Win32.MyLife.B@mm

LOW
LOW
11524 bytes (~ 49 KB when unpacked)
(W32/Caric.A@mm)

Symptoms

- File "cari.scr" in the Windows System folder;
- The "win" entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key; the value of this entry refers to the file named above;

- Task Manager (which, on Windows NT/2000/XP only, can be opened by right-clicking the taskbar and selecting "Task Manager" from the menu) shows a running process called "caricature.scr".

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the win key value from:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.MyLife.B@mm.

Analyzed By

Bogdan Dragu BitDefender Virus Researcher

Technical Description:

This new version of Win32.MyLife.A@mm is also a mass mailer for Microsoft Outlook, written in Visual Basic and packed using UPX.

It arrives as an attachment to an e-mail message in this format:

Subject: bill caricature

Attachment: "cari.scr" (size: ~ 12 KB)

Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy

========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

The attachment's filename has an executable extension (".scr") that is typical of Windows screen savers. When the user runs the virus, it drops a copy of itself in the Windows System folder and sends e-mail messages in the format described above to all the user's contacts in the Address Book.

The dropped copy of the virus will also be registered to run each time Windows is restarted (by that user), by creating the "win" entry in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
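
The persistence indicator can be checked from the text output of `reg query`. The following is an added example, not BitDefender's code: it flags Run-key values named "win" or pointing at cari.scr, and it covers both HKCU (named in the symptoms and description) and HKLM (named in the removal steps). The sample output, the `C:\WINDOWS\SYSTEM` path and the `ExampleApp` key are constructed for illustration.

```python
import re

# Run keys named on this page: HKCU (symptoms, description) and HKLM (removal steps).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# A value line of `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample output (not taken from an infected machine).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    win    REG_SZ    C:\WINDOWS\SYSTEM\cari.scr

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE

HKEY_CURRENT_USER\Software\ExampleApp
    win    REG_SZ    1
"""


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"].strip()


def find_mylife_persistence(text):
    """Return Run-key values named "win" or whose data launches cari.scr."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue  # a "win" value outside the Run keys is not this indicator
        target = data.strip('"').lower()
        if name.lower() == "win" or target.endswith("cari.scr"):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_mylife_persistence(SAMPLE):
        print(f"{key}: {name} -> {data}")
```

On a live host the input would be the saved output of `reg query` for each of the two Run keys.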

The virus will eventually display this picture:



Its code contains a section that tries to delete the following files/folders: c:\*.*, *.sys, *.vxd, *.ocx, *.nls, d:\*.*, e:\*.*, f:\*.*, but fails.