A new worm called W32.Myparty@mm is currently propagating itself through the use of e-mail addresses in the Windows Address Book (WAB) and the Outlook Express Database (DBX). According to Trend Micro, the subject of the e-mail generated by this worm reads “new photos from my party!” and the message will contain an attachment called www.myparty.yahoo.com—a bogus URL that is not a valid format for a Yahoo Web site.
A news report from Newsbytes’ Moscow Bureau includes comments from Denis Zenkin at Kaspersky Labs indicating that his company sees a lot of users being tricked into clicking on the attachment because of its unusual name, which masquerades as a Web site rather than a file.
However, it really is a file, and that naming trick is the most distinctive aspect of this worm. It may slip through many virus filters (at least those without the latest signatures) because few, if any, companies configure their antivirus software to block attachments with a .com extension. The worm also carries its own self-contained SMTP engine for propagation, which could let it bypass some antivirus systems as well.
A dangerous payload is associated with this worm, according to Kaspersky Labs, which says that the worm also installs a back door on NT, XP, and Win2K systems. Symantec confirms this:
“On Windows NT/2000/XP computers, the worm creates a backdoor Trojan:
so that it is executed when you start Windows. This backdoor Trojan contacts a Web site at 188.8.131.52, which allows the author of the worm to have access to the local computer. Depending on the contents of the Web site, the back door will perform different actions.”
The worm has a built-in installation time limit of January 25–29. The trigger is good only for 2002.
The Symantec report on this worm indicates that the attachment size is 29,629 and that the threat is low despite the high distribution, but the same Web site has also identified a variant named W32.Myparty.B@mm with a file length of 28,160. A strange thing about this variant is that it has an earlier trigger date, Jan. 20–24, 2002.
Symantec’s Security Response Team says that the body of the message from this version of the worm reads:
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
This worm appears to have originated in Russia or one of the former Soviet republics because in addition to checking the date, it also checks to see whether Russian language support is enabled for the PC. It isn’t clear from early reports whether both conditions must exist or whether the MyParty worm activates if either condition exists. According to Symantec, if the PC’s internal clock date is outside the trigger dates, the worm copies itself to:
C:\Recycled-F-<random digits>-<random digits>-<random digits>
This is a rather strange attack since the worm wasn’t found in the wild until after the trigger date and doesn’t appear to have been launched until close to that date. Because it will trigger only in 2002, it seems a bit silly to record a copy on the attacked system, thus warning people they were vulnerable.
This may well have been released more as a script kiddie “class project” or some other sort of experiment. The worm sends a tracking message in the form of a blank e-mail, presumably to the author, at firstname.lastname@example.org.
Clearly, you never want a worm residing on your system because of the unpredictable nature of these little beasts. Thus, even if you are running Windows 9x (which is not susceptible to the back door), you need to update your antivirus software signature file to avoid getting this worm. You can use Trend Micro’s free virus scan link to check for the presence of the file on your systems.