
Evaman.c worm

Virus description

From , former About.com Guide

August 4, 2004

Evaman.c is a mass-mailing email worm that, like its predecessor Evaman.a, uses the Yahoo People Search database to obtain email addresses for its malicious mailings. Despite the clear connection to the Evaman family of worms, a small number of antivirus vendors are classifying Evaman.c as a MyDoom variant. For example, Trend Micro considers it MyDoom.O and Sophos has declared it MyDoom.Q. Antivirus vendors McAfee and Symantec both recognize the variant as Evaman.c.

The email composed by the Evaman.c worm has the following characteristics:

The From address in the email is spoofed.

The To address is obtained from email.people.yahoo.com queries.

The subject will be any one of the following:

    Delivery Status (Secure)
    SN: New secure mail
    Secure delivery
    failed transaction
    Re: hello (Secure-Mail)
    Re: Extended Mail
    Re: Server Reply
    SN: Server Status

The message body varies, masquerading as notifications from system and domain administrators.

The attachment may be a ZIP, SCR or EXE and the filename is composed of two parts. The first part will be any one of the following:

    readme
    mail
    message
    attachment
    transcript
    text
    document
    file

The second part will be any one of the following:

    .scr
    .exe
    -txt.exe
    -htm.exe
    -txt.scr
    zip

For example, the message attachment may be 'body.scr' or 'returned.html.scr'.
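The subject and attachment-name lists above can be turned into a simple mail-filter check. The following is an added example, not part of the original article: the function names and the sample messages are constructed for illustration, and the final suffix entry "zip" is assumed to mean ".zip".

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicator lists copied from the description above.
SUBJECTS = {s.lower() for s in (
    "Delivery Status (Secure)", "SN: New secure mail", "Secure delivery",
    "failed transaction", "Re: hello (Secure-Mail)", "Re: Extended Mail",
    "Re: Server Reply", "SN: Server Status",
)}
STEMS = ("readme", "mail", "message", "attachment",
         "transcript", "text", "document", "file")
# Assumption: the page lists "zip" without a dot; it is treated as ".zip" here.
SUFFIXES = (".scr", ".exe", "-txt.exe", "-htm.exe", "-txt.scr", ".zip")
NAMES = {stem + suffix for stem in STEMS for suffix in SUFFIXES}


def evaman_c_indicators(raw: bytes) -> list[str]:
    """Return the listed indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject")
    # Walk every MIME part so nested attachments are checked as well.
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in NAMES:
            hits.append("attachment:" + name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message carrying one small inert attachment."""
    msg = EmailMessage()
    msg["From"] = "admin@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"inert", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("SN: Server Status", "document-txt.scr"),
                        ("Quarterly report", "report.pdf")]:
        print(subj, fname, evaman_c_indicators(build_sample(subj, fname)))
```

The subjects are generic phrases, so a subject hit alone is a weak signal and is best combined with an attachment hit. The two example filenames quoted above ('body.scr', 'returned.html.scr') are not built from the listed parts, so this list-based match does not flag them.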
