
SAFE COMPUTING: W32.MyLife.B@mm..DESTRUCTIVE PAYLOAD


Senior Staff

Mar 23, 2002, 3:31:36 PM
W32.MyLife.B@mm

Discovered on: March 21, 2002
Last Updated on: March 22, 2002 at 12:40:53 PM PST


http://securityresponse.symantec.com/avcenter/venc/data/w32.my...@mm.html


Due to increased submissions, Symantec Security Response has upgraded W32.MyLife.B@mm to a Category 3.

W32.MyLife.B@mm is a mass-mailing worm that uses Microsoft Outlook to spread to all addresses in the Outlook address book. It copies itself to C:\Windows\System\Cari.scr and may delete files, depending on the system time.

NOTE: Definitions dated prior to March 22, 2002 will detect this as W32.Caric@mm.

Also Known As: W32.Caric@mm
Type: Worm
Infection Length: 11,524 bytes

Virus Definitions (Intelligent Updater): March 21, 2002
Virus Definitions (LiveUpdate): March 21, 2002

Threat Assessment:

Wild: Medium
Damage: Medium
Distribution: High

Wild:

Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Easy
Removal: Easy

Damage:

Payload Trigger: If the worm is run when the system time is between 8:00 A.M. and 9:00 A.M.
Payload:
  Large scale e-mailing: Sends itself to all addresses in the Microsoft Outlook address book
  Deletes files: Attempts to delete the files on C:\*.*, *.sys, *.vxd, *.ocx, *.nls, d:\*.*, e:\*.*, f:\*.*

Distribution:

Subject of email: bill caricature
Name of attachment: Cari.scr
Size of attachment: 11,524 Bytes

Technical description:

If W32.MyLife.B@mm is executed, it does the following:

It uses Microsoft Outlook to spread to all addresses in the Outlook address book. The email message will have the following characteristics:

Subject: "bill caricature"

Message: Hiiiii How are youuuuuuuu? look to bill caricature it's vvvery verrrry ffffunny :-) :-) i promise you will love it? ok buy

========No Viruse Found======== MCAFEE.COM --------------------------------------------------------

Attachment: Cari.scr
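As an added example (not part of the Symantec write-up or of this post), the following Python script checks a raw e-mail against the three distribution indicators given above: the subject, the attachment name and the attachment size. Each indicator is reported separately, so a message with the right subject but a renamed attachment is still visible to an operator. The sample message the script builds is constructed from inert filler bytes, not the worm; the sender and recipient addresses are placeholders.

```python
"""Mail-side indicator check for the W32.MyLife.B@mm message described above.

Added example, not Symantec's code. It checks a raw RFC 822 message against
the write-up's subject, attachment name and attachment size, reporting each
indicator separately so a partial match (e.g. a renamed attachment) is visible.
"""
from email import message_from_bytes
from email.message import EmailMessage

SUBJECT = "bill caricature"
ATTACHMENT_NAME = "cari.scr"
ATTACHMENT_SIZE = 11524  # bytes, from the write-up


def mylife_b_indicators(raw: bytes) -> dict:
    """Return which of the three e-mail indicators the raw message matches."""
    msg = message_from_bytes(raw)
    hits = {"subject": False, "attachment_name": False, "attachment_size": False}
    hits["subject"] = (msg.get("Subject") or "").strip().lower() == SUBJECT
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or filename.lower() != ATTACHMENT_NAME:
            continue
        hits["attachment_name"] = True
        # decode=True undoes the transfer encoding so the size is the real file size
        payload = part.get_payload(decode=True) or b""
        hits["attachment_size"] = len(payload) == ATTACHMENT_SIZE
    return hits


def is_mylife_b(raw: bytes) -> bool:
    """True only when subject, attachment name and size all match."""
    return all(mylife_b_indicators(raw).values())


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Construct a test message; the attachment is inert filler, not the worm.
    Sender and recipient addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Hiiiii How are youuuuuuuu?")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(mylife_b_indicators(build_sample("bill caricature", "Cari.scr", 11524)))
```

The size check is done on the decoded payload rather than on the base64 text, because the transfer encoding inflates the attachment by about a third and would never equal the 11,524 bytes given in the write-up.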

It copies itself to C:\Windows\System\Cari.scr.

It displays the following graphic:

Payload: The payload of this worm will activate if the worm is run when the system time is between 8:00 A.M. and 9:00 A.M.

The worm attempts to set itself to run with Windows by adding the value:

win c:\windows\system\cari.scr

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It also attempts to delete the following files:

C:\*.*
*.sys
*.vxd
*.ocx
*.nls
d:\*.*
e:\*.*
f:\*.*

Removal instructions:

Delete all files detected as W32.MyLife.B@mm or W32.Caric@mm and remove the value that it added to the registry.

NOTE: If the payload has activated and was successful, you may need to restore the deleted files from a clean backup.

1. Obtain the most recent virus definitions. There are two ways to do this:

   - Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.

   - Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

   Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.

3. Run a full system scan.

4. Delete all files that are detected as W32.MyLife.B@mm or W32.Caric@mm.


To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

win c:\windows\system\cari.scr

5. Click Registry, and click Exit.
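The manual steps above can also be verified on an exported copy of the key rather than in the live editor, which is useful when checking several machines. The following Python script is an added example, not Symantec's code: it parses the text that Registry Editor writes when the Run key is exported (Registry > Export Registry File in the version shown here), undoes the .reg escaping of backslashes, and reports any value whose data is the worm's path. The export embedded in the script is constructed; the ctfmon.exe value is included only to show that unrelated entries are left alone.

```python
"""Check a Registry Editor export for the Run value W32.MyLife.B@mm adds.

Added example, not Symantec's code. Input is the text regedit writes when
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is exported;
the header line (REGEDIT4 or "Windows Registry Editor Version 5.00") is ignored.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_PATH = r"c:\windows\system\cari.scr"

# Constructed export: one benign value plus the worm's value from the write-up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"win"="c:\\windows\\system\\cari.scr"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> dict:
    """Map each key path (lower-cased, since registry keys are case-insensitive)
    to its string values.

    .reg files escape backslash and double quote with a backslash; undo that so
    the data compares correctly against a plain path. Non-string values (dword:,
    hex:) are skipped because they cannot carry a command line.
    """
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            keys.setdefault(current, {})
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if current is not None and value_match:
            data = re.sub(r"\\(.)", r"\1", value_match.group("data"))
            keys[current][value_match.group("name")] = data
    return keys


def find_mylife_b_run_values(text: str) -> list:
    """Return (value name, data) pairs under the Run key whose data is the worm path."""
    run_values = parse_reg_export(text).get(RUN_KEY.lower(), {})
    return [(name, data) for name, data in run_values.items()
            if data.strip().lower() == WORM_PATH]


if __name__ == "__main__":
    for name, data in find_mylife_b_run_values(SAMPLE_REG):
        print(f'Run value "{name}" launches {data}: delete it per step 4 above')
```

Matching is done on the value data rather than on the value name "win", so a variant that registers the same file under a different name is still reported; the name is returned so the operator knows exactly which entry step 4 should remove.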
