THIS IS REAL. It's spreading like crazy too. I am sys admin for a web hosting firm & I've seen a lot of it in the past few days.

----- Original Message -----
From: "Edwin Jeffords" <[EMAIL PROTECTED]>
To: "'NDB'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 29, 2002 6:38 PM
Subject: RE: [etrade] VIRUS alert....I hate these things but its real
> I got this virus this morning, but Norton saved my computer from letting
> me open it...IT IS REAL
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of NDB
> Sent: Tuesday, January 29, 2002 6:33 PM
> To: etree
> Cc: etrade
> Subject: [etrade] VIRUS alert....I hate these things but its real
>
> If I had not rec'd three infected emails in the last 10 mins I would say
> BULLSHIT to the virus alert.....but I have rec'd three emails and they
> were all the same virus from different people on THIS LIST!
>
> Here is the dealio:
>
> Virus Name: W32/Myparty.a@MM
> Risk Assessment: Medium
> Origin: Russia
> Length: 29,696 bytes
> Type: Virus
> SubType: E-mail
> DAT Required: 4184
> Virus Characteristics:
> Due to the number of samples AVERT received Sunday night, an EXTRA.DAT has
> been posted. AVERT continues to monitor the prevalence of this threat.
> This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on
> WindowsNT/2K/XP systems. The worm itself carries no destructive payloads. It
> arrives in an email message containing the following information:
> Subject: new photos from my party!
> Body: Hello!
> My party... It was absolutely amazing!
> I have attached my web page with new photos!
> If you can please make color prints of my photos. Thanks!
> Attachment: www.myparty.yahoo.com (29,696 byte PE file)
> The attachment name may trick some users into thinking that if they click on
> the file, they will be taken to a Yahoo website. Certain email clients,
> especially those that underline the filename, may make this attachment
> appear more like a URL than the above Microsoft Outlook example which is
> more clearly distinguishable. The attachment is an executable file with a
> .COM extension, not a URL. Running the attachment infects the local machine.
> On Windows9x/ME
> If the date is between January 25-29, 2002, the virus copies itself to
> C:\Recycled\regctrl.exe and executes that file.
> On WinNT/2K/XP
> If the date is not between January 25-29, 2002, the worm copies itself to
> C:\Recycled as F-[random number]-[random number]-[random number] with no
> extension.
> If the date is between January 25-29, 2002, the worm copies itself to
> C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder.
> MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is
> deleted. If the executable's filename is ACCESS, the user is directed to the
> www.disney.com website.
> This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29,
> 2002. The user's default SMTP server is retrieved from the registry:
> HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
> The virus uses this SMTP server to send itself out to all addresses found in
> the Windows Address Book and addresses found within .DBX files.
> Indications Of Infection:
> Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from
> within Windows)
> Presence of C:\REGCTRL.EXE
> Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe
> Method Of Infection:
> Executing an infected attachment causes the worm to email itself to
> addresses found on the system.
> Removal Instructions:
> --- Update 1/28/2002 ---
> This EXTRA.DAT is the 2nd release, to include detection for the .B variant,
> as well as the dropped BackDoor.
> The following EXTRA.DAT packages are available.
> EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT,
> NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network
> Associates\VirusScan Engine\4.0.xx)
> SUPER EXTRA.DAT - self installs
> Detection is included in our DAILY DAT (beta) files and will also be
> included in the next weekly DAT release. In addition to the DAT version
> requirements for detection, the specified engine version (or greater) must
> also be used.
> Additional Windows ME Info:
> NOTE: Windows ME utilizes a backup utility that backs up selected files
> automatically to the C:\_Restore folder. This means that an infected file
> could be stored there as a backup file, and VirusScan will be unable to
> delete these files. These instructions explain how to remove the infected
> files from the C:\_Restore folder.
> Disabling the Restore Utility
> 1. Right click the My Computer icon on the Desktop, and choose Properties.
> 2. Click on the Performance Tab.
> 3. Click on the File System button.
> 4. Click on the Troubleshooting Tab.
> 5. Put a check mark next to "Disable System Restore".
> 6. Click the Apply button.
> 7. Click the Close button.
> 8. Click the Close button again.
> 9. You will be prompted to restart the computer. Click Yes.
> NOTE: The Restore Utility will now be disabled.
> 10. Restart the computer in Safe Mode.
> 11. Run a scan with VirusScan to delete all infected files, or browse the
> files located in the C:\_Restore folder and remove the files.
> 12. After removing the desired files, restart the computer normally.
> NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
> remove the check mark next to "Disable System Restore". The infected files
> are removed and the System Restore is once again active.
> Aliases:
> I-Worm.Myparty (AVP), MyParty (F-Secure), W32.Myparty@mm (NAV),
> W32/MyParty-A (Sophos), W32/Myparty@MM, W32/Myparty@MM (Panda),
> Win32.MyParty (CA), Win32.MyParty.A (AVX), WORM_MYPARTY.A (Trend)
> Variants:
> Name              Type    Sub Type   Differences
> W32/Myparty.b@MM  Virus   Win32      - Only spreads between January 20 - 24, 2002
>                                      - Attachment name: myparty.photos.yahoo.com (28,160 bytes)
> Related Viruses:
> BackDoor-AAF
> _______________________________________________
> etrade mailing list <[EMAIL PROTECTED]>
> http://mail.etree.org/mailman/listinfo/etrade
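The advisory's key point for a mail administrator is the lure itself: an attachment named like a web address whose ".com" is really the DOS executable extension, with a fixed subject line. The following is an added example (not from the advisory, the list, or any vendor) of a gateway-side check that flags exactly that pattern on a constructed sample message; the addresses are hypothetical and the attachment bytes are a harmless "MZ" stub, not the worm.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure traits quoted in the advisory above. ".com" here is the DOS executable
# extension, so "www.myparty.yahoo.com" looks like a URL but names a program.
MYPARTY_SUBJECT = "new photos from my party!"
URL_LIKE_EXECUTABLE = re.compile(
    r"^(www\.)?[\w-]+(\.[\w-]+)*\.(com|exe|scr|pif|bat)$", re.IGNORECASE)


def is_mz_executable(data: bytes) -> bool:
    """True if the payload carries the 'MZ' header of a DOS/PE executable."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons an inbound message matches the Myparty lure (empty if clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if (msg.get("Subject") or "").strip().lower() == MYPARTY_SUBJECT:
        findings.append("subject matches the Myparty lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Name looks like a host name, but the content is an executable: flag it.
        if URL_LIKE_EXECUTABLE.match(name) and is_mz_executable(payload):
            findings.append(f"attachment {name!r} looks like a URL but is an "
                            f"MZ executable ({len(payload)} bytes)")
    return findings


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message (hypothetical addresses; payload is a stub, not malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hello!\nMy party... It was absolutely amazing!\n")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return bytes(msg)


# Constructed samples: the lure shape from the advisory, and a benign JPEG attachment.
LURE = build_sample("new photos from my party!", "www.myparty.yahoo.com", b"MZ" + b"\x00" * 62)
BENIGN = build_sample("party photos", "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, scan_message(raw) or ["no findings"])
```

The same name check also matches the .B variant's attachment name (myparty.photos.yahoo.com) given in the Variants table, since it keys on the executable extension rather than on one filename.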
