W32/Myparty.A@mm is an e-mail worm written in C++ that spreads via an infected attachment to e-mail messages. The infected message has the following characteristics:
Subject: new photos from my party!
Attachment name: www.myparty.yahoo.com
Message body:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
The name of the attachment suggests that it is a link to a webpage, but it is not. It is an executable file with the .COM extension. Some e-mail clients may in fact display it as a URL, and users of those e-mail clients should be especially alert to this attachment.
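A mail-gateway check for this disguise, as an added example that is not part of the original description: it flags attachments whose extension is executable and notes when the filename also reads like a web address. The extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions Windows runs directly when opened (assumed list; extend as needed).
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# A filename made of three or more dot-separated labels reads like a hostname.
HOSTNAME_LIKE = re.compile(r"^([a-z0-9-]+\.){2,}[a-z0-9-]+$", re.IGNORECASE)


def inspect_attachments(raw: bytes) -> list:
    """Return (filename, reasons) for each attachment that should be quarantined."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable-extension"]
        # ".com" is both a top-level domain and a DOS executable extension,
        # so the name can look like a link while still being a program.
        if HOSTNAME_LIKE.match(name):
            reasons.append("filename-looks-like-url")
        findings.append((name, reasons))
    return findings


def build_sample(filename: str) -> bytes:
    """Constructed test message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "new photos from my party!"
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg.set_content("Hello!")
    msg.add_attachment(b"placeholder, not a program", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("www.myparty.yahoo.com", "photos.jpg", "setup.exe"):
        print(name, "->", inspect_attachments(build_sample(name)))
```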
W32/Myparty.A@mm is designed to only spread between the 25th and 29th of January. If it finds that the date is something else, it moves itself to:
C:\Recycled-F-[random digits]-[random digits]-[random digits]
and shuts down. If the date is appropriate, it continues its operation without delay. W32/Myparty.A@mm also shuts down if it finds that the keyboard layout setting is Russian.
If these requirements are met, it copies itself as REGCTRL.EXE to the recycle bin directory if the operating system is Windows 9x, or to the C: directory if the infected machine is running NT/2000/XP. It then executes the .EXE file to start its operations.
In addition, W32/Myparty.A@mm drops a Trojan backdoor on infected systems running Windows NT/2000/XP. This Trojan connects to a certain webpage, allowing control to be taken of the infected machine.
The worm finally sends a message to a certain e-mail address, allowing someone, probably its creator, to keep track of the worm's spread.
W32/Myparty.A@mm is detected by F-Prot Antivirus™ using virus signature files dated January 28th or newer.