- File "My Life.scr"
in the Windows System folder;
- The "stmgr"
entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key; the value of this entry refers the file named above:
Task Manager (which can be invoked by right-clicking the taskbar and selecting "Task Manager"
from the menu on Windows NT/2000/XP only) revealing a process called "My Life"
- If you don't have BitDefender installed click here to download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the stmgr key value from:
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.MyLife.A@mm.
Bogdan Dragu BitDefender Virus Researcher
This virus is a mass mailer that uses the e-mail client Microsoft Outlook in order to send itself to all the user's contacts in the Address Book. It was written in Visual Basic and the executable is compressed using the UPX executable packer.
It comes attached to an e-mail message in the following format: Subject: my life ohhhhhhhhhhhh
h Attachement: "My Life.scr"
(size: ~ 30 KB) Body: Hiiiii
How are youuuuuuuu?
look to the digital picture it's my love
vvvery verrrry ffffunny :-)
my life = my car
my car = my house
The attachment's filename has an extension (".scr"
) that identifies it as an executable program for Windows (most Windows screen savers have that extension). When the user runs the virus (eg: by opening the attachement of the message), it will drop a copy of itself in the Windows System folder and use that copy to create attachments to the messages it sends to all the contacts in the user's Address Book:
The dropped copy of the virus will also be registered to run each time Windows is restarted (by the "infected" user), by creating the entry named above in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The virus will eventually display this picture:
The virus will not run unless the executable's name is "My Life.scr"
(this is due to poor Visual Basic programming); its code contains a section that seems to try to delete .com, .sys, .ini, .exe, .vxd
files from various folders (probably including the Windows and Windows System folders). These extensions usually belong to important system and application files and if these were deleted, Windows (and probably some Windows applications as well) would almost certainly have to be reinstalled. However, this version of the virus doesn't achieve this evil task.