VIRUS NAME: W32/MyLife.e@MM
Internet Worm Characteristics
This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook
to send itself to all addresses in the Outlook Address book and addresses
on the MSN Messenger contact list. It arrives in an email containing the
following information:
Subject: sexxxyyy
Screen Saver
Attachment: Screen.scr
The attachment is a UPX-packed PE file. When executed on the local machine,
a message box reading "error" is displayed while the worm copies
itself to the System folder and uses Outlook to propagate itself to all
addresses found in the Outlook Address book and on the MSN Messenger
contact list.
The following registry key is added to ensure the worm is executed at
subsequent system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\screen=C:\WINDOWS\SYSTEM\Screen.scr
The second time the worm is run, it attempts to delete the following files:
- C:\*.*
- D:\*.*
- E:\*.*
- F:\*.*
- G:\*.*
- C:\My Documents\*.*
- All *.sys, *.exe, and *.ini files from the WINDOWS directory
- All *.sys and *.vxd files from the SYSTEM directory
The worm also sends a message with the following information:
To: zary2000@email.com
Subject: New Screen Saver
Body: New NeverHood buy
Symptoms
Presence of the file Screen.scr (11,776 bytes) in the Windows System directory.
Method Of Infection
When executed, the worm propagates itself to all addresses found in the
Outlook Address book and addresses on the MSN Messenger contact list,
using Microsoft Outlook. The worm copies itself to the System folder,
modifying the Registry to run this copy at subsequent startup.
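
The indicators listed above (mail subject, attachment name, Run value and
file size) can be checked mechanically. The following is an added example,
not part of the original description: the function names, the inventory
dictionaries and the sample message are assumptions constructed for
illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECT = "sexxxyyy"
ATTACHMENT = "screen.scr"
RUN_VALUE = "screen"
FILE_SIZE = 11776  # bytes, from the Symptoms section


def mail_indicators(raw: bytes) -> list:
    """Return which of the worm's mail indicators a raw message carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if ATTACHMENT in names:
        hits.append("attachment")
    return hits


def host_indicators(run_values: dict, system_files: dict) -> list:
    """Check a host inventory (assumed to be gathered by the caller).

    run_values: value name -> data under HKCU ...\\CurrentVersion\\Run
    system_files: file name -> size in bytes in the Windows System directory
    """
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE and data.lower().endswith("\\" + ATTACHMENT):
            hits.append("run-key")
    for name, size in system_files.items():
        if name.lower() == ATTACHMENT:
            hits.append("file" if size == FILE_SIZE else "file-size-differs")
    return hits


def constructed_sample() -> bytes:
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = "sexxxyyy"
    m["To"] = "user@example.com"
    m.set_content("Screen Saver")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="Screen.scr")
    return m.as_bytes()
```

A Screen.scr in the System directory whose size differs from 11,776 bytes is
reported separately, since it may be an unrelated file or a different variant.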