Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Destroys files
Detection files: published
Description created: 28 Nov 2001 05:00:00
Description updated: 26 Nov 2002 04:12:00
Malware type: WORM
Alias: I-Worm.Quamo, Win32.Q4Like.A, Win32.HLLM.Rocket.57344
Spreading mechanism: EMAIL, NETWORK
Summary: None

W32/Eira.A@mm

Spreading

The worm spreads by sending itself to addresses in the Outlook address book. It has a list of possible subjects and body texts, from which it selects at random.

Possible subjects are:

1. A brand new game! I hope you enjoy it
2. Something very special
3. I know you will like this
4. Yes, something I can share with you
5. Wait till you see this!

When executed it will copy itself to C:\EIRAM\QUAKE4DEMO.EXE, F:\QUAKE4DEMO.EXE, %WINDIR%\QUAKE4DEMO.EXE, %WINDIR%\HONEY.EXE and %WINDIR%\SETUP.EXE.

It creates the following registry keys:

HKLM\Software\Microsoft\Windows\Currentversion\Run
    Q4 = C:\EIRAM\QUAKE4DEMO.EXE
    quake = F:\QUAKE4DEMO.EXE

HKCU\Software\Microsoft\Windows\Currentversion\Run
    quake = C:\EIRAM\QUAKE4DEMO.EXE
    Q4 = F:\QUAKE4DEMO.EXE

It will then display a message screen containing two buttons. The "next" button is disabled, so the only option is to press the "cancel" button, in which case the worm will start its emailing routine.

Payload Details

On some occasions it will overwrite EXE, XLS and OCX files with the following text:

You've didn't protected your files well enough
Let this be a lesson! Never trust someone else
eiram 1999-2001
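A triage check built from the artefacts described above, as an added example that is not part of the original Lumension entry. The function names are hypothetical, and it assumes the Run-key listing is supplied as the text output of Windows `reg query` and that the overwrite text sits within the first 512 bytes of a damaged file.

```python
import re
from pathlib import Path

# Indicators copied from the description above.
RUN_VALUE_NAMES = {"q4", "quake"}
DROPPED_BASENAME = "quake4demo.exe"
TARGET_EXTENSIONS = {".exe", ".xls", ".ocx"}
# Substring of the overwrite text; a fragment is used because the original
# line breaks of the message are not known (assumption).
PAYLOAD_MARKER = b"Let this be a lesson! Never trust someone else"

# A value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def suspicious_run_values(reg_query_output):
    """Return (name, data) pairs from Run-key output that match the worm."""
    hits = []
    for line in reg_query_output.splitlines():
        match = REG_LINE.match(line)
        if not match:
            continue  # key header or blank line
        name, _type, data = match.groups()
        data = data.strip()
        basename = data.strip('"').rsplit("\\", 1)[-1].lower()
        if name.lower() in RUN_VALUE_NAMES and basename == DROPPED_BASENAME:
            hits.append((name, data))
    return hits


def overwritten_files(root, head_bytes=512):
    """Return EXE/XLS/OCX files under root whose first bytes hold the payload text."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        try:
            with path.open("rb") as handle:
                head = handle.read(head_bytes)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if PAYLOAD_MARKER in head:
            hits.append(path)
    return sorted(hits)
```

Run `suspicious_run_values` over the `reg query` output for both the HKLM and HKCU Run keys, and `overwritten_files` over each data volume; a hit from the second function identifies files that need restoring from backup.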

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12