| Description:
|
Details
I-Worm.MyLife.b
MyLife is a family of worms (different versions) spreading through the Internet as infected email attachments. The worms themselves are Windows PE EXE files, written in Visual Basic and compressed by the UPX file compression utility.
The worm is activated only if users click on the attachment. Once executed, MyLife installs itself into the system and runs its spreading routine.
When MyLife is launched for the first time it shows either a window with a picture or message, which one depends on the particular version.
Two possible MyLife pictures:
While installing this worm copies itself to the Windows System directory and registers this copy (file) in the system registry auto-run key.
MyLife uses Microsoft Outlook to send messages to all addresses found in the Microsoft Outlook Address Book.
File size : about 11Kb.
Decompressed file size : about 32Kb.
Email content:
Subject:
bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? Ok
buy
========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------
Attachment name: cari.scr
File name in the infected system:
%SystemDir%cari.scr
Affected registry key:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
win=%SystemDir%cari.scr
Visual effect: when MyLife is launched for the first time, it displays a window with a picture. When this window is closed the worm runs its payload.
Payload: MyLife checks the current date, if the current hour value is equal to 8, the worm executes its payload routine:
MyLife deletes all files with the extensions .SYS in the Windows directory, files with the extensions .SYS, .VXD, .OCX, .NLS in the Windows System directory and all files in the C:, D:, E: and F: root directories. |
