W32/Cayam.worm!p2p

This page shows details and results of our analysis on the malware W32/Cayam.worm!p2p

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4267 (2003-05-28)

Updated DAT

4267 (2003-05-28)

Minimum Engine

5.1.00

File Length

35,840 Bytes

Description Added

2003-12-18

Description Modified

2003-12-18


Characteristics

-- Update 18th December 2003 --
This threat is considered to be a Low-Profiled risk due to media attention at:  http://antivirus.about.com/cs/allabout/a/cayam.htm

This worm is intended to propagate via email and P2P file-sharing networks. It is written in Microsoft Visual Basic and packed with UPX. It bears the following characteristics:

  • Mails itself (using Outlook) to recipients in the Outlook address book
  • Shares itself via KaZaa and eMule file sharing P2P networks as MAYACRACK.EXE and 3DSMAXCRACK.EXE respectively
  • Attempts to extract user information by providing a fake eBay information verification screen. Data entered into the form is sent via HTTP (port 80)

Proactive Detection

McAfee products running the 4.2.40 (or later) engine detect this threat as W32/Generic.worm!p2p since the 4267 DATs.

Mail Propagation

The worm uses Microsoft Outlook to mail itself to recipients in the Outlook address book. Outgoing messages are constructed as follows:

Subject: Verify your eBay account information

Body:
Dear Ebay user,
Dear valued eBay member, It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay's online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.

Please open attachment to update your billing records.

Thank you for your time!
Marry Kimmel,

Attachment: eBayVerify.exe

P2P Propagation

The worm copies itself to the following locations in order to spread via the KaZaa and eMule P2P file-sharing networks (the file names pose as cracks for popular 3D modelling software):

  • c:\Program Files\KazAa\My Shared Folder\Mayacrack.exe
  • c:\Program Files\eMule\Incoming\3dsmaxcrack.exe

Data Stealing

This worm tries to trick users with a fake eBay account verification screen. Users are prompted to verify their account by entering information such as their name, address, social security number, and credit card details. Once collected, the information is submitted via HTTP (port 80) to be processed by a script on the following remote server:

www.csk2.com

The initial screen mimics an eBay logon page. Once signed in, the user is presented with a larger form intended to gather information, including credit card and bank details. After this form is submitted, a fake "verification complete" message is displayed. (The screenshots of these three screens are not reproduced here.)
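The submission described above travels as an ordinary HTTP request to www.csk2.com, so an incident responder with a packet or proxy capture can confirm the exfiltration and see which fields were stolen. The following added example (not McAfee code) parses a raw HTTP/1.x request, flags it when the Host header is the server named on this page, and lists the form fields it carried. The request path, the form field names and the sample request itself are constructed for the example; only the destination host and the use of HTTP on port 80 come from the description.

```python
"""Inspect a captured HTTP request for the W32/Cayam.worm!p2p exfiltration POST.

Added example, not McAfee code. C2_HOST is from the description; the URL
path, form field names and SAMPLE_EXFIL are constructed for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

C2_HOST = "www.csk2.com"  # remote server named in the description

# Hypothetical field names that a fake eBay billing form could carry; a real
# capture would be read off the wire rather than assumed.
SENSITIVE_FIELDS = {"ssn", "cardnumber", "cvv", "bankaccount", "password"}


def parse_http_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes of a pipelined capture are ignored.
    length = int(headers.get("content-length", len(body)))
    return {"method": parts[0], "target": parts[1],
            "headers": headers, "body": body[:length]}


def inspect(raw: bytes) -> Dict[str, object]:
    """Return a verdict: does the request go to the C2 host, and what does it carry?"""
    req = parse_http_request(raw)
    if req is None:
        return {"match": False, "reason": "not a parseable HTTP request"}
    headers = req["headers"]
    host = headers.get("host", "").split(":")[0].lower()
    if host != C2_HOST:
        return {"match": False, "reason": f"host {host!r} is not {C2_HOST}"}
    fields: Dict[str, List[str]] = {}
    if (req["method"] == "POST"
            and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    # Report field names only; the values are the victim's PII and stay out of the log.
    return {"match": True, "method": req["method"], "target": req["target"],
            "fields": sorted(fields), "sensitive": sorted(f for f in fields if f in SENSITIVE_FIELDS)}


# Constructed sample request (not a real capture). "/verify.cgi" is a placeholder
# for the server-side script, whose real name the description does not give.
_BODY = "name=Jane+Doe&address=1+Main+St&ssn=000-00-0000&cardnumber=4111111111111111&cvv=123"
SAMPLE_EXFIL = (
    b"POST /verify.cgi HTTP/1.0\r\n"
    b"Host: www.csk2.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + f"Content-Length: {len(_BODY)}\r\n\r\n{_BODY}".encode("latin-1")
)

# Constructed benign request to show the negative case.
SAMPLE_BENIGN = b"GET /signin HTTP/1.0\r\nHost: www.ebay.com\r\n\r\n"


if __name__ == "__main__":
    for sample in (SAMPLE_EXFIL, SAMPLE_BENIGN):
        print(inspect(sample))
```

The same Host-header match is what a proxy or IDS rule for this worm keys on; the parser above is only needed when reconstructing what was actually sent from a capture.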

Symptoms

  • Affected systems will have the registry keys and files described in the "Method of Infection" section.
  • The KaZaa shared folder contains a dropped file named "Mayacrack.exe"
  • The eMule incoming folder contains a dropped file named "3dsmaxcrack.exe"

Method of Infection

The worm may arrive either by email attachment or via P2P download. 

Upon execution by the user, the worm installs itself onto the victim machine as:

  • C:\WINDOWS\MSFIND32.EXE
  • C:\EBAYVERIFY.EXE

(C:\WINDOWS\ is hardcoded in the worm, it does not use %WinDir%.)

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSFind32" = C:\WINDOWS\MSFIND32.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "MSFind32" = C:\WINDOWS\MSFIND32.EXE
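The dropped files, the P2P share copies and the two autostart values above are the host-side indicators for this worm, and because the worm hardcodes C:\WINDOWS\ they can be checked as literal paths. The following added example (not McAfee code) is a triage script that checks a host for those indicators; it takes the file-existence check and a registry snapshot as inputs so it can be run against a constructed sample state, and on Windows it reads the live HKLM Run/RunOnce keys via the standard winreg module. Function and variable names are the example's own; the indicator values are those given on this page.

```python
"""Host triage for the W32/Cayam.worm!p2p indicators listed on this page.

Added example, not McAfee code. Indicator values come from the description;
the function names, the snapshot format and SAMPLE_* data are this example's.
"""
import os
import sys
from typing import Callable, Dict, List, Tuple

# File indicators from "Method of Infection" and "P2P Propagation". The worm
# hardcodes C:\WINDOWS\ instead of %WinDir%, so the paths are checked literally
# (case-insensitively, as the Windows file systems resolve them).
DROPPED_FILES = [
    r"C:\WINDOWS\MSFIND32.EXE",
    r"C:\EBAYVERIFY.EXE",
    r"C:\Program Files\KazAa\My Shared Folder\Mayacrack.exe",
    r"C:\Program Files\eMule\Incoming\3dsmaxcrack.exe",
]

# Autostart indicators under HKLM: (key path, value name, documented data).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
AUTOSTART_VALUES = [
    (RUN_KEY, "MSFind32", r"C:\WINDOWS\MSFIND32.EXE"),
    (RUNONCE_KEY, "MSFind32", r"C:\WINDOWS\MSFIND32.EXE"),
]

RegistrySnapshot = Dict[Tuple[str, str], str]  # (key path, value name), lower-cased -> data


def triage(file_exists: Callable[[str], bool], registry: RegistrySnapshot) -> List[str]:
    """Return one finding per matched indicator; an empty list means clean."""
    findings: List[str] = []
    for path in DROPPED_FILES:
        if file_exists(path):
            findings.append(f"file present: {path}")
    for key, name, expected in AUTOSTART_VALUES:
        data = registry.get((key.lower(), name.lower()))
        if data is None:
            continue
        # The value name is the strong signal; flag data that points somewhere
        # other than the documented path, which would suggest a variant.
        note = "" if data.strip('"').lower() == expected.lower() else " (unexpected data)"
        findings.append(f"autostart HKLM\\{key}\\{name} = {data}{note}")
    return findings


def snapshot_live_registry() -> RegistrySnapshot:
    """Read the two Run keys from the live HKLM hive (Windows only; empty elsewhere)."""
    snap: RegistrySnapshot = {}
    if sys.platform != "win32":
        return snap
    import winreg  # standard library, importable only on Windows
    for key in (RUN_KEY, RUNONCE_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values
                    snap[(key.lower(), name.lower())] = str(data)
                    index += 1
        except OSError:
            pass  # key absent or not readable with current privileges
    return snap


# Constructed sample state (not a real host): both dropped files and the Run
# value present, the RunOnce value already consumed by an earlier boot.
SAMPLE_FILES = {p.lower() for p in (r"C:\WINDOWS\MSFIND32.EXE", r"C:\EBAYVERIFY.EXE")}
SAMPLE_REGISTRY: RegistrySnapshot = {
    (RUN_KEY.lower(), "msfind32"): r"C:\WINDOWS\MSFIND32.EXE",
}


def sample_triage() -> List[str]:
    """Run the triage against the constructed sample state."""
    return triage(lambda p: p.lower() in SAMPLE_FILES, SAMPLE_REGISTRY)


if __name__ == "__main__":
    if sys.platform == "win32":
        results = triage(os.path.exists, snapshot_live_registry())
    else:
        results = sample_triage()
    print("\n".join(results) or "no indicators found")
```

On a live Windows host the script needs read access to HKLM and the C:\ root; the RunOnce value will usually be gone after the first reboot, so its absence alone does not indicate a clean system.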

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
