F-Secure Virus Descriptions : Mylife
|
|
THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 2
|
Mylife is a simple mass-mailer written in Visual Basic and packed
with UPX file compressor.
This version was first discovered on 7th of March 2002.
This worm usually arrives as an e-mail attachment named 'My
Life.scr'. When a user clicks on the attachment the worm is
activated. It shows a picture, installs itself to system (into
Windows System folder) as My Life.scr and adds its startup key to
the Registry. Here's the picture that the worm shows:
The worm sends itself to all recepients of an infected user's
Outlook Address Book with the following message:
From: name-of-infected-user
To: random-name-from-address-book
Subject: my life ohhhhhhhhhhhhh
Hiiiii
How are youuuuuuuu?
look to the digital picture it's my love
vvery verrrry ffffunny :-)
my life = my car
my car = my house
Attachment: My Life.scr
The worm has a payload - it can delete files with the following
extensions:
*.sys, *.com (from C:\ folder)
*.com, *.sys, *.ini, *.exe (from Windows folder)
*.sys, *.vxd, *.exe, *.dll (from Windows System folder)
The payload has a trigger - it checks if some variable is equal
or bigger that 45 and activates if it is.
This worm variant was found on 22nd of March 2002. It quickly
spread to many areas in Asia and Australia.
The worm is a PE executable file written in Visual Basic and
compressed with UPX file compressor.
The worm spreads via Outlook, sending itself to every address
found from the address book. The worm also gets e-mail addresses
from user's MSN Messenger database.
Messages sent by Mylife.B look like this:
From: name-of-infected-user
To: random-name-from-address-book
Subject: bill caricature
Body:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry
ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
----------------------------
Attachment: CARI.SCR
Do note the poor attempt to make the e-mail look like it has been
scanned by a gateway virus scanner on announced clean.
After user clicks on the attachment CARI.SCR, he will see this
image on-screen:
After first activation the worm copies itself to Windows System
directory as CARI.SCR and adds a startup key for its file to the
Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"win" = "%SysDir%\cari.scr"
Where %SysDir% is Windows System folder.
The worm has a payload. After spreading the worm can delete files
with the following extensions:
*.sys (Windows directory)
*.vxd, *.sys, *.ocx, *.nls (Windows System directory)
The worm also can delete all files from the following locations:
c:\*.* (root directory of c:\ drive)
d:\*.* (root directory of d:\ drive)
e:\*.* (root directory of e:\ drive)
f:\*.* (root directory of f:\ drive)
The payload is time-triggered and only works if hour value is
equal to 8 and if the worm's file CARI.SCR is already present
in Windows System directory.
The payload usually renders an infected system inoperable.
Mylife.F worm was found in the wild on April 2nd, 2002. Largest
infections currently in Australia and UK.
This variant is spreading in messages which look like this:
From: name-of-infected-user
Subject: the list
Body:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
MCAFEE.COM
--------------------------------
Attachment: List480.TXT.scr
F-Secure Anti-Virus detects Mylife.F worm with the heuristics.
Exact detection in F-Secure Anti-Virus was published on April 2nd, 2002:
[FSAV_Database_Version]
Version=2002-04-02_02
NOTE:
Mylife.M variant is not currently widespread enough to be
ranked as an alert under
F-Secure Radar alerting system.
This variant of the worm appeared in the beginning of July 2003.
The worm's file is a PE EXE file 8192 byte long compressed with
UPX file compressor.
When the worm's file is run, it creates an empty file with the
name 'MyLife.mpg' in the root of C: drive and tries to open it
with Windows Media Player. Then the worm it copies itself to
Windows System folder with the following names:
Julia_Roberts_F*cking_toilet.Mpeg_.scr
Shakira_1997_part_1_.Mpeg_.scr
Then it creates a startup key for one of its files in System
Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32" = "%winsysdir%\Shakira_1997_part_1_.Mpeg_.scr"
The worm spreads itself in 2 different e-mail messages:
Subject:
Fw: Julia Roberts
Body:
Hi
How are you?
Lexy and Mystique, a couple of 18 yr old bi gothic chicks, came
over and had some fun in our shower. This scene looks even
better on video, check em out at gotgiclex.com
========No virus detected========
MCAFEE.COM"
Attachment:
Julia_Roberts_F*cking_toilet.Mpeg_.scr
OR
Subject
Old Shakira
Body:
Hi
i saw this good ASS,, i sleep 3 hours ;-)
check Shakira ass soory Shakira movi :)
========No virus detected========
MCAFEE.COM"
Attachment:
Shakira_1997_part_1_.Mpeg_.scr
The worm has a dangerous payload. It can delete all files and
folders from D:, E: and F: drives. Also it can delete all files
from Windows System folder and *.SYS files from Windows folder.
Detection of Mylife.M worm in F-Secure Anti-Virus was published
on July 7th, 2003:
[FSAV_Database_Version]
Version=2003-07-07_02
[Analysis: A. Podrezov, K. Tocheva, M. Hypponen, G. Erdelyi; F-Secure Corp.; March 7-22, 2002; July 7th, 2003]
|
