FRISK Software International


Summary of W32/MyLife
Alias: I-Worm.Mylife, Caric, Cari
Discovered: 7 Mar 2002
Definition files: 7 Mar 2002
 

Brief Description
Mylife is a simple mass-mailer written in Visual Basic and packed with the UPX file compressor.


Technical Description

This worm usually arrives as an e-mail attachment named 'My Life.scr'. When a user clicks on the attachment, the worm is activated. It shows a picture, installs itself to the system (into the Windows System folder) as My Life.scr and adds its startup key to the Registry.

The worm sends itself to all recipients in an infected user's Outlook Address Book with the following message:

  From: name-of-infected-user
  To: random-name-from-address-book
  Subject: my life ohhhhhhhhhhhhh


  Hiiiii
  How are youuuuuuuu?
  look to the digital picture it's my love
  vvery verrrry ffffunny :-)
  my life = my car
  my car = my house


  Attachment: My Life.scr

The worm has a payload - it can delete files with the following extensions:

 *.sys, *.com (from C:\ folder)
 *.com, *.sys, *.ini, *.exe (from Windows folder)
 *.sys, *.vxd, *.exe, *.dll (from Windows System folder)

The payload has a trigger: it checks whether some variable is equal to or greater than 45 and activates if it is.

VARIANT: Mylife.B

This worm variant was found on the 22nd of March 2002. It quickly spread to many areas in Asia and Australia.

The worm is a PE executable file written in Visual Basic and compressed with the UPX file compressor.

The worm spreads via Outlook, sending itself to every address found in the address book. The worm also gets e-mail addresses from the user's MSN Messenger database.

Messages sent by Mylife.B look like this:

  From: name-of-infected-user
  To: random-name-from-address-book
  Subject: bill caricature
  Body:


  Hiiiii
  How are youuuuuuuu?
  look to bill caricature it's vvvery verrrry
  ffffunny :-) :-)
  i promise you will love it? ok
  buy
  ========No Viruse Found========
  MCAFEE.COM
  ----------------------------


Do note the poor attempt to make the e-mail look like it has been scanned by a gateway virus scanner and announced clean.

After the user clicks on the attachment CARI.SCR, an image is shown on-screen.

After first activation, the worm copies itself to the Windows System directory as CARI.SCR and adds a startup key for its file to the Registry:

 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "win" = "%SysDir%\cari.scr"


where %SysDir% is the Windows System folder.
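A host-side check for the startup entry described above, as an added example that is not part of the original write-up: it parses the text printed by `reg query` for the Run key and flags values that start a screensaver file. The sample output is constructed, and the parser assumes each value appears on one indented line as name, type and data.

```python
import ntpath
import re

# One value line of `reg query` output: indented name, REG_* type, data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# File names the write-up says the worm drops in the Windows System folder.
DROPPED = {"cari.scr", "my life.scr"}


def suspicious_autoruns(reg_query_output: str) -> list:
    """Return (value name, path, reason) for Run entries worth a closer look."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        data = m["data"].strip()
        # A quoted command keeps its path inside the quotes; drop arguments.
        path = data[1:].split('"', 1)[0] if data.startswith('"') else data
        base = ntpath.basename(path).lower()
        if base in DROPPED:
            hits.append((m["name"], path, "mylife-dropped-file"))
        elif base.endswith(".scr"):
            # A screensaver has no reason to be started from a Run key.
            hits.append((m["name"], path, "screensaver-in-run-key"))
    return hits


# Constructed sample: the paths and the first two entries are invented.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    "C:\Program Files\Example\update.exe" /quiet
    win    REG_SZ    C:\WINDOWS\SYSTEM\cari.scr
"""

if __name__ == "__main__":
    for name, path, reason in suspicious_autoruns(SAMPLE):
        print(f"{reason}: {name} -> {path}")
```
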

The worm has a payload. After spreading, the worm can delete files with the following extensions:

 *.sys   (Windows directory)
 *.vxd, *.sys, *.ocx, *.nls (Windows System directory)

The worm can also delete all files from the following locations:

 c:\*.*  (root directory of c:\ drive)
 d:\*.*  (root directory of d:\ drive)
 e:\*.*  (root directory of e:\ drive)
 f:\*.*  (root directory of f:\ drive)

The payload is time-triggered and only works if the hour value is equal to 8 and if the worm's file CARI.SCR is already present in the Windows System directory.

The payload usually renders an infected system inoperable.

VARIANT: Mylife.F

The Mylife.F worm was found in the wild on April 2nd, 2002. The largest infections are currently in Australia and the UK.

This variant is spreading in messages which look like this:

  From: name-of-infected-user
  Subject: the list
  Body:

  Hiiiii
  How are youuuuuuuu?
  look to the notepad it's vvvery verrrry ffffunny :-) :-)
  i promise you will love it :-)
  Notepad = list
  list = 37
  buyyyy

  ========No Viruse Found========
  MCAFEE.COM
  --------------------------------

  Attachment: List480.TXT.scr
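A mail-gateway triage sketch built from the three message templates quoted above, as an added example that is not part of the original write-up: it reports which of the described traits a message carries (subject line, forged scanner banner, executable or double-extension attachment). The `triage` and `build_sample` names, the extension lists and the sample messages are assumptions made for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the message templates quoted above.
SUBJECT = re.compile(r"^(my life oh+|bill caricature|the list)$", re.I)
FAKE_BANNER = re.compile(r"=+\s*No Viruse Found\s*=+", re.I)
# File types Windows runs directly; a .scr screensaver is an ordinary PE file.
EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat")
# Harmless-looking extension placed before the real one (List480.TXT.scr).
DECOY = re.compile(r"\.(txt|jpg|gif|doc|bmp)\.[a-z0-9]{2,4}$", re.I)


def triage(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message matches the Mylife pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT.match((msg["Subject"] or "").strip()):
        reasons.append("known-subject")  # weak alone: "the list" is common
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_BANNER.search(body.get_content()):
        reasons.append("fake-scanner-banner")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(EXEC_EXT):
            reasons.append("executable-attachment:" + name)
        if DECOY.search(name):
            reasons.append("double-extension:" + name)
    return reasons


def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.test", "bob@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real sample",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    text = "Hiiiii\n========No Viruse Found========\nMCAFEE.COM\n"
    print(triage(build_sample("the list", text, "List480.TXT.scr")))
    print(triage(build_sample("the list", "groceries", "list.txt")))
```

A gateway would quarantine on the attachment reasons and treat the subject match only as supporting evidence, since the benign second sample also matches it.
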




[Analysis: Alexey Podrezov, Katrin Tocheva, Mikko Hypponen, Gergely Erdelyi; F-Secure Corp.; March 7-22, 2002]
 

