Aliases: Worm.Evan
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 26 Jun 2003
Damage: Low

Characteristics: W32.Evan.Int is a backdoor worm that downloads remote files and lowers the security settings of the compromised computer. Once opened, the worm copies itself to System directory folders under different filenames. It also continuously updates itself and can download programs that help it spread on the infected machine. It propagates through mass mailings sent from the victim machine. The worm causes the computer to crash and then reboot continuously after it crashes.

More details about W32.Evan.Int

The worm duplicates itself into Windows directory folders as the following files: Eva.exe and Vbs.eva.vbs. Its infection routine deletes a .txt file it finds in the current folder and creates a new .exe file with the same filename, with .exe added at the end. The email it sends has the subject “read” and the message body “Hello, I have become infected with a silly vbs/w32 worm... It's making me send everyone emails with it (the worm) attached, so I figured I'd anger it by sending it to you myself...Bye!” The email also carries an attachment with the filename “Eva.exe.”
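The file and mail artifacts described above can be turned into a simple triage check. This is an added example, not part of the original entry; it assumes the replacement routine turns `notes.txt` into `notes.txt.exe`, that the subject is `read` with or without a trailing period, and it uses a constructed sample message.

```python
import os
import sys
from email import message_from_string

# Indicators taken from the description above; compared case-insensitively
# because Windows file names are case-insensitive.
DROPPED_NAMES = {"eva.exe", "vbs.eva.vbs"}
MAIL_ATTACHMENT = "eva.exe"

# Constructed sample message (not a captured one) for exercising message_matches().
SAMPLE_MESSAGE = (
    "From: a@example.com\r\nTo: b@example.com\r\nSubject: read\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nHello\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="Eva.exe"\r\n\r\n'
    "constructed placeholder body\r\n--b1--\r\n"
)


def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            lower = name.lower()
            rel = os.path.relpath(os.path.join(folder, name), root)
            if lower in DROPPED_NAMES:
                findings.append((rel, "dropped-copy name"))
            elif lower.endswith(".txt.exe"):
                # Assumed shape of the routine: notes.txt deleted, notes.txt.exe created.
                gone = lower[:-4] not in present
                reason = "replaced .txt" if gone else "companion .exe beside .txt"
                findings.append((rel, reason))
    return sorted(findings)


def message_matches(raw_message):
    """True if a raw message has the described subject and attachment name."""
    msg = message_from_string(raw_message)
    # Tolerate a trailing period, since the quoted subject is ambiguous about it.
    subject = (msg.get("Subject") or "").strip().lower().rstrip(".")
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return subject == "read" and MAIL_ATTACHMENT in names


if __name__ == "__main__":
    print(message_matches(SAMPLE_MESSAGE))
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Name-based matches are weak indicators on their own; treat a hit as a prompt to inspect the file, not as confirmation of infection.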

This malware allegedly has the ability to open ports that can be used to connect to a specified IRC channel and listen for possible attack commands. It was believed that these attacks may come in the form of Denial of Service (DoS) or Distributed Denial of Service (DDoS). The opened ports may carry both incoming and outgoing transmissions over either TCP or UDP. Users claimed that this malware program resides in the machine's memory to avoid detection. It was reported that the program's application launcher is located in the Windows folder of the machine. There is a possibility that the W32.Evan.Int program runs in the background without any user interface or process in Task Manager. The malware is said to be programmed for Windows operating systems only.