Win32.Evaman.D@mm

LOW
MEDIUM
23040 packed

Symptoms

Presence of the registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS Updates
with the value %SYSTEM%/syshosts.exe, and of the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SYSHOSTS.

Presence of the syshosts.exe file in the %SYSTEM% directory.

Removal instructions:

Manual removal:
Identify and kill the process (if active), then remove the registry keys and files from the system.

Analyzed By

Alexandru Carp BitDefender Virus Researcher

Technical description:
The worm arrives by e-mail. The main executable has an Internet Explorer icon.
When run, it tries to open the web site http://www.microsucks.com.

The worm opens a thread that scans every second for processes whose names contain any of the following strings:
task
msconfig
AV
MC
Av
Mc
av
mc
IEFrame
nti
iru
ire
cc
ecu
can
scn
KV
fr

and it terminates them.

The worm scans for e-mail addresses and then sends itself as an attachment.

The message subject is one of:
album
You've got a Virtual Postcard!


The message body:

my pics...*sexy*. Heheh! ;)
You have just received a new postcard from Flashecard.com!
To pick up your postcard follow this web address
http://www.flashecard.com.viewcard.main.ecard.php?2342
or click the attached link.
We hope you enjoy your postcard, and if you do, please
take a moment to send a few yourself!
http://www.flashecard.com
From:
(Your message will be available for 30 days.)
Please visit our site for more information.



The sender of the email is spoofed.

The message has an attachment whose name is composed of one of the following items:
photos_album
www.flashecard.com?postcard=viewcard?download

followed by one of:
.scr
.html.scr
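The subject, body and attachment-name indicators above translate directly into a mail-gateway check. The following is an added example written for this page, not Bitdefender's code: it compares a parsed message against the listed subjects, the stem+suffix attachment names and a few distinctive body phrases, and separately flags the generic ".html.scr" double-extension trick so that a variant with a new attachment stem still surfaces. The sample message in the usage call is constructed, not a captured sample.

```python
"""Mail-gateway check for the Evaman.D mailing pattern described above.

Added example, not Bitdefender's code: it compares a message's subject,
attachment file names and body text against the indicators listed on this
page. The sample message used in the usage call is constructed here.
"""

# Subject lines quoted in the description.
SUBJECTS = {"album", "You've got a Virtual Postcard!"}

# Attachment name = one stem + one suffix, exactly as listed on the page.
ATTACHMENT_STEMS = ("photos_album", "www.flashecard.com?postcard=viewcard?download")
ATTACHMENT_SUFFIXES = (".scr", ".html.scr")

# Distinctive phrases from the two message bodies (compared case-insensitively).
BODY_MARKERS = ("my pics...*sexy*", "flashecard.com")


def attachment_matches(name: str) -> bool:
    """True when the attachment name is one of the stem+suffix combinations."""
    return any(name == stem + suffix
               for stem in ATTACHMENT_STEMS
               for suffix in ATTACHMENT_SUFFIXES)


def has_scr_double_extension(name: str) -> bool:
    """Generic check: a screensaver executable hiding behind another extension."""
    lowered = name.lower()
    return lowered.endswith(".scr") and lowered.count(".") >= 2


def score_message(subject: str, body: str, attachments: list[str]) -> list[str]:
    """Return the names of the indicators that fired, so the caller can log them."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if any(marker in body.lower() for marker in BODY_MARKERS):
        hits.append("body")
    if any(attachment_matches(a) for a in attachments):
        hits.append("attachment")
    elif any(has_scr_double_extension(a) for a in attachments):
        hits.append("double-extension")
    return hits


def is_evaman_d(subject: str, body: str, attachments: list[str]) -> bool:
    """Verdict: an exact attachment name is decisive; otherwise require two indicators."""
    hits = score_message(subject, body, attachments)
    return "attachment" in hits or len(hits) >= 2


if __name__ == "__main__":
    # Constructed sample, assembled from the subject/body/attachment lists above.
    sample = ("album", "my pics...*sexy*. Heheh! ;)", ["photos_album.scr"])
    print(score_message(*sample), is_evaman_d(*sample))
```

The exact attachment name alone is enough for a verdict because it is specific to this worm; the subject "album" or the double extension on their own are too common, so they only count when combined.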




In order to get addresses, the worm checks the Windows Address Book (it gets the path from the registry) and then scans for files with the following extensions:
txt
htmb
htmlb
shtl
phpq
emll
msgq
aspd
dbxn
tbbg
adbh
wab

The worm avoids sending itself to addresses that contain any of the following strings:
syma
msn
hotmail
anda
opho
borlan
npris
xample
mydom
@domai
ruslis
.gov
.mil
@foo
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm
oogle
kernel
linux
fido
senet
@iana
ripe
isi.e
arin.
rfc-ed
isc.o
ecur
acketst
pgp
tanford.e
utgers.ed
ample
info
root@
ostmaster@
ebmaster@
you
ugs@
ating@
ontact@
soft
rivacy
ervice
help
ubmit@
feste
cert
page
upport
ntivi
istser
ertific
ccoun
spm
Spam
SPAM
spam
abuse
cafee
@messagelab
@avp
kasp
winzip
winrar
pdate
irus
ahoo
buse@
sale
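Both the process-kill list earlier in the description and the address-avoidance list above are plain "contains any of these strings" tests, so one example serves both passages. The following is an added example written for this page, not Bitdefender's code: it reproduces the two substring filters so a defender can see which process names on a host would be terminated (including collateral hits such as "ire" matching unrelated programs) and which harvested addresses the worm would skip. The separate AV/Av/av entries suggest a case-sensitive match, which the example assumes. The process list is complete; the address list is a labelled subset of the page's list. Every process name and address used as input is constructed.

```python
"""Case-sensitive substring filters from the Evaman.D description.

Added example, not Bitdefender's code. It reproduces the two "contains any of
these strings" tests the page describes, so a defender can see which process
names would be killed and which addresses the worm would skip. The separate
AV/Av/av entries suggest a case-sensitive match, which is assumed here. The
process list is complete; the address list is a labelled subset of the page's
list. All process and address inputs below are constructed.
"""

# Process-name fragments the worm looks for every second (complete list).
KILL_FRAGMENTS = [
    "task", "msconfig", "AV", "MC", "Av", "Mc", "av", "mc", "IEFrame",
    "nti", "iru", "ire", "cc", "ecu", "can", "scn", "KV", "fr",
]

# Subset of the address fragments the worm refuses to mail (see the full list).
AVOID_FRAGMENTS_SUBSET = [
    "syma", "msn", "hotmail", "xample", ".gov", ".mil", "root@", "abuse",
    "cafee", "@avp", "kasp", "irus", "ahoo", "cert", "upport", "soft", "you",
]


def matched_fragments(text: str, fragments: list[str]) -> list[str]:
    """Fragments found in text, in list order; case-sensitive like the worm."""
    return [f for f in fragments if f in text]


def processes_at_risk(process_names: list[str]) -> dict[str, list[str]]:
    """Map each process name that would be terminated to the fragments that hit it."""
    result = {}
    for name in process_names:
        hits = matched_fragments(name, KILL_FRAGMENTS)
        if hits:
            result[name] = hits
    return result


def addresses_skipped(addresses: list[str]) -> dict[str, list[str]]:
    """Addresses the worm would leave alone, with the fragment responsible."""
    result = {}
    for addr in addresses:
        hits = matched_fragments(addr, AVOID_FRAGMENTS_SUBSET)
        if hits:
            result[addr] = hits
    return result


def addresses_targeted(addresses: list[str]) -> list[str]:
    """Addresses that pass the avoidance filter and would receive the worm."""
    skipped = addresses_skipped(addresses)
    return [a for a in addresses if a not in skipped]


if __name__ == "__main__":
    # Constructed process list for a typical workstation.
    procs = ["taskmgr.exe", "avguard.exe", "mcshield.exe",
             "firefox.exe", "explorer.exe", "notepad.exe"]
    print(processes_at_risk(procs))
    # Constructed addresses mixing excluded and non-excluded patterns.
    addrs = ["bob@hotmail.com", "root@server.net", "jane@youngcompany.net",
             "carol@smallbiz.net", "support@vendor.net", "contact@megacorp.gov"]
    print(addresses_skipped(addrs))
    print(addresses_targeted(addrs))
```

Two things the output makes visible: the fragment match is crude enough that a browser named with "ire" in it is killed alongside security tools, and the avoidance list excludes so many generic fragments ("you", "soft", "info") that the worm skips a large share of ordinary addresses, which is why the mail volume from an infected host is lower than the harvested address count suggests.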