- File "ox&Wife.scr" in the Windows System folder;
- The "OX" entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, causing the file named above to be run at start-up.
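A check for the two symptoms listed above, as an added example that is not part of the original description or of BitDefender's tooling: it parses the text output of `reg query` for the Run key and flags the "OX" value name, the "ox&Wife.scr" file name and, going beyond this one virus, any other .scr file started at logon. The sample output, including the folder paths in it, is constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# Indicators taken from the description above (compared case-insensitively,
# since the page writes the value name as both "OX" and "Ox").
RUN_VALUE_NAME = "ox"
DROPPED_FILE = "ox&wife.scr"

# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query HKCU\...\Run` output (paths are assumptions).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    OX    REG_SZ    C:\WINDOWS\SYSTEM\ox&Wife.scr
    Photo Viewer    REG_SZ    "C:\Program Files\Viewer\slides.scr" /s
"""

def target_of(data):
    """Return the program path of a Run value, without its arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Unquoted: cut after the first file extension followed by space or end.
    m = re.match(r"(.+?\.\w{2,4})(?:\s|$)", data)
    return m.group(1) if m else data

def scan(reg_output):
    """Return (value name, target path, reasons) for each suspicious entry."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, target = m["name"], target_of(m["data"])
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name matches")
        if basename(target).lower() == DROPPED_FILE:
            reasons.append("file name matches")
        if not reasons and target.lower().endswith(".scr"):
            reasons.append("generic: .scr launched at logon")
        if reasons:
            findings.append((name, target, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
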
- If you don't have BitDefender installed click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the Ox key value from:
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.MyLife.G@mm.
Bogdan Dragu BitDefender Virus Researcher
This is another mass-mailer in the Win32.MyLife series that spreads by e-mail to the user's contacts. It was written in Visual Basic and packed using UPX.
It arrives as an attachment to an e-mail message in this format:
Subject: ox <--> sharon
Body:
Hi All,
look to the ox caricature it's very sad
ox <===> sharon
it's funny :-)
Attachments are automatically scanned for viruses using MCAFEE.COM
========No Viruses Found========
(size: ~ 13 KB)
When the user opens the attachment, the virus sends an e-mail message (with the virus body attached as described above) to all the user's contacts in the Address Book and the MSN Messenger contact list. It also drops a copy in the Windows System folder and registers it to be run each time the user logs on to Windows; eventually it displays the following picture:
The next time the virus is run, it will attempt to:
- overwrite the contents of files (that have the extension .jpeg, .rm, .ram, .mp3, .mp2, .doc, .xls, .ppt, .htm, .html, .wav, .php, .gif, .frm, .zip, .rar, .mpg, .mpeg, .asm, .txt, .pdf, .pps, .mdb, .rtf, .vbs, .js, .dbx) on mapped network drives with the text "my lIfE";
- delete all the data on hard-drive partitions (D:, E:, F:, G:, H:, I: and C:).
The following message box is displayed after the payload is activated:
The "message" of the virus and some texts within its body might indicate a possible connection to the author(s) of the Zacker (Win32.Zacker.A@mm, VBS.Zacker.C@mm, Win32.Zacker.D@mm, Win32.Zacker.F@mm) and Rezak (Win32.Rezak.A@mm) viruses.