...And I'll Cry if I Want To

By Jim Freund | Jan 31, 2002
http://www.enterprisenetworkingplanet.com/netsecur/article.php/965971/And-Ill-Cry-if-I-Want-To.htm

MyParty is the first pervasive virus written in the new year to make the rounds. This particular worm holds no new threat or innovation that we haven't seen before and is fairly easy to contain and remove, but it is fairly infectious and, like all such creatures, can be a nuisance if triggered. Its primary dangers are the usual mass mailing and, more significantly, a payload that includes a back door Trojan.

What to Look For
The virus is most commonly delivered as an e-mail that appears as follows:


Subject: new photos from my party!
Message:
Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

The attachment name is part of the social engineering scheme at play. Some unsuspecting users will associate the extension with a URL, but of course .COM signifies an executable, which will infect the machine if launched.
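The lure above can be caught at the mail gateway without any signature for the worm itself: the subject line is fixed, and an attachment named like a web address that ends in a program extension is suspicious on its face. The following scanner is an added example written for this article, not code from the original piece or from any vendor; the sample message it builds is constructed here, with placeholder bytes in place of the worm, and the extension list and the double-extension check (report.pdf.exe) are generalizations beyond the single .COM case the article describes.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as runnable; the lure relies on ".com" being read as a
# web address rather than a DOS executable. List is an assumption, not from the article.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Subject line used by the MyParty mailing, as quoted in the article.
LURE_SUBJECT = "new photos from my party!"


def classify_attachment(filename):
    """Return None for a harmless name, 'executable' for a plain program, or
    'disguised-executable' when the name also reads like a URL or carries a
    double extension (www.myparty.yahoo.com, report.pdf.exe)."""
    name = filename.strip().lower()
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if name.startswith("www.") or name.count(".") >= 2:
        return "disguised-executable"
    return "executable"


def scan_message(raw_message):
    """Parse a raw RFC 822 message and return (finding, value) pairs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() == LURE_SUBJECT:
        findings.append(("subject", subject))
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        verdict = classify_attachment(filename)
        if verdict:
            findings.append((verdict, filename))
    return findings


def build_sample_lure():
    """Constructed test message reproducing the lure quoted in the article; the
    attachment body is placeholder bytes ('MZ' header only), not the worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content(
        "Hello!\n\nMy party... It was absolutely amazing!\n"
        "I have attached my web page with new photos!\n"
        "If you can please make color prints of my photos. Thanks!\n"
    )
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    return msg.as_string()


if __name__ == "__main__":
    for kind, value in scan_message(build_sample_lure()):
        print(f"{kind}: {value}")
```

Run stand-alone it prints the two findings for the constructed message; in a gateway filter you would call scan_message on each inbound message and quarantine anything that returns a 'disguised-executable' entry regardless of subject, since the subject line changes from variant to variant while the attachment trick does not.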

The Payload
The first part of the payload is already passé. On the dates January 25-29, 2002, the program will attempt to send mail to everyone in your Outlook and Windows address books. An e-mail is also sent to napster@gala.net, presumably for the author(s) to track its course. That message may also include the user's default SMTP server, which will have been gleaned from the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001 on NT-based systems.

Outside of the infection itself, this is not much to worry about, though doubtless some slow e-mail systems or mis-set clocks will provide a straggler or two.

More insidiously, on Windows 2000, NT, and XP systems, on those same dates, the worm can copy itself to the c:\recycled folder as f-[random number]-[random number]-[random number] (no extension). In some variants, it may be copied as c:\recycled\regctrl.exe. Outside of January 25-29, the worm will not stay completely dormant, however. It will instead copy itself to c:\regctrl.exe and place msstask.exe in the Startup folder. This file is a Trojan known as BackDoor, and has several variants. In this case, once running, it will try to connect to http://209.151.250.170 in an attempt to download a command file and take control of the infected machine.

There are some different variants to MyParty which have slightly different behavior patterns outside of the trigger dates. Some remain dormant, but some are deadly. It is best to be vigilant.

Removal
On Windows 9x/ME, start the computer in Safe mode. If running NT/2K/XP, press [Ctrl][Alt][Del] and select Task Manager | Processes. Look to see if msstask.exe is running (and be sure it's not mstask.exe -- a legit Windows program) and if so, end the process.

Now, using your preferred (updated!) anti-virus software, scan the complete system and let it cleanse the machine.
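The removal step hinges on one detail that is easy to get wrong by hand: msstask.exe is the Trojan, mstask.exe is the Windows Task Scheduler, and killing the wrong one on a production box is its own small disaster. The triage helper below is an added example for this article (not the author's or any vendor's tool) that applies the indicators from the Payload and Removal sections to a process list and a file listing: an exact name match for the process, the c:\regctrl.exe and c:\recycled\regctrl.exe paths, the f-number-number-number pattern in c:\recycled, and an msstask.exe in any Startup folder. The process names and paths it scans are constructed sample data, the Startup folder location is an assumption, and the date check reports which branch of the payload to expect on a given day.

```python
import re
from datetime import date

# Indicators as described in the article: the dropped back door, the legitimate
# Windows Task Scheduler binary it is named to resemble, and the files the worm
# writes outside its trigger dates.
TROJAN_PROCESS = "msstask.exe"
LEGIT_LOOKALIKE = "mstask.exe"
DROPPED_FILES = {r"c:\regctrl.exe", r"c:\recycled\regctrl.exe"}
# c:\recycled\f-<number>-<number>-<number>, with no extension
RECYCLED_COPY = re.compile(r"^c:\\recycled\\f-\d+-\d+-\d+$")
# Dates on which the mass-mailing branch of the payload runs
TRIGGER_START, TRIGGER_END = date(2002, 1, 25), date(2002, 1, 29)


def suspicious_processes(process_names):
    """Exact, case-insensitive match on the Trojan name only: mstask.exe is a
    legitimate Windows process and must not be terminated by mistake."""
    return [p for p in process_names if p.lower() == TROJAN_PROCESS]


def suspicious_files(paths):
    """Flag dropped copies by full path, the recycled-folder pattern, and any
    msstask.exe sitting in a Startup folder (folder name is an assumption)."""
    hits = []
    for path in paths:
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        if low in DROPPED_FILES or RECYCLED_COPY.match(low):
            hits.append(path)
        elif basename == TROJAN_PROCESS and "\\startup\\" in low:
            hits.append(path)
    return hits


def in_trigger_window(iso_day):
    """True on the January 25-29, 2002 dates when the worm mass-mails instead of
    dropping the back door."""
    return TRIGGER_START <= date.fromisoformat(iso_day) <= TRIGGER_END


def triage(process_names, paths, iso_day):
    """Summarize what to kill, what to remove, and which payload branch applies."""
    return {
        "kill": suspicious_processes(process_names),
        "remove": suspicious_files(paths),
        "mass_mailing_expected": in_trigger_window(iso_day),
    }


# Constructed sample inventory of a suspect machine (not real forensic data).
SAMPLE_PROCESSES = ["explorer.exe", "mstask.exe", "OUTLOOK.EXE", "MSSTASK.EXE"]
SAMPLE_PATHS = [
    r"C:\WINNT\system32\mstask.exe",
    r"C:\regctrl.exe",
    r"C:\recycled\regctrl.exe",
    r"C:\recycled\f-1734-88120-5",
    r"C:\recycled\f-12-34",
    r"C:\Documents and Settings\user\Start Menu\Programs\Startup\msstask.exe",
    r"C:\Documents and Settings\user\My Documents\photos.jpg",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PROCESSES, SAMPLE_PATHS, "2002-01-31")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that the legitimate system32\mstask.exe and the two-number f-12-34 file are left alone: the whole point of scripting the check is that it never confuses the lookalike names the way a tired operator reading Task Manager might.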

Prevention
As always, make sure you have the latest anti-viral signatures, security patches, and have altered Windows, Outlook, and Outlook Express' default behavior so as not to launch files automatically, and be sure to educate your users about attachments. (For more discussion on that topic, see Dealing With Network Security Scofflaws.)

Interestingly, the virus will remain mostly dormant if your keyboard settings are set to Russian characters, so one other (but less productive) protection would be to get out your language translation book...

Ne pooha ne perha! (Good luck!)

--
Jim Freund is the Managing Editor of CrossNodes.