Evaman.D spreads via email in a message with variable characteristics. It looks for email addresses in files with the following extensions: adb, asp, dbx, eml, htmb, html, msg, php, pl, sht, tbb, txt and wab-, and sends itself out to them using its own SMTP engine.
Every five seconds, Evaman.D checks if there are active processes in memory -with names that coincide with certain text strings- and if there are, it terminates them. Some of these processes belong to antivirus programs, so Evaman.D can leave computers vulnerable to attack from other malicious code.
To make sure that only one copy of the virus runs at any one time, Evaman.D creates the mutex BigUptoMDauthor_thx4sharing.
The next worms we'll look at are the AB, Z and X variants of Mydoom, which also spread in an email with variable characteristics. The three worms connect to various websites from which they try to download and install a backdoor Trojan.
Mydoom.AB and Mydoom.Z differ from Mydoom.X in various aspects including:
- They spread through the Kazaa (P2P) file-sharing program.
- They terminate processes belonging to security programs including antivirus solutions and firewalls, leaving computers vulnerable to further attack from other malware.
- They prevent access to certain antivirus websites, stopping these applications from updating and detecting new threats.
Mydoom.X, on the other hand creates the mutex LLLf54fxrDLLL, to make sure that only one copy of the virus runs at any one time.
For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.
- Firewall: This is a barrier that can protect information in a system or network when there is a connection to another network, for example, the Internet
- Mutex: Some viruses can use a mutex to control access to resources (examples: programs or even other viruses) and prevent more than one process from simultaneously accessing the same resource.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.