LHRIC Technical Services

Virus Central - Detailed

Virus Information


Name:

W32/MyParty

Aliases:

W32/MyParty-A, W32/Myparty@mm, W32.Myparty@mm, WORM_MYPARTY.A, Win32.MyParty, I-Worm.Myparty

Type:

Trojan Horse, Worm

Discovery Date:

January 28, 2002

Detection:

 

Virus Description:

This is a new worm that sends itself to the addresses in the Windows address book and the Outlook address book. The worm uses a static attachment name of "www.myparty.yahoo.com" (without the quotes). Users unwittingly double-click on the attachment thinking it is a URL, when it is in fact a .com executable. The worm uses a static Subject and message body.

In addition, the worm sends a message to the author so that the author can track the worm. On NT/2000/XP systems, the worm drops a backdoor Trojan that allows a hacker to control your system. NAV will detect this as Backdoor.Myparty.

Finally, if the file name of the worm is Access.<any extension>, it may launch your Web browser to http://www.disney.com. However, the worm does not contain code which can generate a file with the name Access.<any extension>, so it is highly unlikely that this will trigger. (See Virus Effects.)

E-mail Subject:

new photos from my party!

E-mail Body:

Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment:

The attachment is 29,696 bytes in size. It does not contain an icon, thus the icon appears to be an MS-DOS box/program in those mail clients that display the attachment's icon.

Virus Effects:

The worm has its own SMTP engine and uses the SMTP settings found at this registry key to send itself: HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001

When it is executed, the worm first checks the date. If the computer date is not between January 25 and 29, 2002, or if the keyboard settings are set to Russian, the worm copies itself to:

C:\Recycled-F-<random digits>-<random digits>-<random digits>

and exits. Otherwise, the worm continues.

The worm next checks its own file name, and performs different actions depending on the file name or extension:

  • If the file name is "Access", the worm attempts to launch your Web browser to
    http://www.disney.com and exits. However, the worm does not contain code which can
    generate a file with the name Access.<any extension>, so it is highly unlikely that
    this will trigger.

  • If the file name has a .com extension, the worm copies itself to one of the following
    locations:
    C:\Regctrl.exe (Windows NT/2000/XP)
    C:\Recycled\Regctrl.exe (Windows 95/98/Me)

    and then executes the Regctrl.exe file.

  • If the file name has a .exe extension such as Regctrl.exe, the worm begins its
    propagation routine:

    1. The worm searches the Windows address book that is used by Microsoft Outlook and
       Outlook Express, and files with the extension .dbx in the Microsoft Outlook Express
       folder, for email addresses. (The .dbx files are Microsoft Outlook Express folders
       and inboxes.)
    2. The worm sends itself to these email addresses using its own SMTP engine. The worm
       uses the default SMTP server address that is configured on the computer. The From:
       address is set to your email address.
    3. On Windows NT/2000/XP computers the worm creates a backdoor Trojan:

       %Windows%\Start Menu\Programs\Startup\msstask.exe

       so that it is executed when you start Windows. This backdoor Trojan contacts a Web
       page at 209.151.250.170, which allows the author to have access to the computer.
       Depending on the contents of the Web page, the backdoor will perform different
       actions.

The worm also sends an e-mail to napster@gala.net, possibly so that the virus author can track its spread.
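Detection logic for the indicators above, added here as an illustration and not part of the LHRIC advisory: it flags a message carrying the advisory's subject line and attachment name (and, as a generalisation, any attachment named like a web address but ending in the executable extension .com), and filters a list of file paths down to the drop locations listed under Virus Effects. The sample message is constructed, the attachment is inert zero bytes, and parsing uses only Python's standard library.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators quoted from the advisory above.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
MYPARTY_SIZE = 29_696
# Generalised lure: web-address-looking name with executable extension .com (assumption).
URL_LIKE_COM = re.compile(r"(www\.)?[\w-]+(\.[\w-]+)*\.com", re.I)
# Drop locations listed under "Virus Effects" (Windows paths, matched case-insensitively).
HOST_ARTIFACT_PATTERNS = [
    re.compile(r"^C:\\Recycled-F-\d+-\d+-\d+$", re.I),                    # date/locale bail-out copy
    re.compile(r"^C:\\(Recycled\\)?Regctrl\.exe$", re.I),                 # relaunch copy
    re.compile(r"\\Start Menu\\Programs\\Startup\\msstask\.exe$", re.I),  # NT/2000/XP backdoor
]

def classify_message(raw: str) -> dict:
    """Return which MyParty indicators an RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("Subject", "").strip().lower() == MYPARTY_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == MYPARTY_ATTACHMENT:
            hits.append("attachment-name")
        elif URL_LIKE_COM.fullmatch(name):
            hits.append("url-like-.com-attachment")
        if len(part.get_payload(decode=True) or b"") == MYPARTY_SIZE:
            hits.append("attachment-size")
    return {"myparty": "subject" in hits and "attachment-name" in hits, "indicators": hits}

def find_host_artifacts(paths):
    """Keep only the paths that match the worm's known drop locations."""
    return [p for p in paths if any(rx.search(p) for rx in HOST_ARTIFACT_PATTERNS)]

def build_sample(subject: str, filename: str, size: int) -> str:
    """Constructed test message; inert zero bytes stand in for the attachment."""
    m = MIMEMultipart()
    m["Subject"] = subject
    m.attach(MIMEText("Hello!\n\nMy party... It was absolutely amazing!\n"))
    att = MIMEApplication(b"\x00" * size, Name=filename)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    m.attach(att)
    return m.as_string()
```

A mail gateway would call classify_message on each inbound message and quarantine on "myparty" or on the generalised lure hit; find_host_artifacts is meant to run over a file listing gathered from a suspect machine.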

Removal Instructions:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan.

4. Delete all files that are detected as W32.Myparty@mm or Backdoor.Myparty.


Site Last Updated: January 29, 2002
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).