Presence of the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wintasks.exe, with its value set to the path of wintasks.exe in the Windows System directory.
Presence of the wintasks.exe file in the %SYSTEM% directory.
Presence of a named mutex "MyNameIsEva".
Identify and terminate the process (if active), then remove the registry key and the file from the system.
Automatic removal: let BitDefender disinfect infected files.
Alexandru Carp, BitDefender Virus Researcher
The worm arrives by e-mail, with the following characteristics:
The message subject is one of:
Delivery Status (Failure)
The message body is one of:
This is an automatically generated Delivery Status Notification.
Delivery to last recipient failed.
Email returned as attachment text file.
Message from Mail Delivery Server.
Unable to deliver message to last recipient.
Email returned as text file.
Email returned by the server as ASCII Text mail file.
To read the email download the included attachment.
Mail Server Notice:
Last email sent could not reach intended destination.
Email returned as ASCII text file.
The last email sent by this account could not reach intended destination.
Email has been returned as text file attachment.
Mail Delivery Status Notification:
Message returned by server. Message returned as text file attachment.
The sender address uses the same domain as the target's, and the user name is one of:
Ex: if the target is firstname.lastname@example.org, the sender might be Mike@foodomain.foo.
The message has an attachment with the name composed of the following items:
and the last part is one of:
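The mail characteristics above are enough to build a gateway-side check. The following is an added example written for this page (it is not BitDefender's code and the original write-up contains no code): it parses constructed RFC 822 messages and reports which of the worm's indicators each one matches, with a verdict when the "Delivery Status (Failure)" subject is combined with at least two of the other three indicators. The executable extension list and the scoring rule are my own assumptions, since the page's list of attachment name parts is not reproduced here; the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the write-up above.
WORM_SUBJECT = "Delivery Status (Failure)"
WORM_BODY_PHRASES = (
    "This is an automatically generated Delivery Status Notification.",
    "Delivery to last recipient failed.",
    "Email returned as attachment text file.",
    "Message from Mail Delivery Server.",
    "Unable to deliver message to last recipient.",
    "Email returned as text file.",
    "Email returned by the server as ASCII Text mail file.",
    "To read the email download the included attachment.",
    "Mail Server Notice:",
    "Last email sent could not reach intended destination.",
    "Email returned as ASCII text file.",
    "The last email sent by this account could not reach intended destination.",
    "Email has been returned as text file attachment.",
    "Mail Delivery Status Notification:",
    "Message returned by server. Message returned as text file attachment.",
)
# Assumption: the page does not list the attachment suffixes, so a generic
# executable list is used here.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


def _domain(header_value):
    """Lower-cased domain of the first address in a From/To header ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    """Plain-text body of the message (empty string if there is none)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def analyse(raw):
    """Match one raw message against the worm's indicators.

    Returns {'indicators': {...}, 'suspicious': bool}. The verdict rule
    (subject match plus at least two other indicators) is an assumption.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body = _body_text(msg).lower()
    attachment_names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    sender_domain = _domain(msg["From"])
    recipient_domain = _domain(msg["To"])

    indicators = {
        "subject": subject.lower() == WORM_SUBJECT.lower(),
        "body_phrase": any(p.lower() in body for p in WORM_BODY_PHRASES),
        "same_domain": bool(sender_domain) and sender_domain == recipient_domain,
        "executable_attachment": any(n.endswith(EXECUTABLE_EXTENSIONS) for n in attachment_names),
    }
    others = sum(v for k, v in indicators.items() if k != "subject")
    return {"indicators": indicators, "suspicious": indicators["subject"] and others >= 2}


def build_sample(sender, recipient, subject, body, attachment_name=None):
    """Construct a test message; the attachment payload is a constructed stub."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm, one shaped like an ordinary bounce.
SAMPLES = {
    "worm_like": build_sample(
        "Mike@foodomain.foo", "someone@foodomain.foo", "Delivery Status (Failure)",
        "This is an automatically generated Delivery Status Notification.\n"
        "Delivery to last recipient failed.\n", "returned_mail.exe"),
    "ordinary_bounce": build_sample(
        "MAILER-DAEMON@mx.example.net", "someone@foodomain.foo",
        "Undelivered Mail Returned to Sender",
        "Your message could not be delivered to one or more recipients.\n"),
}


def scan_samples():
    """Run the check over every constructed sample, keyed by sample name."""
    return {name: analyse(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

The same-domain indicator is checked against the first recipient only; at a real gateway the envelope recipient is the better reference, since the worm forges the header sender to match the target's domain.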
Once executed, the worm copies itself to the Windows System directory as wintasks.exe and then opens Notepad.
It checks for presence in memory by means of the named mutex "MyNameIsEva".
It has a hardcoded list of SMTP servers:
It also tries to use the local SMTP server if none of the above work.
It creates four threads for sending mail and sleeps for 9 seconds between mail attempts.
The worm creates the following registry key so that it runs each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wintasks.exe, with its value set to the path in the Windows System directory to which it has just copied itself.
The interesting part is the way it gathers email addresses. It uses the Yahoo People Search web page and generates a random search string. In five out of six cases the string is composed of a consonant, followed by a vowel and then another letter (vowel or consonant), e.g. "can". In the remaining cases it generates a vowel followed by another letter (vowel or consonant). Every letter is chosen at random.