A complete revision history can be found at the end of this file.
"W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive.
As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received reports of W32/Myparty from several dozen individual sites.
SUBJECT: new photos from my party!
BODY:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
ATTACHMENT: www.myparty.yahoo.com
The attached file name containing the malicious code, www.myparty.yahoo.com, was carefully chosen to entice the email recipient to open and (in most email clients) run the attachment. This social engineering exploits the fact that .com is both an executable file extension in Windows and a top-level domain (TLD).
We have seen two variants of www.myparty.yahoo.com as follows:

Filename = www.myparty.yahoo.com
MD5 checksum = 43fc3f274372f548b7e6c14af45e0746
File size = 30172

Filename = www.myparty.yahoo.com
MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd
File size = 29701
Both files take the same actions when executed:

Filename = msstask.exe
MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd
File size = 6144

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
Other outside analysis also indicates that the default web browser may be launched to a particular URL under certain circumstances.
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Myparty. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments regardless of their origin. In general, users should also always scan files received through email with an anti-virus product.
The following section of the "Home Network Security" document provides advice on handling email attachments securely:
http://www.cert.org/tech_tips/home_networks.html#IV-A-4
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.
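The filtering described above can be sketched as a mail-gateway check that looks at the subject line, the final extension of each attachment name, and the attachment's MD5. This is an added example, not CERT/CC code; the function names and the `EXEC_EXTS` list are assumptions, and the sample messages are constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the note above.
KNOWN_SUBJECT = "new photos from my party!"
KNOWN_MD5 = {"43fc3f274372f548b7e6c14af45e0746",
             "221c47432e70b049fce07a6ca85ca7dd"}
# Assumption: a site-chosen list of extensions Windows treats as programs.
EXEC_EXTS = {".com", ".exe", ".pif", ".scr", ".bat"}

def inspect(raw: bytes) -> list:
    """Return the reasons to quarantine a message (empty list means pass)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() == KNOWN_SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, and only the last extension
        # decides how the file is run: "www.myparty.yahoo.com" is a .com
        # program even though it reads like a host name.
        name = name.lower().rstrip(". ")
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXEC_EXTS:
            reasons.append("executable-attachment:" + name)
        payload = part.get_payload(decode=True) or b""
        if hashlib.md5(payload).hexdigest() in KNOWN_MD5:
            reasons.append("known-md5")
    return reasons

def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("I have attached my web page with new photos!")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample(KNOWN_SUBJECT, "www.myparty.yahoo.com", b"constructed bytes")
    print(inspect(lure))
    print(inspect(build_sample("Minutes", "notes.txt", b"hello")))
```

The extension check does not depend on the subject or the hash, so it still fires if either of those changes.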
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
http://www.cert.org/other_sources/viruses.html
Copyright 2002 Carnegie Mellon University.
Revision History
Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link
Feb 28, 2002: Added vendor link for Frisk Software International