Virus Profile: W32/Myparty.a@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/27/2002
Date Added: 1/27/2002
Origin: Russia
Length: 29,696 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4184

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from within Windows)
  • Presence of C:\REGCTRL.EXE
  • Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe

Methods of Infection

Executing an infected attachment causes the worm to email itself to addresses found on the system.

Aliases

I-Worm.Myparty (AVP), MyParty (F-Secure), W32.Myparty@mm (NAV), W32/MyParty-A (Sophos), W32/Myparty@MM, W32/Myparty@MM (Panda), Win32.MyParty (CA), Win32.MyParty.A (AVX), WORM_MYPARTY.A (Trend)

Related Viruses

BackDoor-FB.svr.gen

Virus Characteristics

This mass-mailing worm drops a BackDoor trojan (BackDoor-FB.svr.gen) on Windows NT/2K/XP systems. The worm itself carries no destructive payload. It arrives in an email message containing the following information:

Subject: new photos from my party!
Body: Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com (29,696 byte PE file)

The attachment name may trick some users into thinking that clicking on the file will take them to a Yahoo website. Certain email clients, especially those that underline the filename, may make this attachment look more like a URL than it does in Microsoft Outlook, where it is more clearly distinguishable as a file. The attachment is an executable file whose name ends in .com, which Windows treats as a .COM executable extension, not a URL. Running the attachment infects the local machine.

On Windows 9x/ME

  • If the date is between January 25-29, 2002, the virus copies itself to C:\Recycled\regctrl.exe and executes that file.

On Windows NT/2K/XP

  • If the date is not between January 25-29, 2002, the worm copies itself to C:\Recycled as F-[random number]-[random number]-[random number] with no extension.
  • If the date is between January 25-29, 2002, the worm copies itself to C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder. MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is deleted. If the executable's filename is ACCESS, the user is directed to the www.disney.com website.

This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002. The user's default SMTP server is retrieved from the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001

The virus uses this SMTP server to send itself to all addresses found in the Windows Address Book and within .DBX files.

Variants

Virus Name: W32/Myparty.b@MM
Type: Virus
Subtype: Win32
Differences:
  • Only spreads between January 20-24, 2002
  • Attachment name: myparty.photos.yahoo.com (28,160 bytes)
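As an added illustration (not part of the McAfee profile or its tooling), the following Python mail-gateway check flags messages carrying the indicators listed in the characteristics and variant sections above: the fixed subject line, an attachment named like a Yahoo URL, and a Win32 PE payload of the stated length. The sample message it builds is constructed here; its attachment is an inert "MZ" stub padded to 29,696 bytes, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the profile; sizes are the stated attachment lengths.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENTS = {
    "www.myparty.yahoo.com": 29696,      # W32/Myparty.a@MM
    "myparty.photos.yahoo.com": 28160,   # W32/Myparty.b@MM
}

def classify_message(raw: bytes) -> dict:
    """Return which Myparty indicators matched for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False,
            "size_match": False, "pe_header": False}
    subject = str(msg["subject"] or "").strip().lower()
    hits["subject"] = subject == MYPARTY_SUBJECT
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in MYPARTY_ATTACHMENTS:
            hits["attachment_name"] = True
            payload = part.get_payload(decode=True) or b""
            hits["size_match"] = len(payload) == MYPARTY_ATTACHMENTS[name]
            hits["pe_header"] = payload[:2] == b"MZ"   # DOS/PE stub signature
    return hits

def is_myparty(raw: bytes) -> bool:
    """Flag when subject and attachment name both match, or when the
    URL-styled attachment name carries a PE executable (re-worded copies)."""
    h = classify_message(raw)
    return (h["subject"] and h["attachment_name"]) or \
           (h["attachment_name"] and h["pe_header"])

def build_sample() -> bytes:
    """Constructed sample mimicking the profile's description; the
    attachment is a placeholder MZ stub padded to the stated length."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello!\n\nMy party... It was absolutely amazing!\n")
    body = b"MZ" + b"\x00" * (29696 - 2)
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename="www.myparty.yahoo.com")
    return msg.as_bytes()
```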

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).