Virus Profile: W32/Evaman.c@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 8/3/2004
Date Added: 8/3/2004
Origin: Unknown
Length: 21,504 bytes (UPX)
Type: Virus
Subtype: E-mail
DAT Required: 4383
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the file winlibs.exe in the WINDOWS SYSTEM32 directory and registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "winlibs.exe" = C:\WINDOWS\System32\winlibs.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs

Methods of Infection

This virus spreads via email.  Users must choose to open the attachment in order to become infected.  Once infected, the compromised system is used to propagate the virus further by sending infected messages to address found on the local system and the web.

Aliases

I-Worm.Mydoom.o (AVP), W32/Mydoom.q@MM, WORM_MYDOOM.O (Trend)
   

Virus Characteristics

-- Update August 4, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at::
https://news.zdnet.co.uk/business/legal/0,39020651,39162570,00.htm
--

This mass-mailing virus arrives as an email attachment with the following characteristics:

From: (spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

The from address is constructed by taking a common name carried within the virus body and prepending it to the recipients domain name. (ie. john@mydomain.com)

The common names used are as follows:

  • barbara
  • daniel
  • david
  • eric
  • jason
  • jennifer
  • jessica
  • joe
  • john
  • karen
  • kevin
  • linda
  • mary
  • mike
  • nancy
  • pamela
  • patricia
  • robert
  • sarah
  • susan

Subject: (one of the following)

  • Delivery Status (Secure)
  • failed transaction
  • Re: Extended Mail
  • Re: hello (Secure-Mail)
  • Re: Server Reply
  • Secure delivery
  • SN: New secure mail
  • SN: Server Status

Body: (varies, such as)

Part 1

  • domain  :: Automatically Secure Delivery: for email address
  • domain  :: Mail Delivery Server System: for email address
  • domain  :: Extended secure mail message available at: email address
  • domain  :: Secure Mail Server Notification: for email address
  • domain  :: New mail secure method implement: for email address

Part 2

  • New policy requested by mail server to returned mail
    as a secure compiled attachment (Zip).
  • Now a new message is available as secure Zip file format.
    Due to new policies on clients.
  • This message is available as a secure Zip file format
    due to a new security policy.
  • For security measures this message has been packed as Zip format.
    This is a newly added security feature.
  • New policy recommends to enclose all messages as Zip format.
    Your message is available in this server notice.
  • You have received a message that implements secure delivery technology.
    Message available as a secure Zip file.

Part 3

  • This message is an automatically server notice
    from Administration at domain
  • Server Notice: New security feature added. MSG:ID: 455sec86
    from domain
  • New feature added for security reasons
    from domain
  • Automatically server notice:,
    Server reply from domain
  • New service policy for security added from domain

Attachment: (one of the following)

  • attachment
  • document
  • file
  • mail
  • message
  • readme
  • text
  • transcript

Followed by one of the following

  • .zip
  • .exe
  • -txt.exe
  • -htm.exe
  • -txt.scr

When the attachment is manually executed, the virus will run Notepad.

The virus copies itself to the WINDOWS SYSTEM (such as c:\Windows\System32) directory as winlibs.exe , and creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "winlibs.exe" = C:\WINDOWS\System32\winlibs.exe

Additionally, the following registry keys are created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\winlibs

The virus extracts e-mail addresses from the local system by analyzing files that contain the following extensions:

  • adb
  • asp
  • cfg
  • dbx
  • dhtm
  • eml
  • htm
  • html
  • js
  • jse
  • jsp
  • mmf
  • msg
  • ods
  • php
  • pl
  • sht
  • shtm
  • shtml
  • tbb
  • txt
  • wab
  • xml

The virus also queries Yahoo for additional recipient addresses.

Additionally, the virus avoids email addresses containing the following strings:

  • .edu
  • .gov
  • .mil
  • @MM
  • @mm
  • 32.
  • ample
  • arsoft
  • ating
  • avp
  • Bug
  • bug
  • buse
  • cafee
  • ccoun
  • cribe
  • CRIBE
  • dmin
  • ebmast
  • ecur
  • eport
  • eturn
  • gmail
  • help
  • ibm
  • ICROSOFT
  • icrosoft
  • inpris
  • inrar
  • inux
  • inzip
  • irus
  • ists
  • list
  • msdn
  • msn
  • nfo
  • ntivi
  • omain
  • omment
  • ompu
  • oogle
  • oot
  • opho
  • orton
  • otmail
  • panda
  • pdate
  • persk
  • rend
  • ruslis
  • Sale
  • sale
  • sarc
  • senet
  • soft
  • spam
  • Spam
  • SPAM
  • ugs
  • umit
  • upport
  • user
  • USER
  • ware
  • win
  • ymant
  • YOU
  • you
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.
   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95