HELLO EVERYONE: THIS IS NOT A HOAX THIS JUST HAPPENED TO ME ON JAN. 28th,
2002 READ PLEASE!!!
On the 28th I got an email from a genealogy cousin of the family. (Note he
did not know it was sent to me.) We both were victims of an EMAIL WORM. I
believe I have it taken care of now. (Not sure if it got past Norton's or
not???) But I have taken every precaution to make sure I don't have it. Let me
tell you about the pain in the rear this one can be.......
From all that I have read it is not destructive; it just cabbages onto
everyone's email address in your email book and emails them this worm. I
will put some hyperlinks below that you can go to and read about this worm.
So I hope that nobody has gotten this from me; if so, I'm sorry. It happened
unknowingly to me 'cause I thought the cousin was sending me genealogy
pictures, so I did not think it would end up being a worm. So sorry if this
got passed on. One key thing: if you did get this, make sure NOT TO OPEN IT.
DELETE IT AND RUN YOUR ANTIVIRUS PROGRAM IF IT'S NOT ALREADY DOING SO. ALSO,
TO BE ON THE SAFE SIDE, AOL HAD ADVISED ME TO DO THE ABOVE AND THEN CALL INTO
AOL AND CHECK AND MAKE SURE THERE HAVE NOT BEEN ANY CHANGES TO MY BILLING
ACCOUNT AND TO ALSO CHANGE MY PASSWORD TO AOL JUST TO SAFEGUARD MYSELF FROM
MY ACCOUNT BEING ABUSED! I HAVE DONE THIS ALL.
SO IF YOU GOT AN EMAIL FROM ME SAYING IN THE
Subject: new photos from my party!
with an Attachment:
www.myparty.yahoo.com
DON'T OPEN IT, IT'S A WORM!!!!!!!!!!!!
Here are some names that this worm is called, as well as other information
about the worm and various websites to get help with this worm or any other
virus for that matter!
Sorry if this was passed on; it was unknowingly done by me.
Donata
http://www.rootsweb.com/~indelawa/county.htm
This site gives the following info:
WORM_MYPARTY.A
MYPARTY.A
MYPARTY
W32.Myparty@mm
Here is a description of the email:
Subject: new photos from my party!
Message body:Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment:
www.myparty.yahoo.com
====================================================
NORTONS:
http://securityresponse.symantec.com/
or from the above page you can reach the next page, which
has the following:
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32...
W32.Myparty@mm
Discovered on: January 26, 2002
Last Updated on: January 30, 2002 at 01:25:50 PM PST
W32.Myparty@mm is a mass-mailing email worm. It has the following
characteristics:
Subject: new photos from my party!
Message:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment:
www.myparty.yahoo.com
The worm sends email to all contacts in your Windows address book, and to
email addresses that it finds in the Outlook Express Inboxes and folders.
In addition, the worm sends a message to the author so that the author can
track the worm.
On NT/2000/XP systems, the worm drops a backdoor Trojan that allows a hacker
to control your system. NAV will detect this as Backdoor.Myparty.
Finally, if the file name of the worm is Access.<any extension>, it may
launch your Web browser to http:/ /www.disney.com. However, the worm does not
contain code which can generate a file with the name Access.<any extension>,
so it is highly unlikely that this will trigger.
Also Known As: W32/Myparty@MM, WORM_MYPARTY.A, W32/MyParty-A, Win32.MyParty,
I-Worm.Myparty
Type: Trojan Horse, Worm
Infection Length: 29,696 bytes
Virus Definitions: January 28, 2002
Threat Assessment:
Wild: Medium
Damage: Low
Distribution: High
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy
Damage:
Payload Trigger: January 25-29, 2002
Payload:
Large scale e-mailing: Sends email to all contacts in your Windows
address book, and to email addresses that it finds in the Outlook Express
Inboxes and folders.
Distribution:
Subject of email: new photos from my party!
Name of attachment: www.myparty.yahoo.com
Size of attachment: 29,696 bytes
Technical description:
W32.Myparty@mm arrives as an email with the following characteristics:
Subject: new photos from my party!
Message:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment:
www.myparty.yahoo.com
When it is executed, the worm first checks the date. If the computer date is
not between January 25 and 29, 2002, or if the keyboard settings are set to
Russian, the worm copies itself to:
C:\Recycled-F-<random digits>-<random digits>-<random digits>
and exits. Otherwise, the worm continues.
The worm next checks its own file name, and performs different actions
depending on the file name or extension:
If the file name is "Access" the worm attempts to launch your Web browser to
http:/ /www.disney.com and exits. However, the worm does not contain code
which can generate a file with the name Access.<any extension>, so it is
highly unlikely that this will trigger.
If the file name has a .com extension, the worm copies itself to one of the
following locations:
C:\Regctrl.exe (Windows NT/2000/XP)
C:\Recycled\Regctrl.exe (Windows 95/98/Me).
and then executes the Regctrl.exe file.
If the file name has a .exe extension such as Regctrl.exe, the worm begins
its propagation routine:
1. The worm searches the Windows address book that is used by Microsoft
Outlook and Outlook Express, and through files with the extension .dbx in the
Microsoft Outlook Express folder, for email addresses. (The .dbx files are
Microsoft Outlook Express folders and inboxes.)
2. The worm sends itself to these email addresses using its own SMTP engine.
The worm uses the default SMTP server address that is configured on the
computer. The From: address is set to your email address.
3. On Windows NT/2000/XP computers the worm creates a backdoor Trojan:
%Windows%\Profiles\%User_name%\Start Menu\Programs\Startup\msstask.exe
or
\Documents and Settings\%User_name%\Start Menu\Programs\Startup\msstask.exe
so that it is executed when you start Windows. This backdoor trojan contacts
a Webpage at 209.151.250.170 which allows the author to have access to the
computer. Depending on the contents of the Webpage, the backdoor will perform
different actions.
NOTES:
%Windows% is a variable. The worm locates the \Windows folder (by default
this is C:\Windows or C:\Winnt) and copies itself to that location.
%User_name% is a variable. The worm locates the name of the currently
logged-on user, and uses that where indicated.
Finally, the worm sends a message to napster(a)gala.net, allowing the author to
track how far the worm has spread.
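As an added example (not from Symantec's write-up or the original poster), here is a gateway-side Python check for the lure described above. Its primary indicator is the trick the write-up's .com branch depends on: an attachment name that reads as a web address (www.myparty.yahoo.com) but ends in an extension Windows will execute; the subject line and the 29,696-byte size are used as corroboration. The executable-extension list and the two sample messages are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the write-up above.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
MYPARTY_SIZE = 29_696
# Extensions Windows runs directly (editor's list, not from the write-up).
EXEC_EXTENSIONS = (".com", ".exe", ".pif", ".scr", ".bat")


def looks_like_url_but_executable(filename: str) -> bool:
    """True for names like www.myparty.yahoo.com: it reads as a web address,
    but the trailing .com makes Windows treat the file as a program."""
    name = filename.lower()
    return name.startswith("www.") and name.endswith(EXEC_EXTENSIONS)


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Parse an RFC 822 message; return (score, reasons), one point per hit."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() == MYPARTY_SUBJECT:
        reasons.append("subject is the Myparty lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        if looks_like_url_but_executable(name):
            reasons.append(f"attachment {name!r} is a program disguised as a URL")
        if name == MYPARTY_ATTACHMENT and size == MYPARTY_SIZE:
            reasons.append("attachment name and size match W32.Myparty@mm")
    return len(reasons), reasons


def build_sample(worm: bool = True) -> bytes:
    """Constructed message, not a real capture: worm=True mimics the lure with
    a zero-filled placeholder of the worm's size; worm=False is a benign mail."""
    m = EmailMessage()
    m["From"], m["To"] = "cousin@example.invalid", "me@example.invalid"
    if worm:
        m["Subject"] = MYPARTY_SUBJECT
        m.set_content("Hello!\nMy party... It was absolutely amazing!\n")
        data, name = b"MZ" + b"\0" * (MYPARTY_SIZE - 2), MYPARTY_ATTACHMENT
    else:
        m["Subject"] = "Grandma's 1910 census record"
        m.set_content("Scan attached, see page 2.\n")
        data, name = b"\xff\xd8\xff\xe0" + b"\0" * 100, "census-1910.jpg"
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=name)
    return bytes(m)
```

`score_message(build_sample())` returns a score of 3 with all three reasons, while the benign sample scores 0; a filter would quarantine on the URL-lookalike hit alone, since that catches renamed variants the fixed subject and size would miss.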
Removal instructions:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Do one of the following, depending on your operating system:
Windows 95/98/Me: Restart the computer in Safe mode. For instructions on how
to do this, read the document "How to restart Windows 9x or Windows Me in
Safe Mode":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/19991...
Windows NT/2000/XP: End task in the Msstask.exe process. To do this:
   1. Press Ctrl+Alt+Delete one time.
   2. Click Task Manager.
   3. Click the Processes tab.
   4. Click the "Image Name" column header two times to sort the processes
   alphabetically.
   5. Scroll through the list and look for the following process:
   Msstask.exe
   CAUTION: This is not the same as Mstask.exe--note the single "s".
   Mstask.exe is a legitimate Microsoft process. Do not end task on it.
   6. If you find the file--you will only find it if the process is
   currently running--click it and then click End Process.
   7. Close the Task Manager.
3. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan
all files. For instructions on how to do this, read the document "How to
configure Norton AntiVirus to scan all files":
http://service1.symantec.com/SUPPORT/nav.nsf/docid/19991105132...
4. Run a full system scan.
5. Delete all files that are detected as W32.Myparty@mm or Backdoor.Myparty.
-----------------------------
Write-up by: Douglas Knowles and Eric Chien
====================================================
http://www.symantec.com/downloads/
NORTONS:
Download the latest Certified Virus Definitions for Norton AntiVirus. Ensure
your Norton AntiVirus product contains the most up-to-date detection and
prevention.
Virus Definition Updates:
http://securityresponse.symantec.com/avcenter/download.html
Removal Tools:
http://securityresponse.symantec.com/avcenter/tools.list.html
Renew LiveUpdate Subscription:
http://www.symantec.com/techsupp/subscribe/
Download the latest Security Updates for Enterprise Security Manager,
Intruder Alert, NetProwler and NetRecon. Improve each product's ability to
detect, manage and prevent attacks.
Security Updates:
http://securityresponse.symantec.com/avcenter/download.html
Updates Vault:
http://securityresponse.symantec.com/avcenter/security/Vault.h...
===================================================