
Thread: Risk Assessment: Medium for W32/Myparty@MM

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Risk Assessment: Medium for W32/Myparty@MM

    Information from NAI and initial warning from Trend Micro.

    Summary
    Virus Name: W32/Myparty@MM
    Risk Assessment: Medium

    Virus Information
    Discovery Date: 01/27/2002
    Origin: Unknown
    Length: 29,696 bytes
    Type: Virus
    SubType: E-mail
    Minimum Dat: 4184
    Minimum Engine: 4.0.70
    DAT Release Date: 01/30/2002
    Description Added: 01/27/2002
    Description Updated: 01/27/2002 11:43 PM (PT)

    Virus Characteristics
    Due to the number of samples AVERT received Sunday night, an EXTRA.DAT has been posted. AVERT continues to monitor the prevalence of this threat. This mass-mailing worm arrives in an email message containing the following information:

    Subject: new photos from my party!
    Body: Hello!

    My party... It was absolutely amazing!
    I have attached my web page with new photos!
    If you can please make color prints of my photos. Thanks!

    Attachment: www.myparty.yahoo.com (29,696 byte PE file)

    Running the attachment infects the local machine. The virus copies itself to c:\Recycled\regctrl.exe and executes that file. The user's default SMTP server is retrieved from the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001. The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.
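    A mail-gateway check for the message indicators listed in this write-up (subject line, attachment name, 29,696-byte size, and an executable posing as a "web page"), as an added Python example that is not part of the original post or of any vendor tool. It uses only the standard library; the sample messages and the example.test addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
# Indicators quoted in the NAI/McAfee write-up above
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
MYPARTY_SIZE = 29696  # bytes
def build_message(subject, body, attachment_name=None, payload=b""):
    # Helper used only to construct the sample input below (not real mail)
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.test", "bob@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
# Constructed samples: one mimicking the worm's lure (a padded PE-like blob of
# the reported size) and one ordinary message with a harmless attachment.
SAMPLES = {
    "myparty": build_message("new photos from my party!",
                             "Hello!\n\nMy party... It was absolutely amazing!\n",
                             MYPARTY_ATTACHMENT, b"MZ" + b"\0" * (MYPARTY_SIZE - 2)),
    "benign": build_message("Minutes from today's meeting", "Attached.\n",
                            "minutes.txt", b"1. Budget\n2. Hiring\n"),
}
def myparty_indicators(raw):
    # Return the Myparty indicators that a raw RFC 5322 message matches
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == MYPARTY_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == MYPARTY_ATTACHMENT:
            hits.append("attachment-name")
        if len(data) == MYPARTY_SIZE:
            hits.append("attachment-size")
        if data[:2] == b"MZ":  # a "web page" that is really a PE executable
            hits.append("pe-attachment")
    return hits

def verdict(raw):
    # Quarantine on the attachment name alone, or on the lure subject plus a PE
    hits = myparty_indicators(raw)
    if "attachment-name" in hits or {"subject", "pe-attachment"} <= set(hits):
        return "quarantine"
    return "deliver"
```

    The size and name checks alone are brittle against trivial edits of the worm, which is why the PE-header check is combined with the lure subject rather than relied on in isolation.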

  2. #2
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Is it just me, or are all the "viruses" coming out directed at just using Outlook/Outlook Express as a local bitch and sending everyone in their address book a copy of said letter? You've got to be kidding me. To all those idiots writing "viruses" for mail worms: you suck. Give it up... It's like saying "Yeah, I owned him/her/it" after DDoSing some poor slob off the net with your "zombies" which are illegally obtained. Did I say you suck already? And what's even worse, while this existed 6-8 years ago (these problems and such), it wasn't nearly as prevalent as it is now. Buncha script kiddy I'm-using-mommy-and-daddy's-computer-and-cable-modem fscknuts...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  3. #3
    s0nIc (Fastest Thing Alive)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584


    Hehee, one of da reasons why I don't use Outlook...

  4. #4
    Yea, it looks like using MS Outlook is like walking through fire while you're covered in gasoline holding a stick of dynamite - it's a damn death trap. It is funny how it seems as if every virus does use Outlook in some form or another. Of course, it is a Microsoft product. Maybe with Microsoft on this newfound security kick, they'll start getting down and fixing all of the problems with Outlook.

    But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?
    - Maverick

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    We use Eudora... first thing I do on a new Win2k box is delete all instances of OE icons... which isn't easy, they show up everywhere... and after every IE update... ya gotta do it all over...

    Win2k doesn't like you deleting or uninstalling OE... it's part of Windows' protected file system... but just to be sure... I deny permission access to progfiles\outlook express... then if someone "accidentally" tries to use it... they can't...

    "I used to be with it. But then they changed what it was. Now what I'm with isn't it, and what's it seems scary and weird." - Abe Simpson

  6. #6
    Senior Member
    Join Date
    Jul 2001
    Posts
    420
    Originally posted by Maverick811
    . . .But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?
    It does not damage the end user's system, but if it gets loose in a company of say 2500 users and the users foolishly click on the attachment button, it can bring Exchange to its knees if not bring it down. That is the danger with that type of virus. Please, no comments on the ease of breaking M$ products.

    Cheers,

    -D

  7. #7
    Originally posted by zigar
    We use Eudora... first thing I do on a new Win2k box is delete all instances of OE icons... which isn't easy, they show up everywhere... and after every IE update... ya gotta do it all over...

    Win2k doesn't like you deleting or uninstalling OE... it's part of Windows' protected file system... but just to be sure... I deny permission access to progfiles\outlook express... then if someone "accidentally" tries to use it... they can't...


    Yea, I know what you are saying - Windows is in love with Outlook Express - Not only does it magically appear with every IE update, but I've explicitly told the installer for Office not to install OE and it does it anyway, just after I finished cleaning OE completely off the system.

    We use Eudora too - I haven't heard of any exploits that take advantage of Eudora, but that's not to say there aren't any.
    - Maverick

  8. #8
    s0nIc (Fastest Thing Alive)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584


    But to my knowledge, this latest threat, MyParty, doesn't do anything harmful to your box - it just mails itself to everyone it can. Big deal, what's the point? Maybe somebody just wanting to see if they could do it?

    Well, that's what a worm is all about... in case some of the readers here don't know what worm really means (and I'm not pointing any fingers), worm means "Write Once Read Many", which means I'll go write a worm once and let it go spread around...

    The difference between a worm and a virus is that a worm's sole task is to spread... that's all... while a virus is intentionally programmed to do damage...

    The worm may cause damage, but surely that's not what the writer intended to do... he/she just wants his/her work to be known to the world w/o the intention of harming anyone...

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    Windows is in love with Outlook Express

    hehe... you -can- delete OE files... I'm just setting up 6 new boxes... and since we were talkin about this I decided to see what I could do...

    If you remove all propagated permissions to the OE directory... except for your admin account... you can delete the files... and since -system- has had its permissions removed as well... it can't re-install the OE files... you do get nine or so entries in the event log... and I expect they'll show up on boot every time as Win tries to "repair" itself... so I'll prob reset the permissions... but ooooo... it feels good to hit del *.* and see all those POS files disappear... if only but for a moment... hehe

    (ya ya ok... maybe a bit crazy... but I've spent all day tracking down an Active Directory problem... and that SUCKS)
    "I used to be with it. But then they changed what it was. Now what I'm with isn't it, and what's it seems scary and weird." - Abe Simpson

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    157
    Couple of things:
    1. For me, in a global organization that grows by buying other companies, it's not possible to avoid Outlook and its various mutant brothers... gotta defend and be ever-vigilant...

    2. The virus doesn't merely install its own SMTP processes and go ballistic mailing stuff out... it also installs a backdoor trojan that the AV vendors are treating as a separate entity, since it's not a new variant but recycled code.

    From McAfee: Once running, the backdoor tries to connect to the following IP address: 209.151.250.170 in order to download the command file that operates the backdoor.
    That's where the real danger is. MyParty is a front for setting up reconnaissance for future attacks. Someone compiling a list of vulnerable systems.
    Noah built the ark BEFORE it rained.
    http://ld.net/?rn
