Win32.Myparty.A@mm (W32/Myparty@mm)

SYMPTOMS:
- Files F-x-x-x-x.exe in C:\Recycled (x is a random number)
- File regctrl.exe in C:\ or in C:\Recycled
- File msstask.exe in the StartUp menu

TECHNICAL DESCRIPTION:
It arrives in the following format:

Subject: New photos from my party!
Body: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com

When the user executes the attachment, the worm checks its own file name for certain string patterns. If its name contains ACCESS, it copies itself to C:\RECYCLED or to C:\ under the name regctrl.exe. If its name contains COM, it executes regctrl.exe, and if the name contains EXE, it starts the e-mail spreading routine. If something goes wrong or the date is not between 01-25-2002 and 01-29-2002, it tries to rename itself in C:\RECYCLED with a random name of the form F-x-x-x-x.exe, where x is a random number. If everything went well, it drops a Trojan into the StartUp folder under the name msstask.exe. The worm only works between 01-25-2002 and 01-29-2002.

The worm searches for e-mail addresses in the Outlook Express mailbox and in all .dbx files it finds in the My Documents folder. It then sends itself to all those addresses, and for each infected e-mail it sends another one to the address napster@gala.net.

Removal instructions:
Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender AntiMyparty tool does the following:
- it deletes the files created by Win32.Myparty.A@mm;
- it kills the process from memory;
- it repairs the Windows registry.

ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher
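The file and e-mail indicators above can be turned into a small host and mail check. The following is an added example written for this page, not the BitDefender AntiMyparty tool; it assumes the random "x" values in F-x-x-x-x.exe are decimal digits, and the sample paths and message are constructed for the demonstration.

```python
import re
from datetime import date
from typing import Dict, Iterable, List, Optional

# Indicators taken from the description of Win32.Myparty.A@mm.
# Assumption: each "x" in F-x-x-x-x.exe is one or more decimal digits.
RECYCLED_DROPPER = re.compile(r"^C:\\RECYCLED\\F-\d+-\d+-\d+-\d+\.EXE$", re.IGNORECASE)
REGCTRL = re.compile(r"^C:\\(RECYCLED\\)?REGCTRL\.EXE$", re.IGNORECASE)
STARTUP_TROJAN = re.compile(r"\\STARTUP\\MSSTASK\.EXE$", re.IGNORECASE)

MAIL_SUBJECT = "New photos from my party!"
MAIL_ATTACHMENT = "www.myparty.yahoo.com"   # executable disguised as a URL-like name
ACTIVE_FROM, ACTIVE_TO = date(2002, 1, 25), date(2002, 1, 29)


def classify_path(path: str) -> Optional[str]:
    """Return which Myparty file indicator a path matches, or None."""
    if RECYCLED_DROPPER.match(path):
        return "recycled-dropper"      # F-x-x-x-x.exe in C:\Recycled
    if REGCTRL.match(path):
        return "regctrl"               # regctrl.exe in C:\ or C:\Recycled
    if STARTUP_TROJAN.search(path):
        return "startup-trojan"        # msstask.exe in the StartUp folder
    return None


def scan_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious path to the indicator it triggered."""
    hits = {}
    for p in paths:
        tag = classify_path(p)
        if tag:
            hits[p] = tag
    return hits


def is_myparty_mail(subject: str, attachments: List[str]) -> bool:
    """Match the worm's fixed subject line plus its attachment name."""
    names = {a.strip().lower() for a in attachments}
    return subject.strip() == MAIL_SUBJECT and MAIL_ATTACHMENT in names


def in_activity_window(d: date) -> bool:
    """True on the dates the worm's spreading routine actually runs."""
    return ACTIVE_FROM <= d <= ACTIVE_TO


# Constructed sample data for a demonstration run.
SAMPLE_PATHS = [
    r"C:\Recycled\F-12-345-6-789.exe",
    r"C:\regctrl.exe",
    r"C:\Windows\Start Menu\Programs\StartUp\msstask.exe",
    r"C:\Recycled\F-1-2-3.exe",   # only three numbers: not the worm's pattern
    r"C:\Windows\notepad.exe",
]
```

A message that matches is_myparty_mail is worth quarantining on any date; the activity window only tells you whether the worm would have spread from that host.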