Summary

| Protection available since | 5 July 2004 03:22:31 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
If W32/Evaman-A is running on Windows 2000 or Windows XP, it will almost always appear in the task list with the name "wintasks.exe". This task can be terminated with the [End Process] option in the Windows Task Manager. Once the worm is stopped, all infectious files can be deleted using Sophos Anti-Virus.
More Information
W32/Evaman-A is a mass mailing worm.
When W32/Evaman-A infects your computer, it copies itself to the Windows system folder using the name wintasks.exe and creates the following registry entry so that it activates whenever you log on to your computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
wintasks.exe = wintasks.exe
W32/Evaman-A builds up a list of email addresses to target by using the email address search feature of Yahoo mail. This involves making HTTP requests to:
email.people.yahoo.com
Emails are sent to the harvested addresses using a From address which has the same domain as the recipient. For example, if you are "person@example.com", the sender will appear to be someone like "Kevin@example.com". The sender name used is one of: David, Linda, Susan, Nancy, Pamela, Kevin, Jessica, Patricia, Barbara, Karen, Sarah, Robert, Daniel and Jason.
Emails sent out by W32/Evaman-A pretend to be automatic responses from a mail server, and have one of the following subject lines:
- returned mail
- failure delivery
- failed transaction
- server error
- mail failure
- Delivery status (Failure)
The email body text consists of a short error message which attempts to justify why an attachment has been included with the mail. This body text claims that the attachment is just a text file, but it is actually a Windows program. The filenames used for the attachment include:
- body
- email
- message
- returned
- document
The extension given to the attachment is intended to be ".scr" or ".exe". Often there is a double extension, e.g. "html.scr" or "txt.scr", and the worm sometimes attempts to use the extension "outlook.scrtxt.exe". However, bugs in the worm sometimes corrupt the extension, so that almost any characters (including non-ASCII or "unprintable" text) may appear at the end of the filename.
All emails generated by W32/Evaman-A include the following incorrectly-spelled line of text:
This is a multi-part message in MIME formart
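
The indicators listed above can be combined into a mail-gateway check. The following Python sketch is an added example, not Sophos code: the function name, the indicator labels and the sample message are constructed for illustration, and only the indicator values come from this description.

```python
import email
from email.utils import parseaddr

# Indicator values below are taken from the description above.
SUBJECTS = {"returned mail", "failure delivery", "failed transaction",
            "server error", "mail failure", "delivery status (failure)"}
SENDERS = {"david", "linda", "susan", "nancy", "pamela", "kevin", "jessica",
           "patricia", "barbara", "karen", "sarah", "robert", "daniel", "jason"}
STEMS = {"body", "email", "message", "returned", "document"}
MISSPELLED = b"This is a multi-part message in MIME formart"


def evaman_indicators(raw: bytes) -> list[str]:
    """Return labels (hypothetical names) of the indicators found in one raw message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if MISSPELLED in raw:
        hits.append("misspelled-mime-line")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_dom = sender.partition("@")
    if s_local in SENDERS and s_dom and s_dom == rcpt.partition("@")[2]:
        hits.append("sender-in-recipient-domain")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.partition(".")
        if stem in STEMS and ext:
            hits.append("attachment-stem")
            # The extension is often garbled, so .scr/.exe is a separate signal.
            if name.endswith((".scr", ".exe")):
                hits.append("attachment-executable-ext")
    return hits


# Constructed sample message (not a captured one); the payload is harmless text.
SAMPLE = (b"From: Kevin@example.com\r\n"
          b"To: person@example.com\r\n"
          b"Subject: failed transaction\r\n"
          b"MIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"This is a multi-part message in MIME formart\r\n"
          b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
          b"--b1\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="message.txt.scr"\r\n\r\n'
          b"placeholder\r\n--b1--\r\n")

print(evaman_indicators(SAMPLE))
```

Because the worm's extension handling is unreliable, the filename stem is reported even when the ".scr"/".exe" suffix is missing; the misspelled MIME line is the one indicator the description says is present in every message.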
