-
January 28th, 2002, 10:34 AM
#1
Risk Assessment: Medium for W32/Myparty@MM
Information from NAI and initial warning from Trend Micro.
Summary
Virus Name: W32/Myparty@MM
Risk Assessment: Medium
Virus Information
Discovery Date: 01/27/2002
Origin: Unknown
Length: 29,696 bytes
Type: Virus
SubType: E-mail
Minimum DAT: 4184
Minimum Engine: 4.0.70
DAT Release Date: 01/30/2002
Description Added: 01/27/2002
Description Updated: 01/27/2002 11:43 PM (PT)
Virus Characteristics
Due to the number of samples AVERT received Sunday night, an EXTRA.DAT has been posted. AVERT continues to monitor the prevalence of this threat. This mass-mailing worm arrives in an email message containing the following information:
Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com (29,696 byte PE file)
Running the attachment infects the local machine. The virus copies itself to c:\Recycled\regctrl.exe and executes that file. The user's default SMTP server is retrieved from the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001. The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.
-
January 28th, 2002, 01:42 PM
#2
Is it just me, or are all the "viruses" coming out directed at just using Outlook/Outlook Express as a local bitch and sending everyone in their address book a copy of said letter? You've got to be kidding me. To all those idiots writing "viruses" for mail worms: you suck. Give it up... It's like saying "Yeah, I owned him/her/it" after DDoSing some poor slob off the net with your "zombies" which are illegally obtained. Did I say you suck already? And what's even worse, while this existed 6-8 years ago (these problems and such), it wasn't nearly as prevalent as it is now. Buncha script kiddy I'm-using-mommy-and-daddy's-computer-and-cable-modem fscknuts...
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
January 29th, 2002, 10:59 PM
#3
Hehee, one of da reasons why I don't use Outlook...
-
January 29th, 2002, 11:08 PM
#4
Yea, it looks like using MS Outlook is like walking through fire while you're covered in gasoline holding a stick of dynamite - it's a damn death trap. It is funny how it seems as if every virus does use Outlook in some form or another. Of course, it is a Microsoft product. Maybe with Microsoft on this newfound security kick, they'll start getting down and fixing all of the problems with Outlook.
But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?
-
January 29th, 2002, 11:11 PM
#5
we use eudora...first thing I do on a new win2k box is delete all instances of OE icons...which isn't easy, they show up everywhere...and after every IE update...ya gotta do it all over...
win2k doesn't like you to delete or uninstall OE...it's part of windows protected file system...but just to be sure...I deny permission access to progfiles\outlook express...then if someone "accidentally" tries to use it...they can't...
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
January 29th, 2002, 11:19 PM
#6
Originally posted by Maverick811
. . .But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?
It does not damage the end user's system, but if it gets loose in a company of, say, 2500 users and the users foolishly click on the attachment button, it can bring Exchange to its knees if not bring it down. That is the danger with that type of virus. Please, no comments on the ease of breaking m$ products.
Cheers,
-D
-
January 29th, 2002, 11:23 PM
#7
Originally posted by zigar
we use eudora...first thing I do on a new win2k box is delete all instances of OE icons...which isn't easy, they show up everywhere...and after every IE update...ya gotta do it all over...
win2k doesn't like you to delete or uninstall OE...it's part of windows protected file system...but just to be sure...I deny permission access to progfiles\outlook express...then if someone "accidentally" tries to use it...they can't...
Yea, I know what you are saying - Windows is in love with Outlook Express - Not only does it magically appear with every IE update, but I've explicitly told the installer for Office not to install OE and it does it anyway, just after I finished cleaning OE completely off the system.
We use Eudora too - I haven't heard of any exploits that take advantage of Eudora, but that's not to say there aren't any.
-
January 29th, 2002, 11:30 PM
#8
But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?
well, that's what a worm is all about.. in case some of the readers here don't know what worm really means (and I'm not pointing any fingers) worm means "Write Once Read Many" which means I'll go write a worm once and let it go spread around...
The difference between a worm and a virus is that a worm's sole task is to spread.. that's all.. while a virus is intentionally programmed to do damage..
The worm may cause damage but surely that's not what the writer intended to do.. he/she just wants his/her work to be known to the world w/o the intention of harming anyone...
-
January 30th, 2002, 12:29 AM
#9
Windows is in love with Outlook Express
hehe..you -can- delete OE files...I'm just setting up 6 new boxes...and since we were talkin about this I decided to see what I could do...
if you remove all propagated permissions to the OE directory...except for your admin account...you can delete the files...and since -system- has had its permissions removed as well...it can't re-install the OE files...you do get nine or so entries in the event log..and I expect they'll show up on boot every time as win tries to "repair" itself....so I'll prob reset the permissions...but ooooo...it feels good to hit del *.* and see all those POS files disappear...if only but for a moment...hehe
(ya ya ok...maybe a bit crazy...but I've spent all day tracking down active directory problems...and that SUCKS)
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
January 30th, 2002, 06:34 AM
#10
couple of things:
1. For me, in a global organization that grows by buying other companies, it's not possible to avoid Outlook and its various mutant brothers .... gotta defend and be ever-vigilant....
2. the virus doesn't merely install its own SMTP processes and go ballistic mailing stuff out ... it also installs a backdoor trojan that the AV vendors are treating as a separate entity since it's not a new variant but recycled code.
From McAfee: Once running, the backdoor tries to connect to the following IP address: 209.151.250.170 in order to download the command file that operates the backdoor.
That's where the real danger is. MyParty is a front for setting up reconnaissance for future attacks. Someone compiling a list of vulnerable systems.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
Noah built the ark BEFORE it rained.
http://ld.net/?rn
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-==-=
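As an added example, not code from the thread or from any vendor advisory: a defender-side Python check that flags mail matching the lure described in post #1 (subject, attachment name, 29,696-byte size) and firewall log lines whose destination is the backdoor address quoted in post #10. The mail message and the log lines are constructed sample data, and the log format is an assumption.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread (posts #1 and #10): the mail lure and the backdoor address.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"  # ends in .com: an executable dressed up as a host name
MYPARTY_SIZE = 29696                          # 29,696-byte PE file per the advisory
BACKDOOR_C2_IP = "209.151.250.170"


def check_message(raw):
    """Return the names of the Myparty indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == MYPARTY_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():  # yields nothing for a non-multipart message
        if (part.get_filename() or "").lower() == MYPARTY_ATTACHMENT:
            hits.append("attachment-name")
        if len(part.get_payload(decode=True) or b"") == MYPARTY_SIZE:
            hits.append("attachment-size")
    return hits


def c2_connections(log_text):
    """Return (action, source IP) for each line whose destination is the backdoor address.
    Assumed log format (constructed): 'DATE TIME ACTION PROTO SRC:PORT -> DST:PORT'."""
    found = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[6].rsplit(":", 1)[0] == BACKDOOR_C2_IP:
            found.append((f[2], f[4].rsplit(":", 1)[0]))
    return found


def sample_message():
    """Constructed message mimicking the lure in post #1; the attachment is a dummy blob."""
    m = EmailMessage()
    m["Subject"] = "New photos from my party!"
    m["From"] = "someone@example.com"
    m["To"] = "victim@example.com"
    m.set_content("Hello!\nMy party... It was absolutely amazing!\n")
    m.add_attachment(b"MZ" + b"\x00" * (MYPARTY_SIZE - 2), maintype="application",
                     subtype="octet-stream", filename=MYPARTY_ATTACHMENT)
    return m.as_string()


SAMPLE_FW_LOG = """\
2002-01-28 10:40:01 ALLOW TCP 10.0.0.5:1045 -> 192.0.2.10:80
2002-01-28 10:40:07 ALLOW TCP 10.0.0.7:1052 -> 209.151.250.170:80
2002-01-28 10:41:12 DENY TCP 10.0.0.9:1060 -> 209.151.250.170:80
"""
```

A single hit on the subject or the size alone is weak; the attachment name combined with the size is the stronger signal, and any host in `c2_connections` output is worth a look even when the firewall denied the connection.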