Email-Worm.Win32.Myparty

Detect Date 01/29/2002
Class Email-Worm
Platform Win32
Description

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++.

Infected messages appear as follows:

The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.

Installing

While installing, the worm copies itself to:

c:\regctrl.exe – under Win9x/ME

c:\recycled\regctrl.exe – under WinNT/2K/XP

and spawns this copy. When the worm’s file name extension is not “.com” (as in the attachment), but rather “.exe” (the worm has been renamed), it also opens the Web page “http://www.disney.com”.

The original file (as it was run from an infected e-mail) is moved to the Recycled or Recycler directory with one of the following names:

C:\RECYCLER\F-%1-%2-%3

C:\RECYCLED\F-%1-%2-%3

where %1, %2, %3 are randomly selected numbers, for example:

F-12158-19044-21300

F-27729-23255-31008

While installing, the worm checks the installed keyboard layouts, and when there is Russian keyboard support, the worm copies itself to Recycled/Recycler in the same way and exits. It does the same on any date other than 25-29 January 2002. As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support.

Spreading

To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim’s e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).

The worm also sends one e-mail (without an attachment) to “napster@gala.net”.

Backdoor

Under WinNT/2000/… the worm also creates a new file in a user’s auto-run directory:

%Userprofile%\Start Menu\Programs\Startup\msstask.exe

and writes a backdoor program there. This backdoor is driven by data stored in a file at the Web site “http://209.151.250.170”.
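
The file-system artifacts described in the Installing and Backdoor sections can be checked against a file listing taken from a suspect machine. The following Python check is an added example, not part of the original description; it assumes the paths are read with backslash separators (for example c:\recycled\regctrl.exe), and the function names and sample listing are constructed for illustration.

```python
import re

# Artifact patterns taken from the description above (assumption: paths use
# backslash separators). Matching is case-insensitive, as Windows paths are.
ARTIFACTS = [
    ("installed copy (Win9x/ME)", r"^c:\\regctrl\.exe$"),
    ("installed copy (WinNT/2K/XP)", r"^c:\\recycled\\regctrl\.exe$"),
    ("moved original", r"^c:\\recycle[dr]\\f-\d+-\d+-\d+$"),
    ("backdoor in Startup", r"\\start menu\\programs\\startup\\msstask\.exe$"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in ARTIFACTS]


def classify_path(path):
    """Return the artifact label for one path, or None if nothing matches."""
    # Normalise quotes, surrounding whitespace and forward slashes.
    p = path.strip().strip('"').replace("/", "\\")
    for label, rx in COMPILED:
        if rx.search(p):
            return label
    return None


def triage(listing):
    """Scan a multi-line file listing; return (label, path) for every hit."""
    hits = []
    for line in listing.splitlines():
        label = classify_path(line)
        if label:
            hits.append((label, line.strip()))
    return hits


# Constructed sample listing (hypothetical, e.g. from `dir /s /b /a`).
SAMPLE = r"""
C:\WINDOWS\regedit.exe
C:\RECYCLED\regctrl.exe
C:\RECYCLER\F-12158-19044-21300
C:\RECYCLER\S-1-5-21-1111-2222-3333-1001\Dc1.exe
C:\Documents and Settings\alice\Start Menu\Programs\Startup\msstask.exe
C:\WINNT\system32\mstask.exe
"""

if __name__ == "__main__":
    for label, path in triage(SAMPLE):
        print(f"{label:30} {path}")
```

The similarly named mstask.exe under system32 and an ordinary per-user Recycle Bin entry are included in the sample to show that they do not match.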

Known Variants

Myparty.b

This one is a slightly modified ‘a’ version. The differences are:

The attached file name is “myparty.photos.yahoo.com”.