VIRUS NAME: W32/MyLife.b@MM
Internet Worm Characteristics
This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:
Subject: bill caricature
Attachment: cari.scr
The following Registry key is added to ensure the worm is executed at subsequent system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win=C:\WINDOWS\SYSTEM\cari.scr
Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:
- *.* from C:\ D:\ E:\ and F:\
- *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM
The most likely scenario for this occurrence is for a system to become infected on one day, and the system files to be deleted the next, when the machine is rebooted or powered on in the morning.
Symptoms
Presence of: cari.scr (41,984 bytes) in the system directory.
Method Of Infection
When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup.
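
An added triage example, not part of the original advisory: it checks a regedit text export and a file listing for the two artifacts described above, a Run value pointing at cari.scr and a cari.scr of 41,984 bytes. The sample export, the sample listing and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "cari.scr"   # file name given in the advisory
WORM_SIZE = 41984        # bytes, from the Symptoms section

# Constructed sample: regedit-style text export of a user's Run key.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win"="C:\\WINDOWS\\SYSTEM\\cari.scr"
"Tray"="C:\\Program Files\\Example\\tray.exe"
'''

# Constructed sample: (path, size in bytes) pairs from a collected file listing.
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\cari.scr", 41984),
                (r"C:\WINDOWS\SYSTEM\user.exe", 264016)]

def parse_reg_values(text, key):
    """Return {value name: string data} for one key in a regedit text export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Key names are case-insensitive in the registry.
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo the export's backslash escaping (\\ -> \, \" -> ").
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                values[name] = data
    return values

def find_indicators(reg_text, files):
    """List advisory artifacts found in the export and the file listing."""
    findings = []
    for name, data in parse_reg_values(reg_text, RUN_KEY).items():
        if PureWindowsPath(data).name.lower() == WORM_FILE:
            findings.append(("run-key", name, data))
    for path, size in files:
        if PureWindowsPath(path).name.lower() == WORM_FILE:
            # A size mismatch is still reported, but flagged as weaker evidence.
            kind = "file-exact-size" if size == WORM_SIZE else "file-name-only"
            findings.append((kind, path, size))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```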