Win32.Evaman.A@mm
SYMPTOMS:
Presence of the registry keys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wintasks
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wintasks.exe with the value %SYSTEM%/wintasks.exe
Presence of the wintasks.exe file in the %SYSTEM% directory.
Presence of a named mutex "MyNameIsEva".

TECHNICAL DESCRIPTION:
The worm arrives by mail, with the following characteristics:

The message subject is one of:
  returned mail
  failure delivery
  failed transaction
  server error
  mail failure
  Delivery Status (Failure)

The message body is one of the following texts:
  This is an automatically generated Delivery Status Notification. Delivery to last recipient failed. Email returned as attachment text file. Message from Mail Delivery Server. Unable to deliver message to last recipient. Email returned as text file. Email returned by the server as ASCII Text mail file. To read the email download the included attachment. Mail Server Notice: Last email sent could not reach intented destination. Email returned as ASCII text file. The last email sent by this account could not reach intended destination. Email has been returned as text file attachment. Mail Delivery Status Notification: Message returned by server. Message returned as text file attachment.

The message comes from the same domain as the target's, and the user part is one of: Mike, Jennifer, David, Linda, Susan, Nancy, Pamela, Eric, Kevin, Mary, Jessica, Patricia, Barbara, Karen, Sarah, Robert, John, Daniel, Jason, Joe. Example: if the target is foo@foodomain.foo, the sender might be Mike@foodomain.foo.

The message has an attachment whose name is composed of one of the following items: body, message, returned, text, document, followed by a last part which is one of: scr, txt.scr, html.scr, outlook.scr, txt.exe. Example: message.html.scr

Once executed, the worm copies itself to the Windows System directory as wintasks.exe and then opens Notepad.
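As an added example (not part of the BitDefender write-up), the mailing characteristics above turned into a gateway-side check in Python: a message is flagged when the worm's attachment naming pattern appears together with either a listed subject or a spoofed first-name sender at the recipient's own domain. The sample messages are constructed.

```python
import re

# Subjects, sender names and attachment parts taken from the description above.
SUBJECTS = {
    "returned mail", "failure delivery", "failed transaction",
    "server error", "mail failure", "delivery status (failure)",
}
SENDER_NAMES = {
    "mike", "jennifer", "david", "linda", "susan", "nancy", "pamela", "eric",
    "kevin", "mary", "jessica", "patricia", "barbara", "karen", "sarah",
    "robert", "john", "daniel", "jason", "joe",
}
# <body|message|returned|text|document>.<scr|txt.scr|html.scr|outlook.scr|txt.exe>
ATTACHMENT_RE = re.compile(
    r"^(body|message|returned|text|document)\."
    r"(scr|txt\.scr|html\.scr|outlook\.scr|txt\.exe)$",
    re.IGNORECASE,
)

def evaman_indicators(sender, recipient, subject, attachments):
    """Return the names of the worm indicators this message matches."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject")
    # The worm spoofs a first name from its list at the recipient's own domain.
    s_user, _, s_dom = sender.strip().lower().rpartition("@")
    _, _, r_dom = recipient.strip().lower().rpartition("@")
    if s_user in SENDER_NAMES and s_dom and s_dom == r_dom:
        hits.append("spoofed-sender")
    if any(ATTACHMENT_RE.match(a.strip()) for a in attachments):
        hits.append("attachment")
    return hits

def is_evaman_mail(sender, recipient, subject, attachments):
    """Flag only when the attachment pattern is joined by at least one other
    indicator, so a genuine bounce or a real colleague named Mike passes."""
    hits = evaman_indicators(sender, recipient, subject, attachments)
    return "attachment" in hits and len(hits) >= 2

SAMPLE_MAIL = [  # constructed samples, not captured traffic
    {"sender": "Mike@foodomain.foo", "recipient": "foo@foodomain.foo",
     "subject": "returned mail", "attachments": ["message.html.scr"]},
    {"sender": "mailer-daemon@isp.example", "recipient": "foo@foodomain.foo",
     "subject": "returned mail", "attachments": ["undelivered.txt"]},
    {"sender": "Kevin@foodomain.foo", "recipient": "foo@foodomain.foo",
     "subject": "see attached", "attachments": ["document.txt.exe"]},
]

def scan(messages):
    """Return the messages that match the worm's mailing pattern."""
    return [m for m in messages if is_evaman_mail(**m)]
```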
It checks for its presence in memory by means of the named mutex "MyNameIsEva".

It has a hardcoded list of SMTP servers: smtp.mail.yahoo.com, smtp.rcn.com, outgoing.verizon.net, smtp.comcast.net, mail.mindspring.com, smtp.email.msn.com, smtpauth.earthlink.net, smtp-server.nc.rr.com, smtp1.attglobal.net, mailhost.att.net, mail.optonline.net, mail.peoplepc.com, smtpout.bellatlantic.net, mail.verio.net, smtp.netzero.net, smtp.prodigy.net. It also tries to use the local SMTP server if none of the above work. It creates four threads for sending mail and sleeps 9 seconds between mail attempts.

The worm creates the following registry key so as to run each time Windows starts:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wintasks.exe
with the value set to the path in the Windows System directory where it has just copied itself.

The interesting part is the way it gathers email addresses. It uses the Yahoo People Search web page and generates a random search string. In five out of six cases the string is a consonant, followed by a vowel, followed by another letter (vowel or consonant), e.g. "can". In the remaining cases it generates a vowel followed by another letter (vowel or consonant). Every letter is chosen at random.

REMOVAL INSTRUCTIONS:
Manual removal: identify and kill the process (if active), then remove the registry keys and files from the system.
Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY: Alexandru Carp, BitDefender Virus Researcher