
Cayam worm targets eBay users

Updated December 16, 2003
A mass-mailing email worm that also spreads via P2P networks targets eBay users in a fashion similar to Mimail.J's targeting of PayPal users. The worm, dubbed W32.HLLW.Cayam@mm by antivirus vendor Symantec, was discovered on December 16, 2003. Users who open the Cayam worm will be presented with a screen that mimics the look and feel of the legitimate eBay site. Information requested by the worm includes the user's eBay login ID and password, credit card and banking details, social security number and other personal financial details. Inputting this information provides the Cayam worm author with more than enough details to pull off credit card fraud or even complete identity theft.

Via email, the worm arrives as an attachment named eBayVerify.exe. Via KaZaA and eMule P2P networks, the worm disguises itself as Mayacrack.exe and 3dsmaxcrack.exe, respectively. Crack programs are frequently sought after on filesharing networks by users who wish to illegally break into copies of software in violation of copyright. There is an odd sort of irony to a worm which attempts to steal financial details from persons who are stealing software.

Using addresses found in the Windows address book, the Cayam worm composes and sends itself via email as follows:

    Subject: Verify your eBay account information

    Dear Ebay user,
    Dear valued member, It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay`s online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.

    Please open attachment to update your billing records.

    Thank you for your time!

    Marry Kimmel,

Method of infection
The Cayam worm drops copies of itself as follows:

C:\Windows\Msfind32.exe
C:\eBayVerify.exe
C:\Program Files\Kazaa\My Shared Folder\Mayacrack.exe
C:\Program Files\eMule\Incoming\3dsmaxcrack.exe

The Cayam worm modifies the following system Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

adding the following value:

"MSFind32"="c:\windows\msfind32.exe"

allowing the worm to load when the system is rebooted and Windows starts.

Removing the worm
Locate and delete the Registry edits made by the worm. Locate and delete the files dropped by the worm.
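
The locate-and-delete steps above, as an added PowerShell example that is not part of the original article. It checks only the two Registry keys, the MSFind32 value and the four file paths listed on this page; the -Remove switch and the variable names are assumptions of this example.

```powershell
# Added example: locate (and optionally remove) the Cayam artifacts listed on this page.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)   # hypothetical switch: report only unless -Remove is given

# Autostart keys and value name exactly as listed on the page.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$valueName = 'MSFind32'

# Dropped file paths exactly as listed on the page.
$files = @(
    'C:\Windows\Msfind32.exe',
    'C:\eBayVerify.exe',
    'C:\Program Files\Kazaa\My Shared Folder\Mayacrack.exe',
    'C:\Program Files\eMule\Incoming\3dsmaxcrack.exe'
)

$findings = @()

# Registry first, so the worm is not relaunched at the next boot.
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$valueName"; Detail = $prop.$valueName }
        if ($Remove -and $PSCmdlet.ShouldProcess("$key\$valueName", 'Delete value')) {
            Remove-ItemProperty -LiteralPath $key -Name $valueName
        }
    }
}

# Then the dropped copies of the worm.
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $size = (Get-Item -LiteralPath $file -Force).Length
        $findings += [pscustomobject]@{ Type = 'File'; Location = $file; Detail = "$size bytes" }
        if ($Remove -and $PSCmdlet.ShouldProcess($file, 'Delete file')) {
            Remove-Item -LiteralPath $file -Force
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'None of the Cayam artifacts listed on this page were found.' }
```

Run it from an elevated prompt without -Remove to report only; adding -Remove -WhatIf lists what would be deleted without changing anything.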
