McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Caric@mm (Symantec)

• Win32.MyLife.B (CA)

• Win32/Cari.Worm (CA)

Characteristics

-- Update 4/03/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Low.

This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:

Subject:	bill caricature
Attachment:	cari.scr

The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all address found in the Outlook Address book and addresses on the MSN Messenger contact list:

The following Registry key is added to ensure the worm is executed at subsequent system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  Run\win=C:\WINDOWS\SYSTEM\cari.scr

Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:

• *.* from C:\ D:\ E:\ and F:\
• *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM

The most likely scenario for this occurrence is for a system to become infected on one day, and the system files to be deleted the next, when the machine is rebooted or powered on in the morning.

Symptoms

• Presence of: cari.scr (41,984 bytes) in the system directory.
• Messages bearing the properties described above in your 'Sent Mail' folder.

Method of Infection

When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Caric@mm (Symantec)

• Win32.MyLife.B (CA)

• Win32/Cari.Worm (CA)

Characteristics

Characteristics -

-- Update 4/03/2002 --
Due to a decrease in prevalence, the risk assessment for this threat was lowered to Low.

This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:

Subject:	bill caricature
Attachment:	cari.scr

The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all address found in the Outlook Address book and addresses on the MSN Messenger contact list:

The following Registry key is added to ensure the worm is executed at subsequent system startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  Run\win=C:\WINDOWS\SYSTEM\cari.scr

Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:

• *.* from C:\ D:\ E:\ and F:\
• *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM

The most likely scenario for this occurrence is for a system to become infected on one day, and the system files to be deleted the next, when the machine is rebooted or powered on in the morning.

Symptoms

Symptoms -

• Presence of: cari.scr (41,984 bytes) in the system directory.
• Messages bearing the properties described above in your 'Sent Mail' folder.

Method of Infection

Method of Infection -

When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A