Murray,
Your sharpness and curiosity are amazing. I do not open attachments
anymore unless I am 100% certain.
Emily
----- Original Message -----
From: "Murray Charters" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Wednesday, January 30, 2002 1:04 AM
Subject: ALERT!!! Look Out For The Party Pics WORM!


> Hi All,
> I just received the following E-Mail ...
>
> * * *
>
> Hello!
>
> My party... It was absolutely amazing!
> I have attached my web page with new photos!
> If you can please make color prints of my photos. Thanks!
>
> * * *
>
> Since I was not expecting Pictures and since the e-mail
> was not signed, I immediately looked on the wwweb!
>
> Party Pics You Don't Want To See
> MyParty worm uses Uuencoded attachment, mass-mails
>
> Discovered on the night of January 27, 2002, MyParty
> is a mass-mailing email worm that employs a Uuencoded PE
> attachment disguised as a Yahoo!® web address.
>
> The message arrives in an email with the following
> characteristics:
>
> Subject: new photos from my party!
>
> Body:   Hello!
>
>    My party... It was absolutely amazing!
>    I have attached my web page with new photos!
>    If you can please make color prints of my photos.
>    Thanks!
>
> Attachment:   www.myparty.yahoo.com
>
> The attachment is not really an attached webpage.
> Instead, it is a .COM file attachment type
> with malicious intent.
>
> According to antivirus vendor F-secure, the worm appeared
> to originate in Russia and spread to Singapore and various
> Asian countries, before worming its way into the rest of Europe
> and the United States.
>
> On non-Russian versions of NT/2000/XP, the MyParty worm
> installs a backdoor access Trojan that is controlled by a script
> residing on a remote website. MyParty uses its own SMTP
> routines to send the email, an activity that most firewalls
> should detect.
>
> The MyParty worm checks the system date and if prior to
> January 25, 2002 it copies itself to the Recycle Bin folder
> and takes no further action. However, on dates between
> the 25th and the 29th, the worm performs the following:
>
> Checks keyboard layout to determine nationality. If Russian,
> the worm copies itself to the Recycle Bin and takes no further
> action. If non-Russian and an NT/2000/XP system,
> a backdoor is copied as MSSTASK.EXE to the current
> user's profile startup folder.
>
> If the system is Windows 95 or 98, the worm copies itself
> to the Recycle Bin as REGCTRL.EXE.
>
> If Windows NT/2000/XP, the file is copied to the root of C:\
> instead.
>
> Once copied, the worm opens the browser and launches the
> www.disney.com page and then starts the REGCTRL.EXE file,
> which then obtains the infected user's SMTP server address
> and email address from the Registry, as well as addresses
> found in the Windows Address book and .DBX file.
>
> MyParty mass-mails itself to all addresses found and also
> sends a message to the address [log in to unmask]
>
> On NT, when the mass-mailing is complete, the worm moves
> its file to the Recycle Bin and activates the installed backdoor
> (MSSTASK.EXE).
>
> Removal Instructions
> Windows 9x users should restart the system and scan with
> antivirus software updated after January 27th, 2002.
>
> Delete any files found infected with the MyParty worm
> unless reported in an email database file (locate the individual
> email and delete it instead).
>
> Windows NT/2000/XP users should first open Task Manager
> (press CTRL and ALT keys, hold them down and press the
> DEL key, then select Task Manager). Select Processes,
> locate MSSTASK.EXE, right-click the name and choose
> End Process.
>
> Next, search your drive for any instances of MSSTASK.EXE
> and delete it. Finally, scan with antivirus software updated
> after January 27th, 2002. Delete any files found infected
> with the MyParty worm unless reported in an email database
> file (locate the individual email and delete it instead).
>
> SOURCE: Mary Landesman - Antivirus About Site...
> http://antivirus.about.com/library/weekly/aa012702a.htm
>
> * * *
>
> ----------------------------------------------------------------------
> To sign-off Parkinsn send a message to: mailto:[log in to unmask]
> In the body of the message put: signoff parkinsn
>
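
As an added example (not part of the original messages or the cited article): the disguise described above, an executable .COM file named like a web address and carried as a uuencoded attachment, is something a mail filter can flag. The extension list, function names and sample message below are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Extensions Windows runs directly (illustrative subset, an assumption).
EXECUTABLE_EXTS = {".com", ".exe", ".pif", ".scr", ".bat", ".cmd"}
# "begin <mode> <name>" opens a uuencoded file embedded in plain text.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$", re.MULTILINE)
# A file name that reads like a hostname, e.g. www.example.com
HOSTNAME_LIKE = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$", re.IGNORECASE)


def attachment_names(raw_message):
    """Yield (name, encoding) for MIME attachments and inline uuencoded files."""
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name:
            yield name, "mime"
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=False)
            if isinstance(payload, str):
                for match in UU_BEGIN.finditer(payload):
                    yield match.group(1).strip(), "uuencode"


def suspicious_attachments(raw_message):
    """Return (name, encoding, reason) for attachments with executable extensions."""
    findings = []
    for name, encoding in attachment_names(raw_message):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        reason = "executable extension " + ext
        if ext == ".com" and HOSTNAME_LIKE.match(name):
            reason += ", name imitates a web address"
        findings.append((name, encoding, reason))
    return findings


# Constructed sample: subject and attachment name as quoted in the alert, no payload.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: new photos from my party!\n\n"
    "Hello!\n\n"
    "begin 644 www.myparty.yahoo.com\n"
    "(constructed placeholder, no payload)\n"
    "end\n"
)

if __name__ == "__main__":
    for finding in suspicious_attachments(SAMPLE):
        print(finding)
```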
