VIRUS
NAME : W32/MyLife.c@MM
Internet
Worm Characteristics
This mass-mailing
worm, written in Visual Basic 6, uses Microsoft Outlook to send itself
to all addresses in the Outlook Address book and addresses on the MSN
Messenger contact list. It arrives in an email containing the following
information:
Subject: The
List
Attachment: LIST.TXT.scr
The attachment is
a UPX packed PE file. When executed on the local machine, a message box
of "error" is displayed whilst the worm copies itself to the
System folder, and uses Outlook to propagate itself to all address found
in the Outlook Address book and addresses on the MSN Messenger contact
list.
The following Registry key is added to ensure the worm is executed at
subsequent system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\sys=C:\WINDOWS\SYSTEM\LIST.TXT.scr
Upon restarting the machine, the worm does not propagate again, and the
message box is not displayed.
Symptoms
Presence of: LIST.TXT.scr (7,680 bytes) in the system directory.
Method
Of Infection
When executed, the worm propagates itself to all addresses found in the
Outlook Address book and addresses on the MSN Messenger contact list,
using Microsoft Outlook. The worm copies itself to the System folder,
modifying the Registry to run this copy at subsequent startup.
|
