Name: Win32.Myparty
Threat Level:
Alias: MYPARTY, W32.Myparty@mm, WORM_MYPARTY.A, MYPARTY.A
Date: 29 January, 2002
Type: Win32, Trojan, Worm
Damage: Send Email
Platform: 95, 98, ME, NT, 2000
Analysis

This vandal arrives as an email with an attached file that masquerades as a link to a Web site. The writers of this vandal have taken advantage of the fact that many people will be tempted to run the file because its name looks like a normal Web site address ending in .com. In this case, however, the file name www.myparty.yahoo.com is composed of the name www.myparty.yahoo and the extension .COM, which means Windows treats it as an executable file.

The arriving email will have the following characteristics:

Subject: new photos from my party!

Message body:

Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos.
Thanks!

Attached file: www.myparty.yahoo.com (notice this is a file with a COM extension and not a link to a Web page)
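The lure described above can be screened for at the mail gateway: the trick is an attachment whose name reads as a Web address but ends in an extension Windows will execute. The following is an added example written for this page, not eSafe or Aladdin code; it parses a constructed copy of the message (placeholder bytes stand in for the worm body) with Python's standard email library and reports the advisory's indicators plus the general "address-like name with executable extension" pattern.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as programs even when the name looks like a URL.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Indicators taken from the advisory: lure subject and attachment name.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"

# A name that looks like a host name: at least two dotted labels plus a TLD.
HOSTNAME_LIKE = re.compile(r"^(www\.)?([a-z0-9-]+\.){2,}[a-z]{2,}$", re.IGNORECASE)


def attachment_names(msg):
    """Return the filenames of all attachments in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def looks_like_url_executable(filename):
    """True when a filename resembles a web address but ends in an executable extension."""
    name = filename.strip().lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS and bool(HOSTNAME_LIKE.match(name))


def classify_message(raw_bytes):
    """Return the reasons a message is suspicious (empty list = nothing found)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject == MYPARTY_SUBJECT:
        reasons.append("subject matches Win32.Myparty lure")
    for name in attachment_names(msg):
        if name.lower() == MYPARTY_ATTACHMENT:
            reasons.append(f"attachment name matches Win32.Myparty: {name}")
        elif looks_like_url_executable(name):
            reasons.append(f"attachment looks like a web address but is executable: {name}")
    return reasons


def build_sample():
    """Constructed sample mirroring the advisory's email; the attachment bytes are a placeholder, not the worm."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # constructed addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello!\nMy party... It was absolutely amazing!\n")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    return msg.as_bytes()
```

The general check deliberately ignores a plain "report.com" so that ordinary short names are not flagged; only multi-label, address-looking names with an executable extension trip it.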

Malicious Activity

1. When the attached file is executed, it attempts to send copies of itself to addresses found in the Windows Address Book and in Outlook Express .DBX (message database) files. It uses its own SMTP engine to connect to the default SMTP server.

2. It copies itself to C:\Recycled\REGCTRL.EXE or C:\REGCTRL.EXE (on Windows NT and 2000).

3. On Windows NT and 2000 systems it can drop a backdoor Trojan recognized as Win32.Myparty.backdoor under the name MSSTASK.EXE (not to be confused with MSTASK.EXE).

Removal

1. Using the Task Manager (CTRL+ALT+DELETE), find and stop the MSSTASK.EXE process.

2. Search your drive for the files REGCTRL.EXE and MSSTASK.EXE. Remove them if found.

3. It is recommended to use eSafe Desktop to scan and remove this vandal.


eSafe Users

eSafe Desktop and Enterprise users are protected from this vandal with Sandbox II and System Protector.

eSafe Gateway and eSafe Mail users are advised to add the file name www.myparty.yahoo.com to the "Known vandals" list. This entry was also added automatically in the eSafe Proactive lists update. You can use the "Update now" button in the administrator's menu; if the "Update lists" option is checked, this list update is performed automatically.
eSafe Gateway and eSafe Mail users are also advised to use the SmartScript filtering to remove malicious scripts from email.

A new vandal/virus update is available.
Update version: EV105-SV112
Update date: January 29, 2001

eSafe Enterprise, Desktop, Gateway 2.1
An update is available from here.

eSafe Gateway 3.x and eSafe
You can use the "Update now" option from within the product eConsole.

New Users
More information about eSafe Content Security Products as well as trial versions are available from here.