...And I'll Cry if I Want To
It's MyParty -- the first pervasive virus written in the new year to make the rounds. While the trigger date has passed, the Trojan/worm can still cause quite a hangover if you're not prepared. We tell you what to look for, what the symptoms are, what the payload will do, and how to remove the malicious program from your system.
MyParty is the first pervasive virus written in the new year to make the rounds This particular worm doesn't hold any new threat or innovation that we haven't seen before, is fairly easy to contain and remove, but it is fairly infectious and like all such creatures, can be a nuisance if triggered. Its primary dangers are the usual mass mailing, and more significantly, a payload which includes a back door Trojan.
What to Look For
The virus is most commonly delivered as an e-mail that appears as follows:
Subject: new photos from my party! Message: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! Attachment: www.myparty.yahoo.com
The attachment name is part of the social engineering scheme at play. Some unsuspecting users will associate the extension with an URL, but of course .COM signifies an executable, which will infect the machine if launched.
The first part of the payload is already passé. From the dates January 25-29, 2002, the program will attempt to send mail to everyone in your Outlook and Windows address books. An e-mail is also sent to firstname.lastname@example.org, presumably for the author(s) to track its course. This may also include the user's default SMTP server, which will have been gleaned from the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001 on NT-based systems.
Outside of the infection itself, this is not much to worry about, though doubtless some slow e-mail systems or mis-set clocks will provide a straggler or two.
More insidiously, on Windows 2000, NT, and XP systems, on those same dates, the worm can copy itself to the c:\recycled folder as f-[random number]- [random number]- [random number]. (No extension.) In some variants, it may be copied as c:\recycled\regctrl.exe. Outside of January 25-29, the worm will not stay completely dormant, however. It will instead copy itself to c:\regctrl.exe, and place msstask.exe in the startup folder. This file is a Trojan know as BackDoor, and has several variants. In this case once running it will try to connect to http://220.127.116.11 in an attempt to download the command file and take control of the infected machine.
There are some different variants to MyParty which have slightly different behavior patterns outside of the trigger dates. Some remain dormant, but some are deadly. It is best to be vigilant.