Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


MyBabyPic


Aliases:


MyBabyPic
IWorm_Myba, I-Worm.Myba

Malware
Worm
W32

Summary

Myba is the Internet worm spreading with emails by sending infected messages from affected computers. While spreading the worm uses MS Outlook and sends itself to all addresses that are stored in MS Outlook Address Book.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm itself is Win32 application written in VisualBasic. The worm code seems to be based on I-Worm.LoveLetter VBS worm (the worm routines and their names look very similar to "Loveletter" ones), and its seems that this worm was created by adapting "Loveletter" VBS source to VisualBasic language.

When run (if a user clicks on attached infected file) the worm sends its copies by email, installs itself into the system and performs destructive actions.

The worm sends itself as email messages with attached EXE file, that is the worm itself. The message has:

The Subject:          My baby pic !!!
 Message body:         Its my animated baby picture !!
 Attached file name:   mybabypic.exe
 
 

Being activated by a user (by double click on attached file) the worm opens MS Outlook, gets access to the Address Book, gets all addresses from there and sends messages with its attached copy to all of them. The message subject, body and attached file name are the same as above.

The worm also installs itself into the system. It creates its copies in Windows system directory with the names:

 WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE

and registered in Windows auto-run section in system registry:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic   = %WinSystem%\mybabypic.exe
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices     = %WinSystem%\Win32DLL.exe
 
 

where %WinSystem% is Windows system directory. As a result the worm is re-activated each time Windows boots up. The worm also creates the registry key:

 HKCU\Software\Bugger
  Default = HACK[2K]
  mailed  = %number%
  
  

where %number% is a number from 0 to 3 and depends on the process the worm is currently performing or done: installing, spreading, activating its payload routine.

The payload routine is quite a large. Depending on the system date and time the worm:

- switches on/off NumLock, CapLock and ScrollLock keys
- sends to keyboard buffer the message: 
   .IM_BESIDES_YOU_
- connects the www.youvebeenhack.com site and sends one of texts
there: 
   FROM BUGGER
   HAPPY VALENTINES DAY FROM BUGGER
   HAPPY HALLOWEEN FROM BUGGER

The worm also corrupts and/or affects other files. It scans subdirectory trees on all available drives, lists all files there and depending on filename extension performs actions:

VBS, VBE: the worm destroys these files contents.

JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new file with original filename plus ".EXE" extension and copies its body to there, and then deletes original file, i.e. the worm overwrites these files with its code and renames them with EXE extension. For example, "TEST.CPP" becowes "TEST.EXE".

JPG, JPEG: the worm does the same as above, but adds ".EXE" extension to full file name (does not rename to ".EXE"). For example, "PIC1.JPG" becomes "PIC1.JPG.EXE".

MP2, MP3, M3U: the worm creates a new file with ".EXE" extension (for "SONG.MP2" the worm creates the "SONG.MP2.EXE" file), writes its code to there and sets the file attribute "hidden" for the original file.





Technical Details: Eugene Kaspersky, KL; February 2001



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.