Virus Profile: W32/Mypics.worm.25600

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 12/14/1999
Date Added: 12/14/1999
Origin: N/A
Length: N/A
Type: Virus
Subtype: Worm
DAT Required: 4057
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Existence of this file on the local system - modifications to the system registry as mentioned above - email mailings as mentioned above.

Methods of Infection

Running the executable will directly copy itself and run the mailing routine.


I-Worm.MyPics.c, W32.Video.25600.Worm, W32/Mypics.worm.gen, Win32/Video.worm

Virus Characteristics

This worm was written in Visual Basic 5.0 and it is a minor variant to the earlier discovered W32/Mypics.worm. This worm also has a reliance on the library file MSVBVM50.DLL. Without this file, the program will error. This file will copy itself to the local machine as C:\zip01.exe and register itself to run from the registry at system startup from either of these locations, depending on if the operating system is Windows 9x or NT:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Agent5 = c:\zip01.exe

HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run Agent5 = c:\zip01.exe

While the file runs as a task in memory, it is performing two functions. One function is to spread via an email routine while the other is a monitor for the system clock to reach the 17th of any month and activate the destructive file deletion routine. This worm has also disabled the "CTRL-ALT-DEL" option to bring up the task list to avoid closing the task. The best method to start Windows without the task is to start in safe mode.

This worm uses MS Outlook email for distribution, if executed, using email recipients listed in the Outlook address book. Emails created by this worm contain no subject line, and only the message as listed below - the email message has the attached file "Video.exe" with a size of 25,600 bytes:

Here's a digital video for you

The icon of the email attachment resembles Winzip. The file is not a Winzip file however. Winzip when installed by default will add a shell extension to the right-mouse click. If you right-mouse click on true zip archive files, you will have an option to open the file using Winzip.

If MS Outlook is logged off and closed for at least 10 minutes then logged back on, the email routine is activated again. In AVERT testing on a Windows 95 client with MS Outlook installed and only using the "Personal Address Boo

Use recommended engine and DAT files for detection. Removal is a manual process if PSAPI.DLL is not available on the Windows installation directory. To manually remove this worm, start Windows in safe mode and then delete the file ZIP01.EXE in the root of the hard drive. Remove the reference to it in the system registry also.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!