The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Myparty Malicious Code</h2>

<p>Release Date: January 28, 2002</p>
<p>A complete revision history can be found at the end of this file.</p>

<a name="affected"></a>
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft Windows</li>
</ul>
<a name="overview"></a>
<h2>Overview</h2>
<p>"W32/Myparty" is malicious code written for the Windows platform
that spreads as an email file attachment.  The malicious code makes
use of social engineering to entice a user to execute it.  The
W32/Myparty payload is non-destructive.

<p>
As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received
reports of W32/Myparty from several dozen individual sites.

<a name="description"></a>
<h2>I. Description</h2>


Analysis of the W32/Myparty malicious code indicates that it is a
Windows binary spreading via an email message with the following
characteristics:

<blockquote>
<font face="Courier New" size="-1">
<p><b>SUBJECT:</b> new photos from my party!</p>
<p><b>BODY:</b><br/>
Hello!</p>
<p>My party... It was absolutely amazing!<br/>
I have attached my web page with new photos!<br/>
If you can please make color prints of my photos.  Thanks!</p>
<p><b>ATTACHMENT:</b> www.myparty.yahoo.com</p>
</font>
</blockquote>
<p>
The attached file name containing the malicious code, <font face="Courier New" size="-1">www.myparty.yahoo.com</font>, was carefully
chosen to entice the email recipient to open and (in most email
clients) run the attachment.  This social engineering exploits the
fact that <font face="Courier New" size="-1">.com</font> is both an
executable file extension in Windows and a top-level domain (TLD).

<p>
We have seen two variants of <font face="Courier New" size="-1">www.myparty.yahoo.com</font> as follows:

<p>
Filename = <font face="Courier New" size="-1">www.myparty.yahoo.com</font><br/>
MD5 checksum = <font face="Courier New" size="-1">43fc3f274372f548b7e6c14af45e0746</font><br/>
File size = <font face="Courier New" size="-1">30172</font>
<p>Filename = <font face="Courier New" size="-1">www.myparty.yahoo.com</font><br/>
MD5 checksum = <font face="Courier New" size="-1">221c47432e70b049fce07a6ca85ca7dd</font><br/>
File size = <font face="Courier New" size="-1">29701</font>
<p>Both files take the same actions when executed:</p>

<ul>
<li>the file <font face="Courier New" size="-1">msstask.exe</font> is created in the current
     user's profile <font face="Courier New" size="-1">Startup</font>
     folder (<font face="Courier New" size="-1">\Start
     Menu\Programs\Startup</font>) and is immediately executed. It will
     also be executed every time the Windows user logs into the system.

<p>Filename = <font face="Courier New" size="-1">msstask.exe</font><br/>
MD5 checksum = <font face="Courier New" size="-1">cda312b5364bbaddcd2c2bf3ceb4e6cd</font><br/>
File size = <font face="Courier New" size="-1">6144</font></p>
</li>

<li>on Windows 9x computers, a copy of <font face="Courier New" size="-1">www.myparty.yahoo.com</font> is written to <font face="Courier New" size="-1">C:\Recycled\REGCTRL.EXE</font>.  On
     Windows NT computers, this copy is placed in either <font face="Courier New" size="-1">C:\REGCTRL.EXE</font> or a newly
     created random directory in the <font face="Courier New" size="-1">C:\Recycled</font> folder.  This copy is subsequently
     executed.</li>

<li>an email message is sent to a predefined address with a subject
     line of the folder where the W32/Myparty malicious code was
     stored on the victim machine. When sending this message,
     W32/Myparty will use the SMTP statement <font face="Courier New" size="-1">HELO HOST</font> when identifying itself to the SMTP
     server.</li>

<li>the current user's default SMTP server is retrieved from the
     following registry key:
<p>
<font face="Courier New" size="-1">
     HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
</font>
</p>
</li>

<li>the hard drive is scanned for Windows Address Book (.WAB)
     files and Outlook Express inboxes and folders (.DBX) in order to
     harvest email addresses.</li>

<li>copies of the malicious code are emailed to all the email
     addresses it could find.</li>
</ul>

<p>
Outside analysis indicates that this final step of mass mailing may be time-dependent.  The code may only
send itself if the clock on the victim machine is set to January 25-29.  It is the experience of the CERT/CC
that variants of malicious code often occur, so this time-trigger may not apply.
</p>
<p>
Other outside analysis also indicates that the default web browser may be launched to a particular
URL under certain circumstances.
</p>
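<p>
The artifacts listed above (the dropped file names, the MD5 checksums and sizes, and the literal
<font face="Courier New" size="-1">HELO HOST</font> greeting) are the indicators a responder would
sweep for. The following script is an added example, not part of this incident note or of any
vendor's tooling: it walks a set of directories, hashes each file, and reports a <i>known</i> hit when
the MD5 and size match a sample from the note, or a <i>lead</i> when only the file name matches (a
possible new variant, which the note warns about). A second helper flags SMTP log lines whose HELO
argument is the literal word HOST. The directory tree and the log lines used in the self-test are
constructed for illustration; the log format is assumed, not taken from any particular mail server.
</p>

```python
# Added example (not from the CERT/CC incident note): sweep for W32/Myparty
# indicators. Checksums, sizes and file names are quoted from the note; the
# sample directory tree and log lines below are constructed.
import hashlib
import os
import re
import tempfile

# Indicators from the note: MD5 -> (description, file size in bytes)
KNOWN_SAMPLES = {
    "43fc3f274372f548b7e6c14af45e0746": ("www.myparty.yahoo.com variant 1", 30172),
    "221c47432e70b049fce07a6ca85ca7dd": ("www.myparty.yahoo.com variant 2", 29701),
    "cda312b5364bbaddcd2c2bf3ceb4e6cd": ("msstask.exe dropped in Startup folder", 6144),
}

# File names the note says the worm writes; a name hit alone is only a lead.
SUSPECT_NAMES = {"www.myparty.yahoo.com", "msstask.exe", "regctrl.exe"}


def md5_of(path, chunk=65536):
    """Stream the file through MD5 so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return (verdict, detail) for one file.

    'known' - MD5 and size match a sample from the note
    'lead'  - the name matches one the worm uses but the content does not;
              treat as a possible variant and submit it to the AV vendor
    None    - nothing of interest
    """
    name = os.path.basename(path).lower()
    digest = md5_of(path)
    size = os.path.getsize(path)
    hit = KNOWN_SAMPLES.get(digest)
    if hit and hit[1] == size:
        return "known", hit[0]
    if name in SUSPECT_NAMES:
        return "lead", "%s present but MD5 %s is not in the note" % (name, digest)
    return None, ""


def sweep(roots):
    """Walk each root directory and collect every file that classify() flags."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                full = os.path.join(dirpath, fn)
                verdict, detail = classify(full)
                if verdict:
                    findings.append((verdict, full, detail))
    return findings


# The note says the worm greets the SMTP server with the literal "HELO HOST".
HELO_HOST = re.compile(r"\bHELO\s+HOST\b", re.IGNORECASE)


def helo_host_lines(log_lines):
    """Return the log lines whose HELO argument is exactly the word HOST."""
    return [line for line in log_lines if HELO_HOST.search(line)]


# Constructed log lines in an assumed syslog-like format (not from any real server).
SAMPLE_LOG = [
    "Jan 28 16:01:02 mx1 smtpd[4321]: 10.0.0.5 HELO HOST",
    "Jan 28 16:01:05 mx1 smtpd[4322]: 10.0.0.6 HELO mail.example.org",
    "Jan 28 16:01:09 mx1 smtpd[4323]: 10.0.0.7 HELO HOSTNAME",
]


def demo():
    """Self-test on a constructed profile tree; returns the sweep findings."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Start Menu", "Programs", "Startup")
        os.makedirs(startup)
        # Constructed content: right name, wrong hash -> reported as a lead
        with open(os.path.join(startup, "msstask.exe"), "wb") as f:
            f.write(b"placeholder bytes, not the real sample")
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"harmless text file")
        return sweep([tmp])


if __name__ == "__main__":
    for verdict, path, detail in demo():
        print(verdict, path, detail)
    for line in helo_host_lines(SAMPLE_LOG):
        print("suspect SMTP session:", line)
```

<p>
On a real host the roots would be the user's Startup folder, the root of
<font face="Courier New" size="-1">C:\</font> and <font face="Courier New" size="-1">C:\Recycled</font>;
a file that classifies as <i>known</i> should be removed with an updated anti-virus product rather than by hand,
since the note says the Startup copy re-executes at every logon.
</p>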


<h2>II. Impact</h2>

W32/Myparty may cause the default web browser to run unexpectedly.  Likewise, the victim 
and targeted sites may experience an increased load on the mail server when the
malicious code is propagating.

<a name="solution"></a>
<h2>III. Solution</h2>
<h4>Run and maintain an anti-virus product</h4>
<p>It is important for users to update their anti-virus software.
Most anti-virus software vendors have released updated information,
tools, or virus databases to help detect and recover from 
W32/Myparty.  A
list of vendor-specific anti-virus information can be found in <a href="#vendors">Appendix A</a>.

<p>
Many anti-virus packages support automatic updates of virus definitions. 
We recommend using these automatic updates when available.

<h4>Exercise caution when opening attachments</h4>
<p>Exercise caution when receiving email with attachments.  
Users should be suspicious of unexpected attachments regardless of their origin.  
In general, users should also always scan files received through email with an anti-virus product. 

<p>
The following section of the "Home Network Security" document provides advice on handling email
attachments securely:

<blockquote>
<a href="http://www.cert.org/tech_tips/home_networks.html#IV-A-4">
http://www.cert.org/tech_tips/home_networks.html#IV-A-4</a>
</blockquote>
<h4>Filter the email or use a firewall</h4>
<p>Sites can use email filtering techniques to delete messages
whose subject lines are associated with the malicious code, or they can filter
all attachments.</p>
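<p>
The two observations this note makes about the lure (the fixed subject line, and an attachment
named like a web address whose <font face="Courier New" size="-1">.com</font> suffix is in fact an
executable extension) translate directly into gateway filtering rules. The following is an added
example, not part of this note or of any mail product: it parses a message with Python's standard
<font face="Courier New" size="-1">email</font> package and returns the reasons it should be
quarantined. The subject and attachment name are taken from the note; the list of executable
extensions, the "looks like a hostname" heuristic and both sample messages are constructed assumptions.
</p>

```python
# Added example (not from the CERT/CC incident note): a gateway filter for the
# W32/Myparty lure. Subject and attachment name are quoted from the note; the
# extension list, the hostname heuristic and the sample messages are constructed.
from email import message_from_bytes
from email.message import EmailMessage

# Subject lines the note associates with the worm (compared case-insensitively).
KNOWN_SUBJECTS = {"new photos from my party!"}

# Extensions Windows will execute on open; ".com" is also a top-level domain,
# which is the ambiguity the note says the worm exploits. (Assumed list.)
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".bat", ".pif", ".scr", ".vbs"}


def looks_like_hostname(name):
    """Assumed heuristic: two or more dots and no spaces reads like a web address."""
    return name.count(".") >= 2 and " " not in name


def assess(raw):
    """Return the list of reasons to quarantine the message (empty list = deliver)."""
    msg = message_from_bytes(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject matches known W32/Myparty lure: %r" % subject)
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # not an attachment
        lower = fname.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("attachment %r has executable extension %s" % (fname, ext))
            if ext == ".com" and looks_like_hostname(lower):
                reasons.append("attachment %r is named like a web address but runs as a .COM program" % fname)
    return reasons


def build_sample():
    """Constructed message reproducing the subject, body and attachment name from the note."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "new photos from my party!"
    m.set_content("Hello!\n\nMy party... It was absolutely amazing!\n"
                  "I have attached my web page with new photos!\n")
    # Placeholder bytes stand in for the attachment; the real content is irrelevant to the rules.
    m.add_attachment(b"placeholder, not the real sample", maintype="application",
                     subtype="octet-stream", filename="www.myparty.yahoo.com")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message with a document attachment, which should pass."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Quarterly report"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-placeholder", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in assess(build_sample()):
        print("QUARANTINE:", reason)
    print("benign message reasons:", assess(build_benign()))
```

<p>
The subject rule catches only this exact lure and stops working for the variants the note anticipates;
the extension rule is the durable one, because any executable attachment, however it is named, is
what the note's "filter all attachments" advice is ultimately about.
</p>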


<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>
<h3>Aladdin Knowledge Systems</h3>
<dl>
<dd><a href="http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102">http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102</a>
</dd></dl>
<h3>Central Command, Inc.</h3>
<dl>
<dd><a href="http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020128-000003">http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/</a><br/><a href="http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020128-000003">std_adp.php?p_refno=020128-000003</a>
</dd></dl>
<h3>Command Software Systems</h3>
<dl>
<dd><a href="http://www.commandsoftware.com/virus/myparty.html">http://www.commandsoftware.com/virus/myparty.html</a>
</dd></dl>
<h3>Computer Associates</h3>
<dl>
<dd><a href="http://www3.ca.com/solutions/collateral.asp?CT=65&amp;ID=1323">http://www3.ca.com/solutions/collateral.asp?CT=65&amp;ID=1323</a>
</dd></dl>
<h3>F-Secure Corp</h3>
<dl>
<dd><a href="http://www.datafellows.com/v-descs/myparty.shtml">http://www.datafellows.com/v-descs/myparty.shtml</a>
</dd></dl>
<h3>Frisk Software International</h3>
<dl>
<dd><a href="http://www.f-prot.com/f-prot/virusinfo/mypartya.html">http://www.f-prot.com/f-prot/virusinfo/mypartya.html</a>
</dd></dl>
<h3>McAfee</h3>
<dl>
<dd><a href="http://vil.mcafee.com/dispVirus.asp?virus_k=99332&amp;">http://vil.mcafee.com/dispVirus.asp?virus_k=99332&amp;</a>
</dd></dl>
<h3>Norman Data Defense Systems</h3>
<dl>
<dd><a href="http://www.norman.com/virus_info/w32_myparty_a_mm.shtml">http://www.norman.com/virus_info/w32_myparty_a_mm.shtml</a>
</dd></dl>
<h3>Panda Software</h3>
<dl>
<dd><a href="http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&amp;pestanaFicha=0&amp;idioma=1&amp;nombreVirusFicha=W32/Myparty@MM">http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?</a><br/>
<a href="http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&amp;pestanaFicha=0&amp;idioma=1&amp;nombreVirusFicha=W32/Myparty@MM">operacion=EV2FichaVirus&amp;pestanaFicha=0&amp;idioma=1&amp;nombreVirusFicha=W32/Myparty@MM</a>
</dd></dl>
<h3>Proland Software</h3>
<dl>
<dd><a href="http://www.pspl.com/virus_info/worms/myparty.htm">http://www.pspl.com/virus_info/worms/myparty.htm</a>
</dd></dl>
<h3>Sophos</h3>
<dl>
<dd><a href="http://www.sophos.com/virusinfo/analyses/w32mypartya.html">http://www.sophos.com/virusinfo/analyses/w32mypartya.html</a>
</dd></dl>
<h3>Symantec</h3>
<dl>
<dd><a href="http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.myparty@mm.html">http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.myparty@mm.html</a>
</dd></dl>
<h3>Trend Micro</h3>
<dl>
<dd><a href="http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A">http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A</a>
</dd></dl>
<p>
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
</p>
<blockquote>
<a href="http://www.cert.org/other_sources/viruses.html">http://www.cert.org/other_sources/viruses.html</a>
</blockquote>

<p>
<hr noshade=""/>

Authors: <a href="mailto:cert@cert.org?subject=IN-2002-01%20Feedback%20[CERT%2326792]">Roman Danyliw, Allen Householder</a>
<hr noshade="" width="100%"/>
<p>Copyright 2002 Carnegie Mellon University.</p>
<p>Revision History</p>
<pre>
Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link
Feb 28, 2002: Added vendor link for Frisk Software International
</pre>