Rocky, et al:
Here's a write up that describes just how insidious this particular worm is.
Matt Murray
mattm@optonline.net
New worm spoils the party
By Wendy McAuliffe
ZDNet (UK)
January 28, 2002, 5:25 AM PT
URL: http://zdnet.com.com/2100-1105-823933.html
The first e-mail worm to use the .com extension has been spotted in the wild over the weekend. Antivirus experts are currently rating the MyParty virus as a medium risk.

Initial reports of the mass-mailing worm were received on Sunday evening, and the rate of infection steadily increased overnight and on Monday morning. The e-mail arrives with the subject line, "new photos from my party," and purports to contain the URL to a Web page containing pictures of a friend's party. But what appears to be the URL www.myparty.yahoo.com is in fact an executable attachment capable of infecting a local machine with a copy of the virus. The real www.myparty.yahoo.com URL points to a non-existent page.

MyParty is the latest in a line of 'socially engineered' viruses that rely on the user to click on an attachment to spread the virus.

"People have tended to go for the easy .exe attachment, as it still manages to lure people into double clicking," said David Emm, product marketing manager for McAfee AVERT. "But in the last six months, attachments have been replaced with URLs that link to an infected Web site."

When clicked on, the worm copies itself to the C:\Recycled\regctrl.exe and executes that file. It then uses the victim's default SMTP mail server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files. DBX files are where Windows archives e-mails from Outlook.

According to Emm, both corporate and home PC users will be equally affected by the "myparty" worm.

"People can't resist something like this. The e-mails are close enough to everyday life and legitimate emails to put people off-guard. Nine out of 10 e-mails like this will be bona fide."

Sophos has devised a patch at http://www.sophos.com/downloads/ide/.

----- Original Message -----
From: "Rocky Entriken" <rocky@tri.net>
Sent: Tuesday, January 29, 2002 4:30 PM
Subject: "Party" is no fun
> There's a new worm crawling about. I just got five copies of it within three
> minutes' time.
>
> Subject line is "New photos from my party" and the text asks you to look at
> them and make prints if you can. Yeah, right!
>
> Info is at Symantec, where at the moment it is the top item on the "security
> response" page. Specific info is at
> http://www.symantec.com/avcenter/venc/data/w32.myparty@mm.html
>
> --Rocky Entriken
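
The disguise the quoted article describes, an executable attachment whose name reads like the URL www.myparty.yahoo.com, can be caught at a mail gateway by inspecting attachment filenames. The following Python is an added example, not part of the original messages or the article; the function names, the extensions other than .com, and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# Extensions Windows runs on double-click. ".com" is the one the article names;
# the others are an assumed, commonly blocked set.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# A filename that reads like a host name, e.g. "www.myparty.yahoo.com".
HOSTNAME_LIKE = re.compile(r"^(www\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def suspicious_attachments(msg):
    """Return (filename, reason) pairs for attachments a gateway should hold."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()  # None for the body and multipart containers
        if not name:
            continue
        name = name.strip()
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        # Two or more dots plus a host-name shape means the name poses as a URL.
        if HOSTNAME_LIKE.match(name) and name.count(".") >= 2:
            findings.append((name, "executable named like a URL"))
        else:
            findings.append((name, "executable attachment"))
    return findings


def build_sample(filename, payload=b"constructed placeholder bytes"):
    """Constructed test message; the payload is inert placeholder data."""
    m = EmailMessage()
    m["Subject"] = "new photos from my party"
    m["From"] = "friend@example.org"
    m["To"] = "you@example.org"
    m.set_content("Have a look at the photos.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m


if __name__ == "__main__":
    for fn in ("www.myparty.yahoo.com", "photos.jpg", "setup.exe"):
        print(fn, "->", suspicious_attachments(build_sample(fn)))
```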