


 
I-Worm.MyLife. Viruses Information

Name: I-Worm.MyLife.
Category: Viruses
Description: Details
I-Worm.MyLife.a

MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time, it shows a window with either a picture or a message, depending on the particular version.
[Figure: two possible MyLife pictures]
During installation, the worm copies itself to the Windows System directory and registers this copy in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size: about 30Kb.
Decompressed file size: about 55Kb.
Email content:
Subject:
my life ohhhhhhhhhhhhh
Body:
Hiiiii
How are youuuuuuuu?
look to the digital picture it's my love
vvvery verrrry ffffunny :-)
my life = my car
my car = my house

Attachment name:
"My Life.scr"
File name in the infected system:
"My Life.scr"
Affected registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
stmgr=%SystemDir%\My Life.scr

%SystemDir% is the Windows System directory.
Visual effect:
When the worm is launched for the first time, it displays a window with a picture. When this window is closed, the worm runs the payload.
Payload:
MyLife checks the current date; if the current minute value is more than 45, it executes its payload routine:
It deletes files with the extensions .SYS and .COM in the C:\ root directory, files with the extensions .COM, .SYS, .INI, .EXE in the Windows directory, and files with the extensions .SYS, .VXD, .EXE, .DLL in the Windows System directory.
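
A defender-side check built from the indicators listed above (subject line, attachment name, auto-run entry), added here as an example and not part of the original description. The function names and the constructed sample message are assumptions; Run-key values are passed in as a name-to-data mapping exported by whatever tool reads the registry.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the description above (compared case-insensitively).
SUBJECT = "my life ohhhhhhhhhhhhh"
FILE_NAME = "my life.scr"
RUN_VALUE = "stmgr"

def check_message(raw):
    """Return the indicators matched by a raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == FILE_NAME:
            hits.append("attachment-name")
        elif name.endswith(".scr"):
            # Generic rule: .scr screen savers are ordinary PE executables.
            hits.append("scr-attachment")
    return hits

def check_run_key(values):
    """values: {value name: data} read from HKCU\\...\\CurrentVersion\\Run.
    Returns the value names that match the worm's auto-run entry."""
    hits = []
    for name, data in values.items():
        target = data.strip().strip('"').lower()
        if name.lower() == RUN_VALUE or target.endswith("\\" + FILE_NAME):
            hits.append(name)
    return hits

def sample_message(subject, filename):
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "rcpt@example.test"
    m["Subject"] = subject
    m.set_content("Hiiiii")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(check_message(sample_message("my life ohhhhhhhhhhhhh", "My Life.scr")))
    print(check_run_key({"stmgr": r"C:\WINDOWS\SYSTEM\My Life.scr"}))
```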





 


© 2006-2008 spyware32.com - Privacy Policy