...And I'll Cry if I Want To

by Jim Freund

It's MyParty -- the first pervasive virus written in the new year to make the rounds. While the trigger date has passed, the Trojan/worm can still cause quite a hangover if you're not prepared. We tell you what to look for, what the symptoms are, what the payload will do, and how to remove the malicious program from your system.

This particular worm doesn't hold any new threat or innovation that we haven't seen before and is fairly easy to contain and remove, but it is fairly infectious and, like all such creatures, can be a nuisance if triggered. Its primary dangers are the usual mass mailing and, more significantly, a payload that includes a back door Trojan.

What to Look For
The virus is most commonly delivered as an e-mail that appears as follows:

Subject: new photos from my party!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com

The attachment name is part of the social engineering scheme at play. Some unsuspecting users will associate the extension with a URL, but of course .COM signifies an executable, which will infect the machine if launched.

The Payload
The first part of the payload is already passé. Between January 25 and 29, 2002, the program will attempt to send mail to everyone in your Outlook and Windows address books. An e-mail is also sent to napster@gala.net, presumably for the author(s) to track its course. This may also include the user's default SMTP server, which will have been gleaned from the registry entry at HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001 on NT-based systems.

Outside of the infection itself, this is not much to worry about, though doubtless some slow e-mail systems or mis-set clocks will provide a straggler or two.

More insidiously, on Windows 2000, NT, and XP systems, on those same dates, the worm can copy itself to the c:\recycled folder as f-[random number]-[random number]-[random number] (no extension). In some variants, it may be copied as c:\recycled\regctrl.exe. Outside of January 25-29, however, the worm will not stay completely dormant. It will instead copy itself to c:\regctrl.exe and place msstask.exe in the startup folder. This file is a Trojan known as BackDoor, and has several variants. In this case, once running, it will try to connect to in an attempt to download the command file and take control of the infected machine.

There are several variants of MyParty that behave slightly differently outside of the trigger dates. Some remain dormant, but some are deadly. It is best to be vigilant.

On Windows 9x/ME, start the computer in Safe mode. If running NT/2K/XP, press [Ctrl][Alt][Del] and select Task Manager | Processes. Look to see if msstask.exe is running (and be sure it's not mstask.exe -- a legit Windows program) and if so, end the process.

Now, using your preferred (updated!) anti-virus software, scan the complete system and let it cleanse the machine.
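The file and process names described above can be checked mechanically before or after the anti-virus scan. The following is an added example, not part of the original article or any vendor's tool: a small Python triage helper run over a constructed file listing and process list. It assumes "[random number]" means a run of decimal digits and treats any directory named Startup as the startup folder; every sample path is invented.

```python
import ntpath
import re

# Assumption: "[random number]" in the article means a run of decimal digits.
RECYCLED_COPY = re.compile(r"^f-\d+-\d+-\d+$")

def classify_path(path):
    """Return a reason if a Windows path matches an artifact named in the article, else None."""
    p = ntpath.normpath(path).lower()          # Windows paths are case-insensitive
    folder, name = ntpath.split(p)
    if folder == r"c:\recycled":
        if RECYCLED_COPY.match(name):          # extension-less f-N-N-N copy
            return "worm copy in c:\\recycled (f-N-N-N, no extension)"
        if name == "regctrl.exe":
            return "worm copy c:\\recycled\\regctrl.exe (some variants)"
    if p == r"c:\regctrl.exe":
        return "worm copy c:\\regctrl.exe"
    if name == "msstask.exe":                  # two s's; mstask.exe is legitimate
        in_startup = ntpath.basename(folder) == "startup"
        return "backdoor msstask.exe (%s)" % ("Startup folder" if in_startup else "outside Startup")
    return None

def flag_processes(names):
    """Return process names equal to msstask.exe; the legitimate mstask.exe is not flagged."""
    return [n for n in names if n.strip().lower() == "msstask.exe"]

def scan(paths):
    """Map each matching path to the reason it was flagged."""
    return {p: r for p in paths for r in [classify_path(p)] if r}

# Constructed sample data (not taken from a real infection).
SAMPLE_PATHS = [
    r"C:\RECYCLED\f-1048-22731-907",
    r"C:\Recycled\regctrl.exe",
    r"C:\regctrl.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msstask.exe",
    r"C:\WINNT\system32\mstask.exe",           # legitimate Windows program
    r"C:\RECYCLED\f-1048-22731-907.txt",       # has an extension, so not a match
]
SAMPLE_PROCESSES = ["explorer.exe", "mstask.exe", "MSSTASK.EXE"]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_PATHS).items():
        print(path, "->", reason)
    print("processes to end:", flag_processes(SAMPLE_PROCESSES))
```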

As always, make sure you have the latest anti-viral signatures and security patches, alter the default behavior of Windows, Outlook, and Outlook Express so that files are not launched automatically, and be sure to educate your users about attachments. (For more discussion on that topic, see Dealing With Network Security Scofflaws.)

Interestingly, the virus will remain mostly dormant if your keyboard settings are set to Russian characters, so one other (but less productive) protection would be to get out your language translation book...

Ne pooha ne perha! (Good luck!)

Jim Freund is the Managing Editor of CrossNodes.

This article was originally published on Thursday Jan 31st 2002