Evaman.c worm

Action on infection

From , former About.com Guide

When the Evaman.c email attachment is opened, Evaman.c copies itself to the Windows system folder as 'winlibs.exe'.

Note: By default, the Windows system directory is:
Windows 95/98/ME --> C:\Windows\System
Windows NT/2000  --> C:\Winnt\System32
Windows XP       --> C:\Windows\System32

Evaman.c modifies the system registry so that it loads when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winlibs.exe"="%System%\winlibs.exe"

or

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winlibs"="%System%\winlibs"

and creates the following registry key as well:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Winlibs

or

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Winlibs
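
A check for the registry artifacts listed above, as an added example that is not part of the original write-up: it parses `reg export` text (assumed already decoded from UTF-16) and flags the Run values and the Explorer\Winlibs key. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above; registry paths compare case-insensitively.
HIVES = ("hkey_local_machine", "hkey_current_user")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"\software\microsoft\windows\currentversion\explorer\winlibs"
VALUE_NAMES = ("winlibs", "winlibs.exe")
# Data pointing at a file called winlibs or winlibs.exe in any directory.
DATA_RE = re.compile(r'(^|\\)winlibs(\.exe)?("|\s|$)', re.IGNORECASE)
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of `reg export` text (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"winlibs.exe"="C:\\WINDOWS\\System32\\winlibs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Winlibs]
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:  # .reg files escape backslash and quote with a backslash
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def find_evaman_c(keys):
    """Return (kind, key_path, detail) tuples for the artifacts described above."""
    hits = []
    for path, values in keys.items():
        hive, _, rest = path.lower().partition("\\")
        if hive not in HIVES:
            continue
        if "\\" + rest == MARKER_KEY:
            hits.append(("marker-key", path, ""))
        elif "\\" + rest == RUN_KEY:
            for name, data in values.items():
                if name.lower() in VALUE_NAMES or DATA_RE.search(data):
                    hits.append(("run-value", path, f"{name}={data}"))
    return hits
```

Calling `find_evaman_c(parse_reg_export(SAMPLE))` returns one Run-value hit and one marker-key hit; the presence of winlibs.exe in the system folder still has to be checked on disk.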

Evaman.c attempts to shut down various security software found running on infected systems. In addition to collecting email addresses from local files, Evaman.c harvests email addresses by periodically querying http://email.people.yahoo.com, and it sends itself to any addresses found.

Evaman.c contains a malicious payload. On or after January 2006, the worm will attempt to shut down or restart the system, or log off the current user.
