Virus News. Monday, January 28, 2002
******************************************************************
1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site
2. How to subscribe/unsubscribe
****
1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site
The Internet worm 'Myparty' poses as a Web-site link
Kaspersky Labs, an international data-security software developer,
announces the detection of a new Internet worm going by the name of
Myparty that spreads via e-mail. At this time, several incidents of
infection by this malicious code have already been reported.
The worm arrives on a target computer as a file attached to an
e-mail message. The file is a Windows application about 30Kb in length,
written in Microsoft Visual C++ and compressed with the UPX utility.
An infected message appears as follows:

Subject: new photos from my party!
Body: Hello! My party... It was absolutely amazing! I have
attached my web page with new photos! If you can please make color
prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com
As is apparent, the attached file purposely poses as a Web-site
address. The worm counts on the user's trust: the user expects that
double-clicking on the attachment will lead to some Internet address.
What actually occurs is that a malicious program is activated when the
attachment is opened.
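The disguise works because '.com' is both a top-level domain and an
executable file extension on Windows. The following is an added example,
not Kaspersky Labs code: a mail-filter check that flags attachment names
that read like a host name but end in an executable extension. The
function names, the extension list and the sample message are assumptions
constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Extensions Windows executes on double-click (assumed policy list, extend locally).
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# Host-like name: labels of letters, digits or hyphens joined by dots.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")

def classify_attachment(filename):
    """Return 'url-lookalike', 'executable' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.strip().rstrip(". ").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # ".com" is both a DOS executable extension and a top-level domain.
    looks_like_host = name.startswith("www.") or name.count(".") >= 2
    if ext == "com" and HOSTLIKE.match(name) and looks_like_host:
        return "url-lookalike"
    return "executable"

def scan_message(raw):
    """Return [(filename, verdict)] for each named MIME part of a raw message."""
    results = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename:
            results.append((filename, classify_attachment(filename)))
    return results

def build_sample():
    """Constructed message modelled on the description above (harmless bytes)."""
    msg = EmailMessage()
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello! My party... It was absolutely amazing!")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    msg.add_attachment(b"\xff\xd8", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg.as_string()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:14} {name}")
```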
"This is definitely a new technique for manipulating a user that is
uniquely employed by 'Myparty' and has already caused a series of
infections. The rest of the program is a classic Internet worm that is
not differentiated from hundreds of similarly created Internet worms,"
commented Denis Zenkin, Head of Corporate Communications for Kaspersky
Labs. "This occurrence once again confirms that not everything beginning
with 'www' and ending in '.com' is a Web site."
If the system date on a computer is between January 25 and 29, 2002,
Myparty launches its installation and spreading routines. In addition,
the worm checks for the presence of Russian-language support; if this
is detected, the worm finishes its operation and exits the system.
In order to maintain its presence in memory at each start-up of the
infected computer, the worm creates copies of itself in different disk
directories and registers them in the program auto-start section of the
Windows system registry.
In order to send its copies via e-mail, the worm scans the Windows
Address Book and DBX databases (the latter also used in Outlook Express)
and gathers all addresses found there. Following this, the worm
establishes a direct connection with a remote SMTP server and
imperceptibly, supposedly in the name of the infected computer's user,
sends its copies to these addresses. In order to confirm an infection,
the worm also sends a blank e-mail to the napster@gala.net address.
Myparty has some dangerous side effects. On computers with Windows
NT/2000/XP, the worm installs a spy program for remote unauthorized
control. In this way, a malefactor can gain total control over a
victim's computer.
In addition to this, depending on a number of conditions, Myparty
opens the http://www.disney.com Web site in the current Internet browser
window.
Defense procedures thwarting Myparty have already been added to the
Kaspersky Anti-Virus database.
A more detailed description of this Internet worm can be found in
the Kaspersky Virus Encyclopedia
(http://www.viruslist.com/eng/viruslist.html?id=46966).
**
2. How to subscribe/unsubscribe
If you would like to subscribe to other Kaspersky Lab news blocks or
to unsubscribe from this news block, you can do so by visiting
http://www.kaspersky.com/subscribenow.html
If you experience any problems with this procedure, please contact us at:
news@kaspersky.com
****
Best of Luck,
Kaspersky Lab News Agent
-----
10 Geroyev Panfilovtcev St., Moscow, 123363, Russia
Telephone./Facsimile: +7 (095) 948 43 31
WWW: http://www.kaspersky.com, http://www.viruslist.com
FTP: ftp://ftp.kasperskylab.ru
E-mail: info@avp.ru