Via email, the worm arrives as an attachment named eBayVerify.exe. Via KaZaA and eMule P2P networks, the worm disguises itself as Mayacrack.exe and 3dsmaxcrack.exe, respectively. Crack programs are frequently sought after on filesharing networks by users who wish to illegally break into copies of software in violation of copyright. There is an odd sort of irony to a worm which attempts to steal financial details from persons who are stealing software.
Using addresses found in the Windows address book, the Cayam worm composes and sends itself via email as follows:
- Subject: Verify your eBay account information
Dear Ebay user,
Dear valued member, It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay`s online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
Please open attachment to update your billing records.
Thank you for your time!
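A mail-gateway check for the lure described above, written as an added example (not code from the original page or from any vendor). The executable-extension list and the sample messages are constructed assumptions; the subject line and attachment name come from the description.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
LURE_SUBJECT = "verify your ebay account information"
LURE_ATTACHMENT = "ebayverify.exe"
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

def check_message(raw):
    """Return the reasons a raw RFC 5322 message matches the Cayam lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Collapse folded whitespace and ignore case before comparing.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == LURE_SUBJECT:
        reasons.append("subject matches lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == LURE_ATTACHMENT:
            reasons.append("attachment named eBayVerify.exe")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append("executable attachment: " + name)
    return reasons

def build_sample(subject, filename=None):
    """Build a constructed test message; the payload is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please open attachment to update your billing records.")
    if filename:
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    samples = [("Verify your eBay account information", "eBayVerify.exe"),
               ("Lunch on Friday", None),
               ("Invoice", "report.PIF")]
    for subject, filename in samples:
        print(subject, "->", check_message(build_sample(subject, filename)))
```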
Method of infection
The Cayam worm drops copies of itself as follows:
C:\Program Files\Kazaa\My Shared Folder\Mayacrack.exe
The Cayam worm modifies the following system Registry keys:
adding the following value:
allowing the worm to load when the system is rebooted and Windows starts.
Removing the worm
Locate and delete the Registry edits made by the worm. Locate and delete the files dropped by the worm.