Mylife
Summary
Mylife is a simple mass-mailer written in Visual Basic and packed with UPX file compressor.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variant:Mylife.A
This version was first discovered on 7th of March 2002.
This worm usually arrives as an email attachment named 'My Life.scr'. When a user clicks on the attachment the worm is activated. It shows a picture, installs itself to system (into Windows System folder) as My Life.scr and adds its startup key to the Registry. Here's the picture that the worm shows:
The worm sends itself to all recepients of an infected user's Outlook Address Book with the following message:
From: name-of-infected-user To: random-name-from-address-book Subject: my life ohhhhhhhhhhhhh Hiiiii How are youuuuuuuu? look to the digital picture it's my love vvery verrrry ffffunny :-) my life = my car my car = my houseAttachment: My Life.scr
The worm has a payload - it can delete files with the following extensions:
*.sys, *.com (from C:\ folder) *.com, *.sys, *.ini, *.exe (from Windows folder) *.sys, *.vxd, *.exe, *.dll (from Windows System folder)
The payload has a trigger - it checks if some variable is equal or bigger that 45 and activates if it is.
Variant:Mylife.B (Caric, Cari)
This worm variant was found on 22nd of March 2002. It quickly spread to many areas in Asia and Australia.
The worm is a PE executable file written in Visual Basic and compressed with UPX file compressor.
The worm spreads via Outlook, sending itself to every address found from the address book. The worm also gets email addresses from user's MSN Messenger database.
Messages sent by Mylife.B look like this:
From: name-of-infected-user To: random-name-from-address-book Subject: bill caricature Body: Hiiiii How are youuuuuuuu? look to bill caricature it's vvvery verrrry ffffunny :-) :-) i promise you will love it? ok buy ========No Viruse Found======== MCAFEE.COM ---------------------------- Attachment: CARI.SCR
Do note the poor attempt to make the email look like it has been scanned by a gateway virus scanner on announced clean.
After user clicks on the attachment CARI.SCR, he will see this image on-screen:
After first activation the worm copies itself to Windows System directory as CARI.SCR and adds a startup key for its file to the Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "win" = "%SysDir%\cari.scr"
Where %SysDir% is Windows System folder.
The worm has a payload. After spreading the worm can delete files with the following extensions:
*.sys (Windows directory) *.vxd, *.sys, *.ocx, *.nls (Windows System directory)
The worm also can delete all files from the following locations:
c:\*.* (root directory of c:\ drive) d:\*.* (root directory of d:\ drive) e:\*.* (root directory of e:\ drive) f:\*.* (root directory of f:\ drive)
The payload is time-triggered and only works if hour value is equal to 8 and if the worm's file CARI.SCR is already present in Windows System directory.
The payload usually renders an infected system inoperable.
Variant:Mylife.F
Mylife.F worm was found in the wild on April 2nd, 2002. Largest infections currently in Australia and UK.
This variant is spreading in messages which look like this:
From: name-of-infected-user Subject: the list Body: Hiiiii How are youuuuuuuu? look to the notepad it's vvvery verrrry ffffunny :-) :-) i promise you will love it :-) Notepad = list list = 37 buyyyy ========No Viruse Found======== MCAFEE.COM -------------------------------- Attachment: List480.TXT.scr
Variant:Mylife.M (I-Worm.Mylife.M, W32/Mylife.m@MM)
NOTE:Mylife.M variant is not currently widespread enough to be ranked as an alert under F-Secure Radar alerting system.
This variant of the worm appeared in the beginning of July 2003. The worm's file is a PE EXE file 8192 byte long compressed with UPX file compressor.
When the worm's file is run, it creates an empty file with the name 'MyLife.mpg' in the root of C: drive and tries to open it with Windows Media Player. Then the worm it copies itself to Windows System folder with the following names:
Julia_Roberts_F*cking_toilet.Mpeg_.scr Shakira_1997_part_1_.Mpeg_.scr
Then it creates a startup key for one of its files in System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Win32" = "%winsysdir%\Shakira_1997_part_1_.Mpeg_.scr"
The worm spreads itself in 2 different email messages:
Subject: Fw: Julia Roberts Body: Hi How are you? Lexy and Mystique, a couple of 18 yr old bi gothic chicks, came over and had some fun in our shower. This scene looks even better on video, check em out at gotgiclex.com ========No virus detected======== MCAFEE.COM" Attachment:Julia_Roberts_F*cking_toilet.Mpeg_.scr
OR
Subject: Old Shakira Body: Hi i saw this good ASS,, i sleep 3 hours ;-) check Shakira ass soory Shakira movi :) ========No virus detected======== MCAFEE.COM" Attachment: Shakira_1997_part_1_.Mpeg_.scr
The worm has a dangerous payload. It can delete all files and folders from D:, E: and F: drives. Also it can delete all files from Windows System folder and *.SYS files from Windows folder.