Party' Worm Is No Party
By Michael Singer
A brand new worm slithering through the Web along Microsoft Outlook e-mail accounts promises a good time, but delivers a hangover.
Anti-virus experts with the Anti-Virus Emergency Response Team (AVERT), the anti-virus research division of Network Associates (NASDAQ:NETA), on Sunday identified the virus, W32/Myparty@MM or "MyParty", as a medium risk.
The mass-mailing worm arrives in an e-mail message with the Subject reading "new photos from my party!" and the body of the message saying:
The attachment, named www.myparty.yahoo.com, looks like a Web site URL but is in actuality a 29,696-byte PE file that, when launched, copies itself to C:\Recycled\regctrl.exe and executes that file. The user's default SMTP server is retrieved from the registry. The virus then uses this SMTP server to send itself out to all addresses found in the Windows Address Book and to addresses found within .DBX files.
The other problem is that the virus leaves a back-door Trojan that could leave computers open for denial of service attacks and other security breaches.
"The good news is that people in much of North America and the West have gotten the message this morning and so we're not seeing much of an impact here," says AVERT researcher April Goostree.
This virus only attempts to mass-mail itself if the calendar is showing 25, 26, 27, 28 or 29 January 2002. AVERT says there is also a variant which was only capable of spreading between 20 and 24 January 2002. On computers with a correct calendar setting, this variant would not replicate now.
Helsinki, Finland-based F-Secure Anti Virus says the worm was created in Russia and it will not infect computers in Russia at all.
The "My Party" e-mail worm is an example of a "reverse social engineering" virus. Reverse social engineering viruses do not rely on sensational subject lines, such as AnnaKournikova or Naked Wife, to tempt users. Instead, reverse social engineering viruses use innocuous-sounding subject lines and realistic attachment names. "As users very rarely e-mail COM format executables to each other, system administrators can easily defend against attacks of this type by filtering all e-mail attachments with an extension of .COM at the firewall or e-mail gateway," says F-Secure manager Mikko Hypponen.
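The gateway filter Hypponen describes, written out as an added example (this is not code from the article, F-Secure or Network Associates). It uses Python's standard `email` library to walk a message's attachments and flag any whose extension Windows would execute, with .COM singled out as the one the article names; it also marks names shaped like a hostname, the trick that makes "www.myparty.yahoo.com" read as a URL when the trailing ".com" is really the executable extension. The sample message and its 32-byte placeholder payload are constructed here and stand in for the real 29,696-byte file.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions Windows runs directly. .COM is the one the article singles out;
# the rest are assumed additions a gateway admin would normally block too.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".pif", ".scr", ".bat", ".cmd", ".vbs"}


def looks_like_url(name: str) -> bool:
    """True when an attachment name is shaped like a hostname (e.g. www.site.com).

    This is the reverse-social-engineering shape the worm uses: the ".com"
    that reads as a top-level domain is really the executable extension.
    """
    lowered = name.lower()
    return lowered.startswith(("www.", "http")) or lowered.count(".") >= 2


def classify_attachment(name: str) -> Dict:
    """Describe one attachment name: its extension, whether it is executable,
    and whether it is an executable disguised as a URL."""
    ext = ""
    if "." in name:
        ext = "." + name.rsplit(".", 1)[1].lower()
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "ext": ext,
        "executable": executable,
        "url_lookalike": executable and looks_like_url(name),
    }


def scan_message(raw: bytes) -> List[Dict]:
    """Parse a raw RFC 822 message and return findings for executable attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        info = classify_attachment(part.get_filename() or "")
        # Decoded payload size, so an operator can compare it with a known sample size.
        info["size"] = len(part.get_payload(decode=True) or b"")
        if info["executable"]:
            findings.append(info)
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway policy from the article: hold any message carrying an executable attachment."""
    return any(f["executable"] for f in scan_message(raw))


def build_sample(attachment_name: str, subject: str = "new photos from my party!") -> bytes:
    """Constructed test message; the payload is a harmless MZ-prefixed placeholder,
    not the worm's 29,696-byte PE file."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = subject
    m.set_content("constructed body text")
    m.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return bytes(m)


if __name__ == "__main__":
    for name in ("www.myparty.yahoo.com", "party.jpg"):
        raw = build_sample(name)
        print(name, "->", "QUARANTINE" if should_quarantine(raw) else "deliver", scan_message(raw))
```

Filtering on the attachment's declared filename is what an e-mail gateway can do cheaply; the `size` field is there so an operator can also compare against a known sample size, but the extension check alone is the mitigation the article quotes and does not depend on recognising this particular worm.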
You know a computer has been infected if you can see C:\RECYCLED\REGCTRL.EXE from a DOS prompt, not from within Windows.
If you are using Windows ME, the OS utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and a virus scan might be unable to delete these files.
As with all other warnings, anti-virus experts say you should always be wary of attachments in your e-mail unless you are expecting them from the sender. And even then, you might want to consider calling the sender if you still are not sure.