...And I'll Cry if I Want To

It's MyParty -- the first pervasive virus written in the new year to make the rounds. While the trigger date has passed, the Trojan/worm can still cause quite a hangover if you're not prepared. We tell you what to look for, what the symptoms are, what the payload will do, and how to remove the malicious program from your system.

By  Jim Freund | Jan 31, 2002

MyParty is the first pervasive virus of the new year to make the rounds. This particular worm holds no new threat or innovation that we haven't seen before and is fairly easy to contain and remove, but it is quite infectious and, like all such creatures, can be a nuisance if triggered. Its primary dangers are the usual mass mailing and, more significantly, a payload that includes a back door Trojan.

What to Look For
The virus is most commonly delivered as an e-mail that appears as follows:


Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

The attachment name is part of the social engineering scheme at play. Some unsuspecting users will associate the extension with a URL, but of course .COM signifies an executable, which will infect the machine if launched.

The Payload
The first part of the payload is already passé. From January 25 through 29, 2002, the program will attempt to send mail to everyone in your Outlook and Windows address books. An e-mail is also sent to napster@gala.net, presumably so the author(s) can track its spread. That message may also include the user's default SMTP server, which will have been gleaned from the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001 on NT-based systems.

Outside of the infection itself, this is not much to worry about, though doubtless some slow e-mail systems or mis-set clocks will provide a straggler or two.

More insidiously, on Windows 2000, NT, and XP systems, on those same dates, the worm can copy itself to the c:\recycled folder as f-[random number]-[random number]-[random number] (no extension). In some variants, it may be copied as c:\recycled\regctrl.exe. Outside of January 25-29, however, the worm does not stay completely dormant. It will instead copy itself to c:\regctrl.exe and place msstask.exe in the Startup folder. This file is a Trojan known as BackDoor, which has several variants. In this case, once running, it will try to connect to http://209.151.250.170 in an attempt to download a command file and take control of the infected machine.

There are some different variants to MyParty which have slightly different behavior patterns outside of the trigger dates. Some remain dormant, but some are deadly. It is best to be vigilant.
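A small host-sweep check built from the file locations the article names, added here as an example and not part of the original article. The match rules (the f-digits-digits-digits shape, the Startup folder marker, the sample listing) are my own assumptions for illustration.

```python
import re
from typing import Dict, Iterable, Optional
from pathlib import PureWindowsPath

# Indicators taken from the article (detection rules are hypothetical, not the article's):
#   c:\recycled\f-<n>-<n>-<n>      no extension, dropped during the trigger dates
#   c:\recycled\regctrl.exe        some variants
#   c:\regctrl.exe                 outside the trigger dates
#   msstask.exe in a Startup folder (the BackDoor Trojan component)
RECYCLED_DROP = re.compile(r"^f-\d+-\d+-\d+$", re.IGNORECASE)
STARTUP_MARKER = "start menu\\programs\\startup"  # assumed Startup folder path fragment


def classify(path: str) -> Optional[str]:
    """Return an indicator label if the path matches a MyParty artifact, else None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    name = p.name.lower()
    if parent == "c:\\recycled" and RECYCLED_DROP.match(name):
        return "recycled-drop"
    if name == "regctrl.exe" and parent in ("c:\\", "c:\\recycled"):
        return "regctrl-copy"
    if name == "msstask.exe" and STARTUP_MARKER in parent:
        return "backdoor-startup"
    return None


def scan(paths: Iterable[str]) -> Dict[str, str]:
    """Return {path: label} for every path in a file listing that matches an indicator."""
    hits = {}
    for path in paths:
        label = classify(path)
        if label:
            hits[path] = label
    return hits


# Constructed sample file listing (not real data), mixing hits and benign paths.
SAMPLE = [
    r"C:\recycled\f-1234-567-89",
    r"C:\recycled\regctrl.exe",
    r"C:\regctrl.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\msstask.exe",
    r"C:\recycled\f-12-34",              # wrong shape, not an indicator
    r"C:\Windows\system32\regctrl.exe",  # not a location the article names
    r"C:\recycled\INFO2",                # normal Recycle Bin bookkeeping file
]

if __name__ == "__main__":
    for path, label in scan(SAMPLE).items():
        print(f"{label:18} {path}")
```

Feed it a real directory listing (for example the output of a recursive dir) to triage a suspect machine; a hit on any rule warrants a full antivirus scan rather than just deleting the file.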
