F-Secure received several reports of the W32/Myparty worm from the field on January 28th, 2002. The first samples arrived from Singapore and then from various other Asian countries, but soon samples were coming in from all around Europe and the USA as well.
This worm spreads in a message with the following content:
Subject: new photos from my party!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Please note that the attachment may look like a link to a web site in some email clients.
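As an added mail-gateway example (not part of F-Secure's description), the following Python script scores an incoming message against the lure quoted above: the fixed subject line, the three body sentences, an attachment whose name is shaped like a web address ending in ".com" (which is why the attachment can render as a link), and an attachment whose payload starts with the "MZ" header of a Windows executable. The sample message is constructed here; the attachment name "www.myparty.photos.example.com" and the stub payload are assumptions, not the worm's real file.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Lure text quoted in the description; compared case-insensitively.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_BODY_PHRASES = (
    "my party... it was absolutely amazing!",
    "i have attached my web page with new photos!",
    "please make color prints of my photos",
)
MZ_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def attachment_looks_like_site(name):
    """True if a filename is shaped like a hostname ending in .com, the trick
    that makes a COM executable look like a web link in some mail clients."""
    return bool(re.fullmatch(r"(?i)[a-z0-9-]+(\.[a-z0-9-]+)*\.com", name or ""))


def score_message(raw_bytes):
    """Return the list of Myparty indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject == MYPARTY_SUBJECT:
        findings.append("subject matches Myparty lure")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = [p for p in MYPARTY_BODY_PHRASES if p in body]
    if hits:
        findings.append(f"body contains {len(hits)} lure phrase(s)")

    for part in msg.iter_attachments():
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if attachment_looks_like_site(name):
            findings.append(f"attachment name {name!r} mimics a web address")
        if payload.startswith(MZ_MAGIC):
            findings.append(f"attachment {name!r} is a Windows executable (MZ header)")
    return findings


def is_myparty_lure(raw_bytes, threshold=3):
    """Verdict plus evidence; three independent indicators is the assumed bar."""
    findings = score_message(raw_bytes)
    return len(findings) >= threshold, findings


def build_sample(with_attachment=True):
    """Constructed sample reproducing the lure text. The attachment is a
    harmless stub that merely begins with 'MZ'; it is not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "new photos from my party!"
    m.set_content(
        "My party... It was absolutely amazing!\n"
        "I have attached my web page with new photos!\n"
        "If you can please make color prints of my photos. Thanks!\n"
    )
    if with_attachment:
        m.add_attachment(
            b"MZ" + b"\x00" * 30,
            maintype="application",
            subtype="octet-stream",
            filename="www.myparty.photos.example.com",  # assumed, constructed name
        )
    return m.as_bytes()


if __name__ == "__main__":
    verdict, evidence = is_myparty_lure(build_sample())
    print("Myparty lure:", verdict)
    for line in evidence:
        print(" -", line)
```

The subject and body phrases alone are weak evidence (a reply quoting the lure would match them too), so the verdict only fires when the executable attachment with the web-address-like name is also present.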
The worm is a PE EXE file about 30 KB long, compressed with a modified UPX file compressor. The origin of the worm is most likely Russia. The worm behaves a bit differently on NT-based and 9x-based systems. On non-Russian NT-based systems the worm drops a backdoor that is controlled by a script on a remote website.
When the worm's file is activated, it first checks the system date. If the year is 2002, the month is January and the day is earlier than the 25th, the worm tries to copy itself to the \Recycled or \Recycler folder and terminates its process. If the day is between the 25th and the 29th, the worm skips this step and continues working.
The worm then checks the installed keyboard layouts, and if one of them is 0419 (Russian), the worm copies itself to the Recycle Bin and terminates its process. Systems with a Russian keyboard layout are therefore not affected.
On non-Russian NT-based systems, the worm drops a backdoor into the current user's profile Startup folder (\Start Menu\Programs\Startup) as MSSTASK.EXE. This file is activated on the next Windows startup and also after the worm sends itself out. The dropped file is a backdoor that is controlled by a CGI script on a website at the address '18.104.22.168'.
The worm checks the name of the file from which it was started. If the operating system is Windows 9x, the worm copies itself to the Recycle Bin as REGCTRL.EXE; if the operating system is NT-based, the worm copies itself to the root of the C: drive as REGCTRL.EXE.
If the worm is started from a *.COM file, it only copies itself as REGCTRL.EXE to either the \Recycled folder or the root of the C:\ drive, activates that copy and moves the original file it was started from to the Recycle Bin. This does not happen on Windows 9x systems.
After that, the worm opens the default web browser on the 'www.disney.com' page and starts the REGCTRL.EXE file from the location it was copied to earlier.
If the worm is started from an EXE file, it gets the user's SMTP server address and e-mail address from the Registry. The worm also locates the Windows Address Book (WAB) and collects e-mail addresses from there. After that, the worm browses *.DBX files (Outlook e-mail databases) for e-mail addresses. Finally, the worm sends itself to all the e-mail addresses it found. The worm also sends a message to the 'firstname.lastname@example.org' e-mail address.
After mass-mailing, the worm moves its file to the Recycle Bin and activates the backdoor (if it was previously dropped into the Startup folder of the current user's profile).
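As an added host-side example (not part of F-Secure's description), the following Python script checks a file inventory for the drop locations named above: REGCTRL.EXE in the root of C: (NT-based hosts) or under \Recycled or \Recycler (Windows 9x, and the worm's own cleanup), and MSSTASK.EXE in a user's \Start Menu\Programs\Startup folder, which indicates the backdoor was dropped. The inventory list is constructed; the user name "alice" and the non-matching decoy paths are assumptions for the demonstration.

```python
import ntpath

# File names from the description, matched case-insensitively because
# Windows file systems are case-preserving but not case-sensitive.
WORM_COPY = "regctrl.exe"
BACKDOOR_DROP = "msstask.exe"
RECYCLE_DIRS = ("recycled", "recycler")
STARTUP_TAIL = ["start menu", "programs", "startup"]


def _split(path):
    """Normalise slashes and case, then return (drive, [dir, ...], filename)."""
    p = ntpath.normpath(path.replace("/", "\\")).lower()
    drive, tail = ntpath.splitdrive(p)
    parts = [x for x in tail.split("\\") if x]
    if not parts:
        return drive, [], ""
    return drive, parts[:-1], parts[-1]


def classify_path(path):
    """Label a path that matches one of the worm's drop locations, else None."""
    drive, dirs, name = _split(path)
    if name == WORM_COPY:
        if not dirs and drive == "c:":
            return "worm copy in root of C: (NT-based host)"
        if dirs and dirs[0] in RECYCLE_DIRS:
            return "worm copy in Recycle Bin folder"
    if name == BACKDOOR_DROP and dirs[-3:] == STARTUP_TAIL:
        return "backdoor dropped in user Startup folder (NT-based host)"
    return None


def scan_inventory(paths):
    """Map each matching path to its label; paths that match nothing are dropped."""
    hits = {}
    for path in paths:
        label = classify_path(path)
        if label:
            hits[path] = label
    return hits


# Constructed inventory: three real drop locations plus two decoys that must
# not match (a same-named file outside Startup, and a copy on another drive).
SAMPLE_INVENTORY = [
    r"C:\REGCTRL.EXE",
    r"C:\Recycled\regctrl.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\MSSTASK.EXE",
    r"C:\Windows\System32\msstask.exe",
    r"D:\Tools\regctrl.exe",
]


if __name__ == "__main__":
    for path, label in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{label}: {path}")
```

A hit on MSSTASK.EXE in the Startup folder matters more than the REGCTRL.EXE copies: the worm moves its own file to the Recycle Bin after mailing, but the backdoor persists across reboots until the Startup entry is removed.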
The original page included screenshots of how the message and attachment look under Outlook Express, Outlook 2000, Outlook XP, Netscape 4.61, Netscape 6.21 and Eudora 5.
Detection of the worm has been added to F-Secure Anti-Virus in the update shipped on January 28, 2002 / 11:30:44 (GMT+2).