Security vendor Panda Software is reporting the appearance of Eyeveg.D, a new kind of hybrid malware species with both worm and Trojan features, which could be used to steal confidential information, such as banking information, personal details or other information entered in Web registration forms.

Eyeveg.D is a sophisticated hybrid with two sides to it: it carries out Trojan actions against the infected computer, and acts as a worm to spread. This type of hybrid of two malware species is becoming more and more common, as malware creators look for increased capabilities and versatility in their creations, according to the vendor.


Eyeveg.D installs on the system through a DLL file and an EXE executable file, each with a random name (which makes identification and disinfection more difficult), and modifies keys in the Windows Registry to ensure it is run on every system startup. Once run, Eyeveg.D tries to go unnoticed by users by keeping its process from being displayed in the Task List. However, this only works on Windows 9x (95, 98 and Millennium) systems.

Eyeveg.D's Trojan actions start by loading the DLL file as a plugin (or additional component) of the browser, taking advantage of one of the browser's features. This allows the malware to capture events and actions carried out on the computer, as well as user session properties. In this way, it manages to log to a file every user attempt to send information to remote servers through secure servers, as found on banking web pages.
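A triage sketch for the two footholds described above, the startup registry entry for the EXE and the DLL loaded into the browser. This is an added example, not code from Panda Software; it assumes the "plugin" is registered as an Internet Explorer Browser Helper Object (the article does not name the mechanism) and that PowerShell 3 or later is available. It lists startup programs and browser add-on DLLs that lack a valid Authenticode signature so they can be reviewed by hand.

```powershell
# Added example. Assumption: the browser plugin is an IE Browser Helper Object (BHO).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-SignatureStatus([string]$Path) {
    # Returns the Authenticode status, or a marker when the file cannot be checked.
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'NoPath' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

function Resolve-CommandPath([string]$Command) {
    # Extract the program path from a Run value such as: "C:\dir\app.exe" /arg
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|com|scr))(\s|$)') { return $Matches[1] }
    $expanded.Trim()
}

# Programs started at every logon through the Run keys.
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $path = Resolve-CommandPath ([string]$item.GetValue($name))
        [pscustomobject]@{ Source = 'Run'; Entry = $name; Path = $path
                           Signature = (Get-SignatureStatus $path) }
    }
}

# DLLs the browser loads as helper objects, resolved through their CLSID.
$addons = foreach ($sub in Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue) {
    $clsid  = $sub.PSChildName
    $server = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                       -ErrorAction SilentlyContinue
    $dll = if ($server) { [Environment]::ExpandEnvironmentVariables([string]$server.GetValue('')) } else { '' }
    [pscustomobject]@{ Source = 'BHO'; Entry = $clsid; Path = $dll
                       Signature = (Get-SignatureStatus $dll) }
}

# Anything not validly signed is a candidate for manual review, not a verdict.
@($autoruns) + @($addons) |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Source, Path |
    Format-Table -AutoSize
```

An unsigned entry is not proof of infection; an unsigned startup EXE and an unsigned add-on DLL with meaningless names in the same directory is the pairing that matches the description above.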

This is just another example of phishing, through which Eyeveg.D can gather data such as bank account numbers, passwords, or credit card numbers. This functionality has been confirmed by PandaLabs, which means that attacks on users' accounts could have already started. Similarly, it logs the keystrokes entered by the affected user on the infected computer, compromising their privacy as it steals all sorts of confidential information, from personal emails to bank account information sent to online banking entities.

It also has backdoor features, as it can open a channel to receive commands from a remote user silently, which gives Eyeveg.D great functionality. This malicious code tries to connect to a certain URL, disabling the Windows XP firewall if necessary. Once the connection is established, the affected computer is ready to receive commands, or even files that could correspond to another malware species.

As a worm, the malware has its own mail sending engine, which allows it to look for email addresses in a series of computer files listed in its code and send itself out as a compressed attachment to all of them. Messages sent by Eyeveg.D have the name of the attached file as subject and seem to have been sent by the affected user.

More information can be found at this Panda Software page.