Virus News. Monday, January 28, 2002
******************************************************************

1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site
2. How to subscribe/unsubscribe

****

1. Not Everything Starting with 'www' and Ending in '.com' Is a Web Site

The Internet worm 'Myparty' poses as a Web-site link

Kaspersky Labs, an international data-security software developer, announces the detection of a new Internet worm named Myparty that spreads via e-mail. Several incidents of infection by this malicious code have already been reported.

The worm arrives on a target computer as a file attached to an e-mail message. The file is a Windows application about 30Kb in length, written in Microsoft Visual C++ and compressed with the UPX utility.

An infected message appears as follows:

Subject: new photos from my party!

Body:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

As is apparent, the carrier file purposely poses as a Web-site address. The worm counts on the user's trust: the user expects that double-clicking the attachment will open some Internet address. What actually happens is that a malicious program is activated when the attachment is opened.

"This is definitely a new technique for manipulating a user that is uniquely employed by 'Myparty' to have already caused a series of infections. The rest of the program is a classic Internet worm that is not differentiated from hundreds of similarly created Internet worms," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Labs. "This occurrence once again confirms that not everything beginning with 'www' and ending in '.com' is a Web site."

If the system date on a computer is between January 25 and 29, 2002, Myparty launches its installation and spreading routines. In addition, the worm checks for the presence of Russian-language support; if this is detected, the worm stops running and exits.

To stay resident in memory after each start-up of the infected computer, the worm copies itself to various disk directories and registers the copies in the program auto-start section of the Windows system registry.

To send its copies via e-mail, the worm scans the Windows Address Book and DBX (also used in Outlook Express) databases and collects all the addresses it finds. It then establishes a direct connection with a remote SMTP server and silently sends its copies to these addresses, ostensibly in the name of the infected computer's user. To confirm an infection, the worm also sends a blank e-mail to the [EMAIL PROTECTED] address.

Myparty has some dangerous side effects. On computers running Windows NT/2000/XP, the worm installs a spy program for unauthorized remote control. In this way, a malefactor can gain total control over a victim's computer. In addition, depending on a number of conditions, Myparty opens the http://www.disney.com Web site in the current Internet browser window.

Protection against Myparty has already been added to the Kaspersky Anti-Virus database.

A more detailed description of this Internet worm can be found in the Kaspersky Virus Encyclopedia (http://www.viruslist.com/eng/viruslist.html?id=46966).

**

2. How to subscribe/unsubscribe

If you would like to subscribe to other Kaspersky Lab news blocks or to unsubscribe from this news block, you can do so by visiting http://www.kaspersky.com/subscribenow.html

If you experience any problems with this procedure, please contact us at: [EMAIL PROTECTED]

****

Best of Luck,
Kaspersky Lab News Agent

-----
10 Geroyev Panfilovtcev St., Moscow, 123363, Russia
Telephone/Facsimile: +7 (095) 948 43 31
WWW: http://www.kaspersky.com, http://www.viruslist.com
FTP: ftp://ftp.kasperskylab.ru
E-mail: [EMAIL PROTECTED]
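Added example, not part of the Kaspersky bulletin: the attachment name 'www.myparty.yahoo.com' works as a lure because '.com' is also an executable file extension on Windows. The Python sketch below shows how a mail gateway could flag attachments whose name reads like a Web address but ends in an executable extension. The function names, the extension list (an assumed subset) and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed subset of extensions that Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# A file name that reads like a host name: www.<label>.<label>[.<label>...]
HOSTNAME_LIKE = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def classify_attachment(filename):
    """Return the reasons (possibly none) an attachment name is suspicious."""
    # Windows drops trailing dots and spaces, so normalise before checking.
    name = filename.strip().rstrip(". ")
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot > 0 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension:" + ext)
        if HOSTNAME_LIKE.match(name):
            reasons.append("name-poses-as-web-address")
    return reasons

def scan_message(raw_bytes):
    """Map each suspicious attachment file name in a raw message to its reasons."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename and (reasons := classify_attachment(filename)):
            findings[filename] = reasons
    return findings

def build_sample():
    """Constructed message shaped like the one in the bulletin (dummy payloads)."""
    m = EmailMessage()
    m["Subject"] = "new photos from my party!"
    m.set_content("Hello! My party... It was absolutely amazing!")
    m.add_attachment(b"dummy payload", maintype="application",
                     subtype="octet-stream", filename="www.myparty.yahoo.com")
    m.add_attachment(b"dummy image", maintype="image",
                     subtype="jpeg", filename="photos.jpg")
    return m.as_bytes()

if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(name, "->", ", ".join(why))
```

The check looks only at the declared file name; a gateway would normally pair it with content-type inspection of the attachment bytes.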