FRISK Software International

Summary of W32/Myparty.A@mm
Alias:Myparty, W32.Myparty.
Length: approx 29KB
Discovered: 28 Jan 2002
Definition files: 28 Jan 2002
Risk Level: Medium
Infection Method: Mass mailing.
Jump to:
Brief description
Technical description

Brief Description

Myparty is a mass-mailer using its own SMTP engine to spread copies of itself. It harvests the address books used by Microsoft Outlook and Microsoft Outlook Express for e-mail addresses, as well as the mail folders of Outlook Express. W32/Myparty.A@mm then sends copies of itself to the e-mail addresses found.

Technical Description

W32/Myparty.A@mm is an e-mail worm written in C++ and spreads via infected attachment to e-mail messages. The infected message's characteristics are the following:

Subject: new photos from my party!

Attachments name:

Message body:


  My party... It was absolutely amazing!
  I have attached my web page with new photos!
  If you can please make color prints of my photos. Thanks!

The name of the attachment hints that it is a link to a webpage, but it is not. It is an executable file with the .COM ending. Some e-mail clients may in fact display it as being an URL, and users of those e-mail client should be especially alert to this attachment.

W32/Myparty.A@mm is designed to only spread between the 25th and 29th of January. If it find that the date is something else it moves itself to:

C:\Recycled-F-[random digits]-[random digits]-[random digits]

and shuts down. If the date is appropriate it continues it operation without delay. W32/Myparty.A@mm also shuts down if it finds that the keyboard layout setting is Russian.

If these requirements are met it copies itself as: REGCTRL.EXE, to the recycle bin directory if the operating system is Windows 9x but to the C: directory if it the infected machine is running on NT/2000/XP. It then executes the .EXE file to start its operations.

W32/Myparty.A@mm drops in addition a Trojan backdoor on infected systems running Windows NT/2000/XP. This Trojan connects to a certain webpage allowing control to be taken of the infected machine.

The worm finally sends a message to a certain e-mail address, allowing someone, probably its creator, to keep track of the worm's spread.

W32/Myparty.A@mm is detected by F-Prot Antivirus™ using the virus signature files since January 28th or newer.

FRISK Software International's Viruslab Team

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)