


 
I-Worm.MyPics. Viruses Information

Name: I-Worm.MyPics.
Category: Viruses
Description: Details
I-Worm.MyPics.a

This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 35 KB in length, written in Visual Basic. The worm is transferred via the Net in e-mail messages with an infected attachment, the EXE file "Pics4you.exe". The infected messages have no subject, and the message body contains the following text:
Here's some pictures for you !

The worm seems to be based on the Melissa macro-virus-worm - the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source (see also I-Worm.BadAss worm description).
When an infected message is received and the attached EXE file is executed, the worm gains control, stays in Windows memory as a MYPICS application (visible in TaskList), and runs its infection and trigger routines.
The infection routine opens the Outlook database, obtains e-mail addresses from the Address Book, and sends infected messages to the addresses found. The worm does not send messages twice from the same computer. To avoid duplicate spreading, the worm creates a system registry key, and checks it upon each start:
HKEY_CURRENT_USER\Software\Microsoft\Office "jpgs2?" = "all by sfkwnty"

The worm also creates a copy of itself in the root of the C: drive with the name "C:\Pics4You.exe" and registers it in the auto-run section of the system registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Creative" = "C:\Pics4You.exe"
SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run "Creative" = "C:\Pics4You.exe"

The worm also changes the default Web page by modifying the system registry key:
Software\Microsoft\Internet Explorer\Main
"Start Page" = http://www.geocities.com/SiliconValley/Vista/8279/index.html

The worm has a very dangerous payload routine. In 2000, it overwrites the C:\AUTOEXEC.BAT file with two commands that format the C: and D: drives. The worm also creates and runs the C:\CBIOS.COM file, which corrupts CMOS memory (erases the CMOS CRC field).
Other MyPics variants
There are several variants of this worm known at the moment:
"MyPics.b" aka "ICQ_Greetings"
"MyPics.c" aka "Video"

These worms are based on the original "MyPics", and they were very likely written using the same source code. The differences are as follows (the original "MyPics" texts are also included):
Infected message subject:
"MyPics.a": Here's some pictures for you !
"MyPics.b": Season's Greetings
"MyPics.c": Here's a digital video for you

The file name of the worm copy in the attachment and on the C: drive:
"MyPics.a": C:\Pics4You.exe
"MyPics.b": c:\Icq_Greetings.exe
"MyPics.c": C:\Zip01.exe

Registry ID-key (HKEY_CURRENT_USER\Software\Microsoft\Office key):
"MyPics.a": "jpgs2?" = "... by sfkwnty"
"MyPics.b": "ppll1?" = "... by diejkdls"
"MyPics.c": "ppll1?" = "... by diejkdls"

The trigger routines are also different. "MyPics.b" resets the system settings:
"RegisteredOwner" = Mike Carmody
"RegisteredOrganization" = 2034 Langley Ct. Holloman Afb, NM 88330

"MyPics.b" in 2000 calls disk formatting instructions:
format d: /autotest /q /u
format e: /autotest /q /u
format a: /autotest /q /u
format f: /autotest /q /u
format u: /autotest /q /u
format b: /autotest /q /u

"MyPics.b" in 2000, and "MyPics.c" on the 17th of any month, delete all files matching the following masks:
c:\*.c*
d:\*.c*
c:\WinNt\System\*.c*
c:\WinNt4\System\*.c*
c:\Windows\System\*.c*
c:\WinNt\System\*.o*
c:\WinNt4\System\*.o*
c:\Windows\System\*.o*
c:\WinNt\*.i*
c:\WinNt4\*.i*
c:\Windows\*.i*
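
The registry ID-key names and dropped file names listed above can be checked against a registry export. The following is an added example, not part of the original description: it parses a regedit text export and reports which variant the traces point to. The sample export, its value data and the autorun value name in it are constructed.

```python
import re

# Indicators from the variant comparison on this page (compared case-insensitively).
MARKER_KEY = r"hkey_current_user\software\microsoft\office"
MARKERS = {"jpgs2?": {"MyPics.a"}, "ppll1?": {"MyPics.b", "MyPics.c"}}
DROPPED = {r"c:\pics4you.exe": "MyPics.a", r"c:\icq_greetings.exe": "MyPics.b",
           r"c:\zip01.exe": "MyPics.c"}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and "

def parse_reg(text):
    """Yield (key, value_name, string_data) from a regedit text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def scan(text):
    """Return (kind, candidate_variants, key, value_name) for each trace."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == MARKER_KEY and name.lower() in MARKERS:
            findings.append(("infection-marker", MARKERS[name.lower()], key, name))
        elif k.endswith("\\run") and data.lower() in DROPPED:
            findings.append(("autorun", {DROPPED[data.lower()]}, key, name))
    return findings

def likely_variants(findings):
    """Intersect candidates so the autorun path separates .b from .c;
    fall back to the union if the traces disagree (mixed infections)."""
    sets = [f[1] for f in findings]
    return (set.intersection(*sets) or set.union(*sets)) if sets else set()

# Constructed sample export; value data and the autorun value name are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office]
"ppll1?"="constructed marker data"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConstructedName"="C:\\Zip01.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''
```

Regedit writes version 5.00 exports as UTF-16, so decode the file with that encoding before passing its text to scan().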





 


© 2006-2008 spyware32.com - Privacy Policy