W32/Myparty.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 01/27/2002
Length: 29,696 bytes
Minimum DAT: 4184 (01/30/2002)
Updated DAT: 4274 (06/30/2003)
Minimum Engine: 5.1.00
Description Added: 01/27/2002
Description Modified: 02/21/2002 3:50 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This mass-mailing worm drops a BackDoor trojan (BackDoor-FB.svr.gen) on Windows NT/2K/XP systems. The worm itself carries no destructive payload. It arrives in an email message containing the following information:

Subject: new photos from my party!
Body: Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com (29,696 byte PE file)

The attachment name may trick some users into thinking that clicking the file will take them to a Yahoo website. Certain email clients, especially those that underline the filename, may make this attachment appear more like a URL than in the Microsoft Outlook example above, where it is more clearly distinguishable. The attachment is an executable file with a .COM extension, not a URL. Running the attachment infects the local machine.

On Windows 9x/ME

  • If the date is between January 25-29, 2002, the virus copies itself to C:\Recycled\regctrl.exe and executes that file.

On WinNT/2K/XP

  • If the date is not between January 25-29, 2002, the worm copies itself to C:\Recycled as F-[random number]-[random number]-[random number] with no extension.
  • If the date is between January 25-29, 2002, the worm copies itself to C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder. MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is deleted. If the executable's filename is ACCESS, the user is directed to the www.disney.com website.

This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002. The user's default SMTP server is retrieved from the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001

The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.

Symptoms

  • Presence of C:\RECYCLED\REGCTRL.EXE (visible from a DOS prompt, not from within Windows)
  • Presence of C:\REGCTRL.EXE
  • Presence of %userprofile%\Start Menu\Programs\Startup\msstask.exe

Method of Infection

Executing an infected attachment causes the worm to email itself to addresses found on the system.
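The following is an added example, not code from this advisory or from McAfee: a small Python checker that applies the indicators above on the defender's side. It flags an incoming message carrying the lure subject, the attachment name www.myparty.yahoo.com, or a PE (MZ) attachment of exactly 29,696 bytes disguised as a .COM file, and it recognises the dropped-file names listed under Symptoms (including the extensionless F-<n>-<n>-<n> form). The sample message is constructed inline with a dummy MZ blob so the script runs offline.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the advisory text.
WORM_SUBJECT = "new photos from my party!"
WORM_ATTACHMENT = "www.myparty.yahoo.com"
WORM_SIZE = 29696
# Files the worm writes (Windows filenames are case-insensitive).
DROPPED_NAMES = {"regctrl.exe", "msstask.exe"}
# C:\Recycled\F-<n>-<n>-<n> with no extension (NT/2K/XP outside the date window).
RECYCLED_PATTERN = re.compile(r"^F-\d+-\d+-\d+$")


def scan_message(raw: bytes) -> list[str]:
    """Return the Myparty indicators matched by one RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    if (msg["subject"] or "").strip().lower() == WORM_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == WORM_ATTACHMENT:
            hits.append("attachment-name")
        if payload[:2] == b"MZ" and len(payload) == WORM_SIZE:
            hits.append("attachment-size")
        # Any PE image named *.com is a URL-lookalike executable, not a URL.
        if payload[:2] == b"MZ" and name.endswith(".com"):
            hits.append("pe-disguised-as-com")
    return hits


def is_dropped_file(basename: str) -> bool:
    """True if a filename matches one the advisory says the worm writes."""
    return basename.lower() in DROPPED_NAMES or bool(RECYCLED_PATTERN.match(basename))


def build_sample() -> bytes:
    """Constructed lure message (assumed addresses); the attachment is a harmless MZ-prefixed blob."""
    m = EmailMessage()
    m["Subject"] = "new photos from my party!"
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m.set_content("Hello!\n\nMy party... It was absolutely amazing!\n")
    m.add_attachment(b"MZ" + b"\0" * (WORM_SIZE - 2), maintype="application",
                     subtype="octet-stream", filename=WORM_ATTACHMENT)
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()), is_dropped_file("F-1234-56-789"))
```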

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Myparty.b@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Myparty (AVP)
  • MyParty (F-Secure)
  • W32.Myparty@mm (NAV)
  • W32/MyParty-A (Sophos)
  • W32/Myparty@MM
  • W32/Myparty@MM (Panda)
  • Win32.MyParty (CA)
  • Win32.MyParty.A (AVX)
  • WORM_MYPARTY.A (Trend)
