachment, the virus launches Notepad.

The virus copies itself to the Windows system directory (for example C:\Windows\System32) as winlibs.exe and creates a registry Run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "winlibs.exe" = C:\WINDOWS\System32\winlibs.exe

Additionally, the following registry keys are created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs

The virus harvests e-mail addresses from the local system by scanning files with the following extensions:

  • adb
  • asp
  • cfg
  • dbx
  • dhtm
  • eml
  • htm
  • html
  • js
  • jse
  • jsp
  • mmf
  • msg
  • ods
  • php
  • pl
  • sht
  • shtm
  • shtml
  • tbb
  • txt
  • wab
  • xml

The virus also queries Yahoo for additional recipient addresses.

Additionally, the virus avoids email addresses containing the following strings:

  • .edu
  • .gov
  • .mil
  • @MM
  • @mm
  • 32.
  • ample
  • arsoft
  • ating
  • avp
  • Bug
  • bug
  • buse
  • cafee
  • ccoun
  • cribe
  • CRIBE
  • dmin
  • ebmast
  • ecur
  • eport
  • eturn
  • gmail
  • help
  • ibm
  • ICROSOFT
  • icrosoft
  • inpris
  • inrar
  • inux
  • inzip
  • irus
  • ists
  • list
  • msdn
  • msn
  • nfo
  • ntivi
  • omain
  • omment
  • ompu
  • oogle
  • oot
  • opho
  • orton
  • otmail
  • panda
  • pdate
  • persk
  • rend
  • ruslis
  • Sale
  • sale
  • sarc
  • senet
  • soft
  • spam
  • Spam
  • SPAM
  • ugs
  • umit
  • upport
  • user
  • USER
  • ware
  • win
  • ymant
  • YOU
  • you

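The exclusion list above decides which harvested addresses an infected host will never mail, which matters when you are choosing where to look for samples. The following is an added example written for this page (not the virus's code and not McAfee's): it applies the list to a constructed set of harvested addresses and reports the substring responsible for each exclusion. Matching is done case-sensitively, an inference from the list carrying both "Bug" and "bug"; the sample addresses are made up for the example.

```python
"""Recipient exclusion filter of W32/Evaman.c@MM, reproduced as example code."""
from typing import Dict, List, Optional, Tuple

# Exclusion substrings, transcribed from the list above in the same order.
SKIP_STRINGS = [
    ".edu", ".gov", ".mil", "@MM", "@mm", "32.", "ample", "arsoft", "ating", "avp",
    "Bug", "bug", "buse", "cafee", "ccoun", "cribe", "CRIBE", "dmin", "ebmast", "ecur",
    "eport", "eturn", "gmail", "help", "ibm", "ICROSOFT", "icrosoft", "inpris", "inrar",
    "inux", "inzip", "irus", "ists", "list", "msdn", "msn", "nfo", "ntivi", "omain",
    "omment", "ompu", "oogle", "oot", "opho", "orton", "otmail", "panda", "pdate",
    "persk", "rend", "ruslis", "Sale", "sale", "sarc", "senet", "soft", "spam", "Spam",
    "SPAM", "ugs", "umit", "upport", "user", "USER", "ware", "win", "ymant", "YOU", "you",
]


def skip_reason(address: str) -> Optional[str]:
    """Return the first exclusion substring contained in the address, or None.

    Case-sensitive substring search (assumption: the paired entries such as
    "Bug"/"bug" only make sense if the comparison itself does not fold case).
    """
    for needle in SKIP_STRINGS:
        if needle in address:
            return needle
    return None


def partition(addresses: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split harvested addresses into those the virus would mail and those it skips."""
    targeted: List[str] = []
    skipped: Dict[str, str] = {}
    for address in addresses:
        reason = skip_reason(address)
        if reason is None:
            targeted.append(address)
        else:
            skipped[address] = reason
    return targeted, skipped


# Constructed sample of what the file scan might harvest (not real data).
SAMPLE_HARVEST = [
    "alice@acme.test", "bob@acme.test", "abuse@acme.test", "root@acme.test",
    "security@acme.test", "support@acme.test", "jane@example.com", "john@mydomain.com",
]

if __name__ == "__main__":
    targeted, skipped = partition(SAMPLE_HARVEST)
    print("would be mailed:", targeted)
    for address, reason in skipped.items():
        print("skipped %-22s matched %r" % (address, reason))
```

Two consequences follow from the run. Role mailboxes such as abuse@, root@, security@ and support@ are excluded by the fragments "buse", "oot", "ecur" and "upport", so those inboxes are not a reliable place to collect samples during an outbreak. Because the whole address string is searched, a domain can exclude itself as well: "ample" removes every address at example.com, and "omain" removes every address at mydomain.com, the domain the description itself uses in its illustration.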
Symptoms

Presence of the file winlibs.exe in the Windows SYSTEM32 directory, together with the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "winlibs.exe" = C:\WINDOWS\System32\winlibs.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs

Method of Infection

This virus spreads via email. Users must choose to open the attachment in order to become infected. Once infected, the compromised system is used to propagate the virus further by sending infected messages to addresses found on the local system and on the web.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Mydoom.o (AVP)
  • W32/Mydoom.q@MM
  • WORM_MYDOOM.O (Trend)
