Sam,

> Does anyone know what this program is supposed to do? Is this a
> new virus? I decoded it and then I scanned it with my anti-virus
> software. It was not identified as a virus or a Trojan. I'm not
> going to try to run this program because I have very good reason
> to remain very suspicious of it.

As I mentioned a couple days ago on this list... about 1 hour after the post plus attachment appeared... it is an Internet worm, and if you click on it (which I advised people not to do)... it will infect your computer, and remail itself to your address book. (see below)

-wittig
http://www.robertwittig.com/
"Never hold a dustbuster and a cat at the same time." -Kyoyo, age 11

-------------Below---------------

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 28, 2002 6:59 AM
Subject: Virus News: Not Everything Starting with 'www' and Ending in '.com' Is a Web Site

>
> Virus News. Monday, January 28, 2002
> ******************************************************************
>
> 1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site
> 2. How to subscribe/unsubscribe
>
> ****
>
> 1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site
> The Internet worm 'Myparty' poses as a Web-site link
>
> Kaspersky Labs, an international data-security software developer,
> announces the detection of a new Internet worm going by the name of
> Myparty that spreads via e-mail. At this time, several incidents of
> infection by this malicious code have already been reported.
>
> The worm appears on a target computer as a file attached to an
> e-mail message. The file is a Windows application about 30Kb in length,
> it is written in Microsoft Visual C++, and is compressed in a UPX
> utility.
>
> An infected message appears as follows:
>
> Subject: new photos from my party!
> Body: Hello! My party... It was absolutely amazing! I have
> attached my web page with new photos! If you can please make color
> prints of my photos. Thanks!
> Attachment: www.myparty.yahoo.com
>
> As is apparent, the file carrier purposely poses as a Web-site
> address. A user's trust is taken into account so that when
> double-clicking on the enclosure, the said user ends up at some Internet
> address.
> However, what actually occurs is that a malicious program is
> activated upon enclosure opening.
>
> "This is definitely a new technique for manipulating a user that is
> uniquely employed by 'Myparty' to have already caused a series of
> infections. The rest of the program is a classic Internet worm that is
> not differentiated from hundreds of similarly created Internet worms,"
> commented Denis Zenkin, Head of Corporate Communications for Kaspersky
> Labs. "This occurrence once again confirms that not everything beginning
> with 'www' and ending in '.com' is a Web site."
>
> If the system date on a computer is 25-29 of January 2002, Myparty
> launches its installation and spreading routines. In addition to this,
> the worm checks for the presence of Russian-language support and if this
> is detected, the worm finishes its operation and exits the system.
>
> In order to maintain its presence in the memory, upon each
> infected-computer start-up, the worm creates its copy in different disk
> directories and registers them in the Windows system registry of the
> program auto-start section.
>
> In order to send its copies via e-mail, the worm scans the Windows
> Address Book and DBX (also used in Outlook Express) databases and checks
> these with all found addresses. Following this, the worm installs a
> direct connection with a remote SMTP server and imperceptibly,
> supposedly in the name of the infected computer's user, sends its copies
> to these addresses. In order to confirm an infection, the worm also
> sends a blank e-mail to the [EMAIL PROTECTED] address.
>
> Myparty has some dangerous side effects. On computers with Windows
> NT/2000/XP, the worm installs a spy program for remote unauthorized
> control. In this way, a malefactor can gain total control over a
> victim's computer.
>
> In addition to this, depending on a number of conditions, Myparty
> opens the http://www.disney.com Web site in the current Internet browser
> window.
>
> Defense procedures thwarting Myparty have already been added to the
> Kaspersky Anti-Virus database.
>
> A more detailed description of this Internet worm can be found in
> the Kaspersky Virus Encyclopedia
> (http://www.viruslist.com/eng/viruslist.html?id=46966).
>
> **
>
> 2. How to subscribe/unsubscribe
>
> If you would like to subscribe to other Kaspersky Lab news blocks or
> to unsubscribe from this news block, you can do so by visiting
> http://www.kaspersky.com/subscribenow.html
>
> If you experience any problems with this procedure, please contact us at:
> [EMAIL PROTECTED]
>
> ****
>
> Best of Luck,
>
> Kaspersky Lab News Agent
>
> -----
> 10 Geroyev Panfilovtcev St., Moscow, 123363, Russia
> Telephone./Facsimile: +7 (095) 948 43 31
> WWW: http://www.kaspersky.com, http://www.viruslist.com
> FTP: ftp://ftp.kasperskylab.ru
> E-mail: [EMAIL PROTECTED]
>

To unsubscribe from SURVPC send a message to [EMAIL PROTECTED] with unsubscribe SURVPC in the body of the message. Also, trim this footer from any quoted replies. More info can be found at; http://www.softcon.com/archives/SURVPC.html
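
A check a mail gateway could apply to the attachment naming trick the advisory describes, as an added example that is not part of the original post or of the Kaspersky advisory. The extension list, the function names and the sample message are assumptions constructed for illustration, and the sample attachment bytes are inert filler, not a real executable.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions Windows runs directly; ".com" is the one the Myparty attachment name abuses.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# "Starts with www, ends in a dotted label": looks like a host name, not a file name.
WEB_ADDRESS_SHAPE = re.compile(r"^www\.([a-z0-9-]+\.)+[a-z]{2,}$")

def inspect_attachment(filename, payload):
    """Return the reasons to quarantine this attachment (empty list means none found)."""
    reasons = []
    name = (filename or "").strip().lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        if WEB_ADDRESS_SHAPE.match(name):
            reasons.append("file name is shaped like a web address")
    if payload[:2] == b"MZ":  # DOS/PE header: a program, whatever the name suggests
        reasons.append("content starts with MZ executable header")
        if b"UPX0" in payload[:4096]:  # section name the UPX packer leaves behind
            reasons.append("UPX-packed")
    return reasons

def scan_message(raw):
    """Map each attachment file name in a raw message to its findings."""
    msg = message_from_string(raw, policy=policy.default)
    return {part.get_filename(): inspect_attachment(
                part.get_filename(), part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def build_sample():
    """Constructed message in the shape the advisory describes; the bytes are inert filler."""
    msg = EmailMessage()
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello! My party... It was absolutely amazing!")
    fake_program = b"MZ" + b"\x00" * 62 + b"UPX0" + b"\x00" * 60  # not a real executable
    msg.add_attachment(fake_program, maintype="application", subtype="octet-stream",
                       filename="www.myparty.yahoo.com")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photos.jpg")
    return msg.as_string()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", reasons or "no findings")
```

The content check matters as much as the name check: a signature scan that returns nothing, as in the question quoted at the top, says nothing about whether the attachment is a program.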
