If I had not rec'd three infected emails in the last 10 mins I would say
BULLSHIT to the virus alert.....but I have rec'd three emails and they were
all the same virus from different people on THIS LIST!

Here is the dealio:

Virus Name: W32/Myparty.a@MM
Risk Assessment: Medium
Origin: Russia
Length: 29,696 bytes
Type: Virus
SubType: E-mail
DAT Required: 4184
Virus Characteristics:
Due to the number of samples AVERT received Sunday night, an EXTRA.DAT has
been posted. AVERT continues to monitor the prevalence of this threat.
This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on
WindowsNT/2K/XP systems. The worm itself carries no destructive payloads. It
arrives in an email message containing the following information:
  Subject: new photos from my party!
  Body: Hello!
        My party... It was absolutely amazing!
        I have attached my web page with new photos!
        If you can please make color prints of my photos. Thanks!
  Attachment: www.myparty.yahoo.com (29,696 byte PE file)
The attachment name may trick some users into thinking that if they click on
the file, they will be taken to a Yahoo website. Certain email clients,
especially those that underline the filename, may make this attachment
appear more like a URL than the above Microsoft Outlook example which is
more clearly distinguishable. The attachment is an executable file with a
.COM extension, not a URL. Running the attachment infects the local machine.
On Windows9x/ME:
If the date is between January 25-29, 2002, the virus copies itself to
C:\Recycled\regctrl.exe and executes that file.
On WinNT/2K/XP:
If the date is not between January 25-29, 2002, the worm copies itself to
C:\Recycled as F-[random number]-[random number]-[random number] with no
extension.
If the date is between January 25-29, 2002, the worm copies itself to
C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder.
MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is
deleted. If the executable's filename is ACCESS, the user is directed to the
www.disney.com website.
This virus only attempts to massmail itself on January 25, 26, 27, 28 or 29,
2002. The user's default SMTP server is retrieved from the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
The virus uses this SMTP server to send itself out to all addresses found in
the Windows Address Book and addresses found within .DBX files.
Indications Of Infection:
Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from
within Windows)
Presence of C:\REGCTRL.EXE
Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe
Method Of Infection:
Executing an infected attachment causes the worm to email itself to
addresses found on the system.
Removal Instructions:
--- Update 1/28/2002 ---
This EXTRA.DAT is the 2nd release, to include detection for the .B variant,
as well as the dropped BackDoor.
The following EXTRA.DAT packages are available.
EXTRA.DAT - should be extracted to the same directory where CLEAN.DAT,
NAMES.DAT, and SCAN.DAT are (typically C:\Program Files\Common Files\Network
Associates\VirusScan Engine\4.0.xx)
SUPER EXTRA.DAT - self installs
Detection is included in our DAILY DAT (beta) files and will also be
included in the next weekly DAT release. In addition to the DAT version
requirements for detection, the specified engine version (or greater) must
also be used.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file
could be stored there as a backup file, and VirusScan will be unable to
delete these files. These instructions explain how to remove the infected
files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the
files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected files
are removed and the System Restore is once again active.
Aliases:
I-Worm.Myparty (AVP), MyParty (F-Secure), W32.Myparty@mm (NAV),
W32/MyParty-A (Sophos), W32/Myparty@MM, W32/Myparty@MM (Panda),
Win32.MyParty (CA), Win32.MyParty.A (AVX), WORM_MYPARTY.A (Trend)
Variants:
Name: W32/Myparty.b@MM
Type: Virus
Sub Type: Win32
Differences:
- Only spreads between January 20 - 24, 2002
- Attachment name: myparty.photos.yahoo.com (28,160 bytes)
Related Viruses:
BackDoor-AAF
_______________________________________________
etrade mailing list <[EMAIL PROTECTED]>
http://mail.etree.org/mailman/listinfo/etrade
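
Added example, not part of the original post or the AVERT advisory: a mail-filter check for the disguise described above, where an attachment named like a web address (www.myparty.yahoo.com) is really a .COM executable. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# ".com" is both a DOS executable extension and a TLD. Three or more
# dot-separated labels ending in "com" read as a hostname to the user.
HOSTNAME_LIKE_COM = re.compile(r"^(?:[a-z0-9-]+\.){2,}com$")

def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons (possibly none) to quarantine one attachment."""
    name = filename.strip().lower()
    ext = os.path.splitext(name)[1]
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if HOSTNAME_LIKE_COM.match(name):
            reasons.append("filename-looks-like-hostname")
    if payload[:2] == b"MZ":  # DOS/PE executables begin with "MZ"
        reasons.append("mz-header")
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename in a raw message to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reasons = classify_attachment(filename, part.get_payload(decode=True) or b"")
            if reasons:
                findings[filename] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed message: harmless bytes that only mimic the lure's shape."""
    msg = EmailMessage()
    msg["Subject"] = "new photos from my party!"
    msg["From"] = "sender@example.org"      # constructed address
    msg["To"] = "recipient@example.org"     # constructed address
    msg.set_content("I have attached my web page with new photos!")
    msg.add_attachment(b"MZ" + bytes(62), maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="setlist.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Checking the content as well as the name matters here: the "MZ" test still fires if the same file is renamed to a harmless-looking extension.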
