
Win32.Eiram.A@mm

LOW
MEDIUM
57344 bytes
(W32/Eira.A@mm, I-Worm.Quamo)

Symptoms

  • Folder C:\Eiram with the file quake4setup.exe
  • File F:\quake4setup.exe

Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version.

  2. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;
    2. Delete the following keys:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Q4
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Quake
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Q4
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quake

  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Eiram.A@mm.

    Analyzed by: Costin Ionescu, BitDefender Virus Researcher

    Technical Description:

    This is an Internet worm pretending to be a demo for Quake 4, and it contains a payload which destroys executables and documents. The worm arrives through e-mail as an attached file. The e-mail looks like this:

    From:

    Subject: one of the following:
    Something very special
    I know you will like this
    Yes, something I can share with you
    Wait till you see this!
    A brand new game! I hope you enjoy it

    Body: contains:
    This is something you have to see!
    Till next time
    Is Internet that safe?
    Hey you, take a look at the attached file.
    You won't believe your eyes when you open it!
    You like games like Quake? You will enjoy this one.
    Did you see the pictures of me and my battery operated boyfriend?
    My best friend.
    Check it out

    Attachment: one of these names:
    quake4demo.exe
    setup.exe
    honey.exe

    An example of such an e-mail is this:

    When executed, the virus displays the following image:

    Meanwhile it copies itself into the Windows directory and creates the folder C:\Eiram, into which it copies the file quake4demo.exe. This is probably a bug, because the copy works only if the attachment was named quake4demo.exe. If C:\Eiram already exists, it tries to copy the file to the root of drive F:.

    After copying, it writes the following values under the Run keys so that it is restarted at every Windows session:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Q4
    with the value c:\eiram\quake4demo.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Quake
    with the value f:\quake4demo.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quake
    with the value f:\quake4demo.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Q4
    with the value c:\eiram\quake4demo.exe
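    As an added example (not part of the Bitdefender write-up), the following PowerShell script inventories the persistence values and dropped files listed on this page and removes them only on request, so an administrator can confirm the indicators before cleaning. The Run value names, both file names given on the page and the 57344-byte size come from the page; the function names are my own, and the copy the worm places in the Windows directory is not covered because the page does not give its name.

```powershell
# Added example, not from the Bitdefender write-up: locate the artifacts this
# page lists. Find-EiramArtifacts only reports; Remove-EiramArtifacts deletes,
# and supports -WhatIf to preview. Note: the page calls Q4 and Quake "keys";
# they are values stored under the Run key, so they are removed as properties.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$ValueNames = @('Q4', 'Quake')
# Both file names appear on this page (Symptoms vs. technical description).
$DroppedFiles = @('C:\Eiram\quake4demo.exe', 'C:\Eiram\quake4setup.exe',
                  'F:\quake4demo.exe',       'F:\quake4setup.exe')
$KnownSize = 57344   # size in bytes stated on this page

function Find-EiramArtifacts {
    $hits = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $ValueNames) {
            $p = $props.PSObject.Properties[$name]   # $null when the value is absent
            if ($null -ne $p) {
                $hits += [pscustomobject]@{ Kind = 'RunValue'; Key = $key; Name = $name; Data = $p.Value }
            }
        }
    }
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $len = (Get-Item -LiteralPath $path).Length
            $hits += [pscustomobject]@{ Kind = 'File'; Key = $path; Name = ''; Data = "$len bytes (page states $KnownSize)" }
        }
    }
    return $hits
}

function Remove-EiramArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($h in Find-EiramArtifacts) {
        if ($h.Kind -eq 'RunValue') {
            if ($PSCmdlet.ShouldProcess("$($h.Key)\$($h.Name)", 'Remove Run value')) {
                Remove-ItemProperty -Path $h.Key -Name $h.Name
            }
        } elseif ($PSCmdlet.ShouldProcess($h.Key, 'Delete dropped file')) {
            Remove-Item -LiteralPath $h.Key -Force
        }
    }
}

Find-EiramArtifacts | Format-Table -AutoSize   # inventory first; then Remove-EiramArtifacts -WhatIf
```

    Run it from an elevated session so the HKLM values are visible and removable, and follow it with the full scan the removal instructions call for, since the overwritten documents and executables are not recoverable by deleting the persistence entries.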

    It also randomly overwrites some files in the current directory (the first time this is the Temp directory) and in the System directory that have the extensions exe, ocx, xls, doc, htm, html or mdb, replacing their contents with the text:

    You've didn't protected your files well enough
    Let this be a lesson! Never trust someone else

    eiram 1999-2001