Guest, Posted January 28, 2002

IT Announcements [IT-ANNOUNCE] On Behalf Of ISC Provider Desk
Monday, January 28, 2002 10:25 AM
IT-ANNOUNCE

**Virus Alert -- W32.Myparty**

Folks --

This is an alert regarding W32.Myparty, a mass-mailing worm that has begun spreading worldwide. This worm affects machines running Windows 95, 98, ME, NT, 2000, and XP.

The worm arrives via an email attachment named "www.myparty.", which, if executed, will email itself to all entries in the user's Windows Address Book. The worm also emails itself to all addresses found in the user's Outlook Express mailboxes (which have a .dbx extension). There are conflicting reports regarding other possible payloads of the virus, including the installation of a backdoor program; updated information will be posted as soon as it is available.

Symantec has released virus definitions dated 1/27/02 which will detect the virus.

There have been many reports of this virus on campus, so please be aware of it.

Characteristics
---------------

The virus arrives in an email with the subject "new photos from my party!" and the message body:

"Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!"

The email will contain an attachment named "www.myparty..". This attachment may look like a website link in some email clients, but it is really an executable file.

When the attachment is executed, the worm will do the following:

-- if the machine is running Windows 9x or ME, it will copy itself to the Recycle Bin as REGCTRL.EXE. It will then email itself to all addresses found in the user's Windows Address Book (file with a .wab extension), as well as addresses found in all Outlook Express mailboxes (files with a .dbx extension).

-- if the machine is running Windows NT, it will first copy itself to the Startup directory (%windows%\profile\%username%\Start Menu\Programs\Startup\MSSTASK.EXE -- where %windows% is the Windows install directory, and %username% is the name of the user who is logged on when the system is infected). Therefore, the worm will be executed each time the user logs on to the machine. It will then copy itself to the root drive as REGCTRL.EXE. It next executes the mass-mailing routine described above. Finally, it will copy itself to the C:\Recycled and C:\Recycler directories under a randomly generated filename.

-- if the machine is running Windows 2000 or XP, it will copy itself to the Startup directory (%windows%\profile\%username%\Start Menu\Programs\Startup\MSSTASK.EXE -- where %windows% is the Windows install directory, and %username% is the name of the user who is logged on when the system is infected). Therefore, the worm will be executed each time the user logs on to the machine. It will then execute the mass-mailing routine described above.

There are some reports from anti-virus vendors which claim that the worm has additional payloads, such as installing a backdoor or launching a web browser to www.disney.com. More information will be available when these claims are confirmed.

Recovery
------------

Current information on recovery from W32.MyParty is:

-- if the system is running Windows NT, 2000 or XP, press Ctrl-Alt-Del and stop the MSSTASK.EXE process (be sure not to stop the MSTASK.EXE process, as this is a legitimate process required by Windows). Then delete the file MSSTASK.EXE from the user's Startup directory.

-- run LiveUpdate to install the 1/27/02 (or later) version of the NAV virus definition file

-- run a full system scan of the user's hard drive

-- delete all files detected as W32.MyParty@mm

Protection
-------------

Symantec has released definitions dated 1/27/02 which will detect the virus.

Instructions on how to update NAV definition files are located at:
http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further information on the W32.Myparty worm can be found at:
http://www.sarc.com/avcenter/venc/data/w32.myparty@mm.html
http://vil.nai.com/vil/content/v_99332.htm
http://www.europe.f-secure.com/v-descs/myparty.shtml
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A

Updated info will be posted shortly to the Virus Alert Web Page: www.upenn.edu/computing/help/doc/alert.

Please contact:
-- the Provider Desk at 573-4017 or prodesk@isc with questions regarding virus repair or detection
-- the Virus Alert team at virus@isc with questions and reports of virus infections

---
Bob Barron
Senior IT Support Specialist
ISC Provider Desk
prodesk
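The alert's key detection point is that the attachment looks like a web address but is a Win32 executable. The following is an added example, not part of the original announcement or of any vendor tool: a small gateway-side check that flags a message on the traits the advisory lists (subject line, body text, and an attachment named "www.myparty.…" whose bytes carry the "MZ" executable header), ignoring whatever Content-Type the sender declared. The attachment name suffix, sender and recipient addresses, and the sample message are constructed placeholders, since the real attachment name is truncated in the alert.

```python
"""Added example: flag W32.Myparty-style mail at a gateway.

Not part of the original alert. It matches on the traits the advisory lists:
the subject line, the message body text, and an attachment whose name begins
with 'www.myparty.' but whose bytes are a Win32 executable (MZ header),
regardless of the Content-Type the sender declared.
"""
import email
from email import policy
from email.message import EmailMessage

WORM_SUBJECT = "new photos from my party!"
WORM_BODY_FRAGMENT = "I have attached my web page with new photos!"
ATTACHMENT_PREFIX = "www.myparty."


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' stub every Win32 PE carries."""
    return data[:2] == b"MZ"


def myparty_indicators(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which worm traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    findings = {
        "subject_match": subject == WORM_SUBJECT,
        "body_match": WORM_BODY_FRAGMENT in body,
        "exe_attachment": False,
        "attachment_names": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachment_names"].append(name)
        # Decode the transfer encoding and sniff the bytes; the declared
        # MIME type and the link-like filename are both attacker-controlled.
        payload = part.get_payload(decode=True) or b""
        if name.lower().startswith(ATTACHMENT_PREFIX) and is_pe_executable(payload):
            findings["exe_attachment"] = True
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Quarantine on the executable lure, or on the exact subject+body pair."""
    f = myparty_indicators(raw)
    return f["exe_attachment"] or (f["subject_match"] and f["body_match"])


def build_sample(attachment_name: str, payload: bytes, subject: str = WORM_SUBJECT) -> bytes:
    """Construct a test message (constructed sample, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"      # placeholder address
    msg["To"] = "victim@example.invalid"        # placeholder address
    msg["Subject"] = subject
    msg.set_content(
        "Hello!\nMy party... It was absolutely amazing!\n"
        "I have attached my web page with new photos!\n"
        "If you can please make color prints of my photos. Thanks!\n"
    )
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    # Constructed: the attachment name in the advisory is truncated, so a
    # placeholder suffix is used; a bare MZ/PE stub stands in for the worm body.
    fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    print(should_quarantine(build_sample("www.myparty.example.com", fake_exe)))  # True
    html = b"<html><body>party pics</body></html>"
    print(should_quarantine(build_sample("www.myparty.example.com", html, subject="photos")))  # False
```

Sniffing the first two bytes is deliberately cheap and catches the case the alert describes (a file whose name reads as a URL but which is a PE image); a production filter would also strip or block executable attachments outright rather than pattern-match one worm's lure text.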