W32/Myparty Malicious Code
Release Date: January 28, 2002
A complete revision history can be found at the end of this file.
Systems Affected
Overview
"W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive.
As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received reports of W32/Myparty from several dozen individual sites.
I. Description
Analysis of the W32/Myparty malicious code indicates that it is a Windows binary spreading via an email message with the following characteristics:
SUBJECT: new photos from my party!
BODY:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
ATTACHMENT: www.myparty.yahoo.com
The attached file name containing the malicious code, www.myparty.yahoo.com, was carefully chosen to entice the email recipient to open and (in most email clients) run the attachment. This social engineering exploits the fact that .com is both an executable file extension in Windows and a top-level domain (TLD).
We have seen two variants of www.myparty.yahoo.com as follows:
Filename = www.myparty.yahoo.com
MD5 checksum = 43fc3f274372f548b7e6c14af45e0746
File size = 30172
Filename = www.myparty.yahoo.com
MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd
File size = 29701
Both files take the same actions when executed:
- the file msstask.exe is created in the current user's profile Startup folder (\Start Menu\Programs\Startup) and is immediately executed. It will also be executed every time the Windows user logs into the system.
Filename = msstask.exe
MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd
File size = 6144
- on Windows 9x computers, a copy of www.myparty.yahoo.com is written to C:\Recycled\REGCTRL.EXE. On Windows NT computers, this copy is placed in either C:\REGCTRL.EXE or a newly created random directory in the C:\Recycled folder. This copy is subsequently executed.
- an email message is sent to a predefined address with a subject line of the folder where the W32/Myparty malicious code was stored on the victim machine. When sending this message, W32/Myparty will use the SMTP statement HELO HOST when identifying itself to the SMTP server.
- the current user's default SMTP server is retrieved from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
- the hard drive is scanned for Windows Address Book (.WAB) files and Outlook Express inboxes and folders (.DBX) in order to harvest email addresses.
- copies of the malicious code are emailed to all the email addresses it could find.
Other outside analysis also indicates that the default web browser may be launched to a particular URL under certain circumstances.
II. Impact
W32/Myparty may cause the default web browser to run unexpectedly. Likewise, the victim and targeted sites may experience an increased load on the mail server when the malicious code is propagating.
III. Solution
Run and maintain an anti-virus product
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and recover from W32/Myparty. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Exercise caution when opening attachments
Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments regardless of their origin. In general, users should also always scan files received through email with an anti-virus product.
The following section of the "Home Network Security" document provides advice on handling email attachments securely:
http://www.cert.org/tech_tips/home_networks.html#IV-A-4
Filter the email or use a firewall
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.
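As an added example (not part of the CERT/CC advisory), the following Python filter applies the indicators given above to an RFC 822 message: the known subject line, the attachment name, the MD5 checksums listed in section I, and the .com executable extension the social engineering relies on. The sample message it builds is constructed here for testing and is not a real W32/Myparty capture.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
KNOWN_SUBJECT = "new photos from my party!"
KNOWN_ATTACHMENT = "www.myparty.yahoo.com"
KNOWN_MD5 = {
    "43fc3f274372f548b7e6c14af45e0746",  # www.myparty.yahoo.com, 30172 bytes
    "221c47432e70b049fce07a6ca85ca7dd",  # www.myparty.yahoo.com, 29701 bytes
    "cda312b5364bbaddcd2c2bf3ceb4e6cd",  # msstask.exe, 6144 bytes
}
# .com is an executable extension on Windows as well as a top-level domain,
# so a bare "www.<something>.com" attachment is treated like any other executable.
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".pif", ".scr", ".bat")


def scan_message(raw: bytes) -> list:
    """Return the W32/Myparty indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject == KNOWN_SUBJECT:
        hits.append("subject:known-myparty-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.md5(payload).hexdigest()
        if name == KNOWN_ATTACHMENT:
            hits.append(f"attachment:{name}:known-name")
        if digest in KNOWN_MD5:
            hits.append(f"attachment:{name}:known-md5:{digest}")
        if name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(f"attachment:{name}:executable-extension")
    return hits


def build_sample(subject: str, filename: str, body: bytes) -> bytes:
    """Construct a test message (a placeholder, not a real sample of the worm)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("Hello!\nI have attached my web page with new photos!\n")
    m.add_attachment(body, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample(KNOWN_SUBJECT, KNOWN_ATTACHMENT, b"MZ constructed placeholder")
    print(scan_message(sample))
```

A message that matches any indicator can be quarantined or rejected at the gateway; the MD5 check only fires on the exact samples listed above, so the name and extension checks carry the detection for unknown variants.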
Appendix A. - Vendor Information
Aladdin Knowledge Systems
Central Command, Inc.
Command Software Systems
Computer Associates
F-Secure Corp
Frisk Software International
McAfee
Norman Data Defense Systems
Panda Software
- http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&pestanaFicha=0&idioma=1&nombreVirusFicha=W32/Myparty@MM
Proland Software
Sophos
Symantec
Trend Micro
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
http://www.cert.org/other_sources/viruses.html
Authors: Roman Danyliw, Allen Householder
Copyright 2002 Carnegie Mellon University.
Revision History
Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link
Feb 28, 2002: Added vendor link for Frisk Software International