
New Virus and Backdoor: I-Worm.Myparty

Discussion in 'Virus & Other Malware Removal' started by eddie5659, Jan 28, 2002.

  1. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    Hiya

    This is a worm virus spreading via the Internet, attached to infected emails. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), written in Microsoft Visual C++.
    The infected messages have:

    Subject: new photos from my party!
    Body:

    Hello!
    My party... It was absolutely amazing!
    I have attached my web page with new photos!
    If you can please make color prints of my photos. Thanks!

    Attachment: www.myparty.yahoo.com

    The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.
    Installing
    While installing the worm copies itself to:
    c:\regctrl.exe - under WinNT/2K/XP
    c:\recycled\regctrl.exe - under Win9x/ME

    and spawns this copy. If the worm file name is not ".com" (as in the attachment) but ".exe" (the worm is renamed) it also opens the Web page "http://www.disney.com".
    The original file (as it was run from infected email) is moved to the Recycled or Recycler directory with one of the names:

    C:\RECYCLER\F-%1-%2-%3
    C:\RECYCLED\F-%1-%2-%3

    where %1, %2, %3 are randomly selected numbers, for example:
    F-12158-19044-21300
    F-27729-23255-31008

    While installing, the worm checks the keyboard layout set, and if there is Russian keyboard support the worm copies itself to Recycled/Recycler in the same way and exits. It does the same on any date except 25-29 January 2002.
    As a result, the worm works only from 25 till 29 Jan 2002 and only on machines without Russian keyboard support.

    Spreading
    To send infected messages the worm uses a direct SMTP connection to the email server. To get victim email addresses the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).
    The worm also sends one email (without attachment) to "[email protected]".

    Backdoor
    Under WinNT/2000/... the worm also creates a new file in a user's auto-run directory:
    %Userprofile%\Start Menu\Programs\Startup\msstask.exe

    and writes a backdoor program there. This backdoor is driven by data that is stored in a file at the Web site "http://209.151.250.170".


    http://www.avp.ch/avpve/worms/email/myparty.stm

    It's weird, 'cos if I'm reading this right, after the 29th, it dies. Am I reading it right?

    Regards

    eddie
     
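The description above gives four host-side traces the worm leaves (the two regctrl.exe copies, the renamed original as F-%1-%2-%3 in the recycle directory, and msstask.exe in the per-user Startup folder) plus the date and keyboard-layout gating that eddie asks about. The following Python script is an added example, not code from the thread or from the AVP write-up: it turns those traces into a small indicator check over a constructed file listing, and models the activation window so the "it dies after the 29th" reading can be checked directly. The sample listing, the user name "bob" and the profile root are constructed for the example.

```python
import re
from datetime import date
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Host-based indicators taken from the description above: the two locations the
# worm copies itself to, the renamed original in the recycle directory, and the
# backdoor dropped into the NT-family per-user Startup folder.
DROPPED_COPIES = {r"c:\regctrl.exe", r"c:\recycled\regctrl.exe"}
RECYCLE_DIRS = {r"c:\recycled", r"c:\recycler"}
ORIGINAL_NAME_RE = re.compile(r"^f-\d+-\d+-\d+$")   # F-%1-%2-%3
BACKDOOR_NAME = "msstask.exe"
STARTUP_TAIL = ("start menu", "programs", "startup")

# Activation window given in the description (inclusive).
ACTIVE_FROM = date(2002, 1, 25)
ACTIVE_TO = date(2002, 1, 29)


def would_activate(run_date: date, russian_keyboard: bool) -> bool:
    """Model of the gating described above: outside 25-29 Jan 2002, or on a
    machine with Russian keyboard support, the worm only drops a copy of itself
    and exits, so it neither spreads nor installs the backdoor."""
    return ACTIVE_FROM <= run_date <= ACTIVE_TO and not russian_keyboard


def classify_path(path: str) -> Optional[str]:
    """Return which indicator a file path matches, or None for an unrelated file."""
    p = PureWindowsPath(path.lower())
    if str(p) in DROPPED_COPIES:
        return "dropped-copy"
    if str(p.parent) in RECYCLE_DIRS and ORIGINAL_NAME_RE.match(p.name):
        return "moved-original"
    # The Startup check is anchored on the last three directory names so it
    # works whatever the profile root is (constructed assumption: no localised
    # folder names).
    if p.name == BACKDOOR_NAME and tuple(p.parts[-4:-1]) == STARTUP_TAIL:
        return "backdoor"
    return None


def scan_listing(paths: List[str]) -> List[Tuple[str, str]]:
    """Run classify_path over a file listing and collect the matches."""
    hits = []
    for path in paths:
        kind = classify_path(path)
        if kind is not None:
            hits.append((kind, path))
    return hits


# Constructed directory listing for the example; only the worm-related entries
# should be reported.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\cmd.exe",
    r"C:\regctrl.exe",
    r"C:\RECYCLER\F-12158-19044-21300",
    r"C:\RECYCLED\readme.txt",
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\msstask.exe",
]

if __name__ == "__main__":
    for kind, path in scan_listing(SAMPLE_LISTING):
        print(f"{kind:15} {path}")
    print("27 Jan 2002, no Russian layout:", would_activate(date(2002, 1, 27), False))
    print("30 Jan 2002, no Russian layout:", would_activate(date(2002, 1, 30), False))
```

Run as-is it reports the three worm entries and ignores cmd.exe and readme.txt; the two `would_activate` lines print True and False, which is the answer to eddie's question: on the 30th the worm copies itself to the recycle directory and exits without spreading. Note the check only covers the file-system traces named in the description; a machine infected before the 30th still has the Startup-folder backdoor, which is why the "moved-original" and "backdoor" hits matter even after the window has passed.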
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    I received a copy about midday on the 28th.....deleted it as usual.......
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yup, just a flash in the pan -- wonder why they bothered to write it :)
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    So, it was just a waste of time virus? Bit weird.

    Oh, well

    eddie
     
  5. buf

    buf

    Joined:
    Nov 4, 2001
    Messages:
    1,998
    Thanks folks for your posts about this bugger. I think it would be wise for us to inform the "sender" of the email, if known. That sender, in my case, was someone whom I know, and so I will advise them to be sure their virus definitions are up to date and then run a complete scan on their computer(s) and delete any infected files found. We gotta stop this thing quickly even if it does "die" today, January 29!!
     
  6. Peachykeen

    Peachykeen

    Joined:
    May 19, 2001
    Messages:
    300
    Does this virus also use the pics.doc.scr attachment? I got an e-mail from a friend (supposedly) the other day with this attachment and didn't know how many viruses it is associated with. I deleted it without opening it.
    Thanks!!
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    Peachykeen

    Not sure, but any incoming mail that has the attachment .scr is one to be wary of. That's a scripting file.

    Regards

    eddie
     
  8. fireboy69

    fireboy69

    Joined:
    Apr 9, 2001
    Messages:
    101
    .scr is also the extension used for screensavers. As such, though, it is a type of executable file and something to be wary of, as Eddie suggested.
     
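The last three posts turn on one point: Windows picks the program that opens an attachment from its final extension, so "www.myparty.yahoo.com" is a .com executable dressed up as a web address, and "pics.doc.scr" is a screensaver executable dressed up as a document. The Python below is an added example, not code from anyone in the thread, showing the check a mail gateway or a cautious user can apply to attachment names: hold anything whose final extension is executable, and say why. The extension lists are constructed for the example (.com and .scr are the two discussed above; the others are common Windows executable types) and are an assumption, not a complete list.

```python
from typing import Dict, List

# Extensions Windows runs directly when double-clicked. .com and .scr are the
# two discussed in this thread; the rest are a constructed list for the example.
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "bat", "cmd", "pif", "vbs", "js"}

# Extensions a user expects to be harmless, used to spot decoy double
# extensions such as pics.doc.scr (constructed list).
DOCUMENT_LIKE = {"doc", "txt", "jpg", "gif", "pdf", "xls", "htm", "html"}


def attachment_verdict(filename: str) -> Dict[str, object]:
    """Decide whether an attachment name should be held back, and say why.

    Only the final extension counts: Windows chooses the handler from it, so
    'www.myparty.yahoo.com' is a .com executable no matter how much it looks
    like a web address, and 'pics.doc.scr' is a screensaver, not a document.
    """
    name = filename.lower().strip()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{ext} is executable")
        if name.startswith("www."):
            reasons.append("name is styled as a web address")
        if len(parts) > 2 and parts[-2] in DOCUMENT_LIKE:
            reasons.append(f"decoy .{parts[-2]} before the real extension")
    return {
        "filename": filename,
        "extension": ext,
        "hold": bool(reasons),
        "reasons": reasons,
    }


def triage(filenames: List[str]) -> Dict[str, bool]:
    """Map each attachment name to whether it should be held for review."""
    return {f: bool(attachment_verdict(f)["hold"]) for f in filenames}


# Constructed attachment names: the two from this thread plus benign ones.
SAMPLE_ATTACHMENTS = [
    "www.myparty.yahoo.com",
    "pics.doc.scr",
    "holiday.jpg",
    "invoice.pdf",
    "README",
]

if __name__ == "__main__":
    for f in SAMPLE_ATTACHMENTS:
        v = attachment_verdict(f)
        status = "HOLD" if v["hold"] else "pass"
        detail = "; ".join(v["reasons"]) or "no executable extension"
        print(f"{status:4} {f}: {detail}")
```

Run as-is it holds the first two names and passes the rest. The check deliberately ignores everything before the last dot, which is exactly what makes the web-address and double-extension tricks visible; a real gateway would pair this with content-type inspection, since the name can be changed but the PE header inside the attachment cannot.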
Short URL to this thread: https://techguy.org/66841
