Hi All,
I just received the following E-Mail ...

* * *

Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

* * *

Since I was not expecting pictures and since the e-mail
was not signed, I immediately looked on the wwweb!

Party Pics You Don't Want To See
MyParty worm uses Uuencoded attachment, mass-mails

Discovered on the night of January 27, 2002, MyParty
is a mass-mailing email worm that employs a Uuencoded PE
attachment disguised as a Yahoo!® web address.

The message arrives in an email with the following
characteristics:

Subject: new photos from my party!

Body:   Hello!

   My party... It was absolutely amazing!
   I have attached my web page with new photos!
   If you can please make color prints of my photos.
   Thanks!

Attachment:   www.myparty.yahoo.com

The attachment is not really an attached webpage.
Instead, it is a .COM file attachment type
with malicious intent.

According to antivirus vendor F-secure, the worm appeared
to originate in Russia and spread to Singapore and various
Asian countries, before worming its way into the rest of Europe
and the United States.

On non-Russian versions of NT/2000/XP, the MyParty worm
installs a backdoor access Trojan that is controlled by a script
residing on a remote website. MyParty uses its own SMTP
routines to send the email, an activity that most firewalls
should detect.

The MyParty worm checks the system date and if prior to
January 25, 2002 it copies itself to the Recycle Bin folder
and takes no further action. However, on dates between
the 25th and the 29th, the worm performs the following:

Checks keyboard layout to determine nationality. If Russian,
the worm copies itself to the Recycle Bin and takes no further
action. If non-Russian and an NT/2000/XP system,
a backdoor is copied as MSSTASK.EXE to the current
user's profile startup folder.

If the system is Windows 95 or 98, the worm copies itself
to the Recycle Bin as REGCTRL.EXE.

If Windows NT/2000/XP, the file is copied to the root of C:\
instead.

Once copied, the worm opens the browser and launches the
www.disney.com page and then starts the REGCTRL.EXE file,
which then obtains the infected user's SMTP server address
and email address from the Registry, as well as addresses
found in the Windows Address book and .DBX file.

MyParty mass-mails itself to all addresses found and also
sends a message to the address [log in to unmask].

On NT, when the mass-mailing is complete, the worm moves
its file to the Recycle Bin and activates the installed backdoor
(MSSTASK.EXE).

Removal Instructions
Windows 9x users should restart the system and scan with
antivirus software updated after January 27th, 2002.

Delete any files found infected with the MyParty worm
unless reported in an email database file (locate the individual
email and delete it instead).

Windows NT/2000/XP users should first open Task Manager
(press CTRL and ALT keys, hold them down and press the
DEL key, then select Task Manager). Select Processes,
locate MSSTASK.EXE, right-click the name and choose
End Process.

Next, search your drive for any instances of MSSTASK.EXE
and delete it. Finally, scan with antivirus software updated
after January 27th, 2002. Delete any files found infected
with the MyParty worm unless reported in an email database
file (locate the individual email and delete it instead).

SOURCE: Mary Landesman - Antivirus About Site...
http://antivirus.about.com/library/weekly/aa012702a.htm

* * *

----------------------------------------------------------------------
To sign-off Parkinsn send a message to: mailto:[log in to unmask]
In the body of the message put: signoff parkinsn
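The article above describes the trick MyParty relies on: a uuencoded attachment whose name looks like a web address but ends in .COM, a Windows executable extension. The following is an added example, not code from the post or from the About.com article, showing how a mail filter could catch that pattern: it pulls uuencoded blocks out of a message, decodes them, and flags attachments with an executable extension, a hostname-like name, or a payload that begins with the MZ executable signature. The sample message, the attachment bytes and the function names are all constructed for this example.

```python
import binascii
import re

# Constructed payload: starts with the "MZ" executable signature; not the
# real worm, just enough bytes to look like a DOS/PE file header.
SAMPLE_PAYLOAD = b"MZ" + bytes(62) + b"PE\0\0" + b"constructed-fake-pe-body"

def build_sample_message():
    """Build a constructed message carrying the payload as a uuencoded attachment."""
    lines = ["begin 644 www.myparty.yahoo.com"]
    for i in range(0, len(SAMPLE_PAYLOAD), 45):        # uuencode takes <= 45 bytes per line
        lines.append(binascii.b2a_uu(SAMPLE_PAYLOAD[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "Subject: new photos from my party!\n\nHello!\n\n" + "\n".join(lines) + "\n"

EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat"}
HOSTNAME_LIKE = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$", re.I)
BEGIN_RE = re.compile(r"^begin [0-7]{3} (.+)$")

def extract_uu_attachments(text):
    """Return (name, decoded_bytes) for every 'begin ... end' uuencoded block in text."""
    results, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name, data, i = m.group(1).strip(), bytearray(), i + 1
        while i < len(lines) and lines[i] != "end":
            if lines[i] and lines[i] != "`":            # "`" is the empty terminator line
                data += binascii.a2b_uu(lines[i])
            i += 1
        results.append((name, bytes(data)))
        i += 1                                          # skip the "end" line
    return results

def classify_attachment(name, data):
    """Return the list of reasons this attachment looks dangerous (empty if none)."""
    reasons = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if HOSTNAME_LIKE.match(name):
            reasons.append("name mimics a web address")
    if data[:2] == b"MZ":
        reasons.append("payload starts with MZ (DOS/PE executable header)")
    return reasons

def scan_message(text):
    """Map each uuencoded attachment name in the message to its list of findings."""
    return {name: classify_attachment(name, data) for name, data in extract_uu_attachments(text)}
```

Running `scan_message(build_sample_message())` reports all three findings for the www.myparty.yahoo.com attachment, while an ordinary photo such as photo.jpg with JPEG bytes produces none.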