
Win32.MyLife.G@mm

LOW
HIGH
13724 bytes
(N/A)

Symptoms


- The file "ox&Wife.scr" in the Windows System folder;
- An "OX" value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, which causes the file named above to run at each log-on.



Removal instructions:

  1. If you don't have BitDefender installed, download an evaluation version;

  2. Make sure you have the latest updates, using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Modify only the values specified below, and back up the Windows registry before proceeding. For more information on backing up the registry, read the FAQ.

    1. Select Run... from the Start menu, type regedit and press Enter;

    2. Delete the OX value from the Run key it appears in. The Symptoms section lists it under the current user:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Check the machine-wide key of the same name as well, since a start-up entry can be registered under either hive:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  4. Perform a full scan of your system (from the Action tab, select Prompt user for action) and choose to delete all files infected with Win32.MyLife.G@mm.
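The check and removal steps above, as an added PowerShell script; this is not part of the Bitdefender write-up. It assumes the dropped file and value names are exactly as listed (ox&Wife.scr and OX), looks in both Run hives because the Symptoms and removal sections name different ones, and treats the "Windows System folder" as %WINDIR%\System32 on NT-based Windows (or %WINDIR%\System on Windows 9x); the file name and hives are the only facts taken from the page.

```powershell
# Added example, not part of the Bitdefender write-up.
# Reports the Win32.MyLife.G@mm indicators on this host; with -Remove it also
# stops the dropped process, deletes the file and removes the Run value.
# Assumptions: names exactly as listed on the page ("ox&Wife.scr", "OX");
# "Windows System folder" = System32 on NT-based Windows, System on 9x.
param(
    [switch]$Remove
)

$DroppedFile  = 'ox&Wife.scr'
$RunValueName = 'OX'
$ExpectedSize = 13724   # bytes, from the size listed above

# The Symptoms section names HKCU, the removal steps name HKLM: check both.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. The dropped copy. -LiteralPath because the name contains '&'.
$systemDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'System'))
foreach ($dir in $systemDirs) {
    $path = Join-Path $dir $DroppedFile
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $size = (Get-Item -LiteralPath $path).Length
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Location  = $path
        Detail    = "size=$size bytes (listing says $ExpectedSize)"
    }
    if ($Remove) {
        # The file cannot be deleted while it is running.
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $path) } |
            Stop-Process -Force
        Remove-Item -LiteralPath $path -Force
    }
}

# 2. The autostart value. Compare names case-insensitively ("OX" vs "Ox").
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $name  = $props.PSObject.Properties.Name | Where-Object { $_ -ieq $RunValueName }
    if (-not $name) { continue }
    $findings += [pscustomobject]@{
        Indicator = 'RunValue'
        Location  = "$key\$name"
        Detail    = "data=$($props.$name)"
    }
    if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
}

if ($findings.Count -eq 0) {
    'No Win32.MyLife.G@mm indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once without -Remove to see what it finds, then with -Remove from an elevated prompt (the HKLM value needs administrator rights), and follow with the full scan in step 4; the script only covers the two indicators the page lists, not infected files elsewhere.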

Analyzed By

Bogdan Dragu, BitDefender Virus Researcher

Technical Description:

This is another mass-mailer in the Win32.MyLife series; it spreads by e-mail to the user's contacts. It was written in Visual Basic and packed with UPX.

It arrives as an attachment to an e-mail message of the following form:

Subject: ox <--> sharon
Body:
Hi All,
look to the ox caricature it's very sad
ox <===> sharon
it's funny :-)
bye

Attachments are automatically scanned for viruses using MCAFEE.COM
========No Viruses Found========

Attachment:
"ox&Wife.scr" (size: ~13 KB)

The "No Viruses Found" banner is text inside the message body, written by the virus itself; it is not a scanner result.


When the user opens the attachment, the virus sends an e-mail message (with its own body attached, as described above) to all of the user's contacts in the Address Book and the MSN Messenger contact list. It also drops a copy of itself in the Windows System folder, registers that copy to run each time the user logs on to Windows, and then displays a picture.


The next time the virus is run, it attempts to:
- overwrite with the text "my lIfE" the contents of files on mapped network drives that have one of the extensions .jpeg, .rm, .ram, .mp3, .mp2, .doc, .xls, .ppt, .htm, .html, .wav, .php, .gif, .frm, .zip, .rar, .mpg, .mpeg, .asm, .txt, .pdf, .pps, .mdb, .rtf, .vbs, .js, .dbx or .avi;
- delete all the data on the hard-drive partitions D:, E:, F:, G:, H:, I: and C:.
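An added PowerShell helper, not from the Bitdefender write-up, to inventory the files the payload has overwritten, for example on a share that an infected workstation had mapped, so they can be restored from backup. It assumes that an overwritten file starts with the exact bytes of the text "my lIfE" (the write-up does not say whether the file is truncated to that string, so the size is reported rather than matched) and uses the extension list above.

```powershell
# Added example, not part of the Bitdefender write-up.
# Lists files under $Root that begin with the payload's marker text, so they
# can be restored from backup. Case-sensitive: the marker is "my lIfE".
# Assumption: an overwritten file starts with the marker; the length is
# reported rather than matched because the write-up does not state the final size.
param(
    [Parameter(Mandatory = $true)]
    [string]$Root
)

$Marker      = 'my lIfE'
$MarkerBytes = [System.Text.Encoding]::ASCII.GetBytes($Marker)
$Extensions  = @('.jpeg', '.rm', '.ram', '.mp3', '.mp2', '.doc', '.xls', '.ppt',
                 '.htm', '.html', '.wav', '.php', '.gif', '.frm', '.zip', '.rar',
                 '.mpg', '.mpeg', '.asm', '.txt', '.pdf', '.pps', '.mdb', '.rtf',
                 '.vbs', '.js', '.dbx', '.avi')

function Test-MyLifeMarker {
    param([string]$Path)
    # Read only the first few bytes; the files may be large media files.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
    } catch {
        return $false   # locked or inaccessible: skip rather than abort the scan
    }
    try {
        $buffer = New-Object byte[] $MarkerBytes.Length
        $read   = $stream.Read($buffer, 0, $buffer.Length)
    } finally {
        $stream.Dispose()
    }
    if ($read -ne $MarkerBytes.Length) { return $false }
    for ($i = 0; $i -lt $read; $i++) {
        if ($buffer[$i] -ne $MarkerBytes[$i]) { return $false }
    }
    return $true
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    Where-Object { $_.Length -ge $MarkerBytes.Length -and (Test-MyLifeMarker $_.FullName) } |
    Select-Object FullName, Length, LastWriteTime
```

Point it at the mapped drive or the share root (for example -Root 'Z:\'); the LastWriteTime column clusters around the time the payload ran, which helps choose the backup generation to restore from.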

A message box is displayed after the payload has run:


The "message" carried by the virus and some of the strings in its body suggest a possible connection to the author(s) of the Zacker (Win32.Zacker.A@mm, VBS.Zacker.C@mm, Win32.Zacker.D@mm, Win32.Zacker.F@mm) and Rezak (Win32.Rezak.A@mm) viruses.