FRISK Software International


Summary of W32/Myparty.A@mm
Alias: Myparty, W32.Myparty.
Length: approx 29KB
Discovered: 28 Jan 2002
Definition files: 28 Jan 2002
Risk Level: Medium
Distribution: Medium
Infection Method: Mass mailing.
 

Brief Description

Myparty is a mass-mailer using its own SMTP engine to spread copies of itself. It harvests the address books used by Microsoft Outlook and Microsoft Outlook Express for e-mail addresses, as well as the mail folders of Outlook Express. W32/Myparty.A@mm then sends copies of itself to the e-mail addresses found.



Technical Description

W32/Myparty.A@mm is an e-mail worm written in C++ that spreads via an infected attachment to e-mail messages. The infected message has the following characteristics:

Subject: new photos from my party!

Attachment name: www.myparty.yahoo.com

Message body:

  Hello!

  My party... It was absolutely amazing!
  I have attached my web page with new photos!
  If you can please make color prints of my photos. Thanks!

The name of the attachment suggests that it is a link to a webpage, but it is not. It is an executable file with the .COM extension. Some e-mail clients may in fact display it as a URL, and users of those e-mail clients should be especially alert to this attachment.
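A mail-gateway check for the disguise described above, as an added example that is not part of the original advisory: it flags attachments whose final extension is executable and singles out .COM files named like a web address. The extension list, the host-name pattern and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_string
from email.message import Message

# Extensions Windows runs directly (assumed list); ".com" is the one this worm uses.
EXECUTABLE_EXTS = {".com", ".exe", ".pif", ".scr", ".bat"}
# Assumed heuristic: a filename shaped like a host name, e.g. "www.example.com".
HOSTLIKE = re.compile(r"^(www\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def suspicious_attachments(msg: Message) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment a gateway should block."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        name = name.strip().rstrip(". ")  # Windows ignores trailing dots and spaces
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        if ext == ".com" and HOSTLIKE.match(name):
            findings.append((name, "executable .COM file named like a web address"))
        else:
            findings.append((name, "executable attachment"))
    return findings

# Constructed sample message; subject and attachment name are taken from the advisory.
SAMPLE = """\
From: sender@example.org
Subject: new photos from my party!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello!
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.myparty.yahoo.com"

placeholder-bytes
--b1--
"""

if __name__ == "__main__":
    for name, reason in suspicious_attachments(message_from_string(SAMPLE)):
        print(f"{name}: {reason}")
```

The check keys on the filename's last extension rather than on how a mail client renders it, so it does not depend on the client displaying the name as a link.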

W32/Myparty.A@mm is designed to spread only between the 25th and 29th of January. If it finds that the date is outside this range, it moves itself to:

C:\Recycled-F-[random digits]-[random digits]-[random digits]

and shuts down. If the date is appropriate, it continues its operation without delay. W32/Myparty.A@mm also shuts down if it finds that the keyboard layout setting is Russian.

If these requirements are met, it copies itself as REGCTRL.EXE to the recycle bin directory if the operating system is Windows 9x, or to the C: directory if the infected machine is running NT/2000/XP. It then executes the .EXE file to start its operations.

In addition, W32/Myparty.A@mm drops a Trojan backdoor on infected systems running Windows NT/2000/XP. This Trojan connects to a certain webpage, allowing control to be taken of the infected machine.

The worm finally sends a message to a certain e-mail address, allowing someone, probably its creator, to keep track of the worm's spread.

W32/Myparty.A@mm is detected by F-Prot Antivirus™ using virus signature files dated January 28th or newer.



FRISK Software International's Viruslab Team
 

