Date: Tue, 29 Jan 2002 00:19:34 -0500 (EST)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: Myparty Worm

------------------------------------------
MYPARTY WORM SPREADS BY E-MAIL, INSTALLS
BACK DOOR TROJAN ON WINDOWS NT/2000/XP PCs
------------------------------------------

A new PC virus called the Myparty Worm (and a variety of other names
containing "Myparty") has spread rapidly around the Internet via e-mail
in the past few days. Two strains of Myparty have been identified,
known as Myparty.A and Myparty.B. They are transmitted via e-mail
having the following characteristics:

   Subject: new photos from my party!

   Message Text:
      Hello!
      My party... It was absolutely amazing!
      I have attached my web page with new photos!
      If you can please make color prints of my photos. Thanks!

   File Attachment (Myparty.A): www.myparty.yahoo.com
   File Attachment (Myparty.B): myparty.photos.yahoo.co

If the recipient opens the attachment, his/her PC will be infected. How
the worm then behaves depends on whether it is the A or B strain, what
the date is, and what version of Windows is on the PC.

If the date is between January 25 - 29, 2002, Myparty.A mails infected
messages to addresses found in the Outlook or Outlook Express address
book on the infected PC and to addresses found in mail stored on the
infected PC. Myparty.B does the same, but between January 20 - 24,
2002. The infected e-mail has the e-mail address of the infected PC's
owner on the "From:" line, so in many cases it will appear to have been
sent by someone you know.

Those date ranges will be past by the time most of you read this, and
the Myparty Worm will (in theory) no longer be spreading via e-mail.
However there are after effects you may need to worry about, depending
on which version of Windows you use.

The Myparty Worm uses infected PCs with Windows 95, Windows 98 and
Windows ME to spread itself via e-mail, but on those versions of
Windows there are no known after effects once the date ranges described
above are past.

However on infected PCs running Windows NT, Windows 2000 and Windows
XP, in addition to spreading via e-mail the Myparty Worm also installs
a file called MSSTASK.EXE in the STARTUP folder. MSSTASK.EXE is a
BackDoor trojan that allows the author of Myparty to control the
infected PC, and to use it for various purposes.

MSSTASK.EXE accomplishes this by connecting to a Web site at IP address
209.151.250.170. A CGI script on that site then passes commands back to
MSSTASK.EXE, which executes them on the infected PC. The Myparty author
determines what commands are to be run by altering the CGI script.

For more information about the Myparty.A and Myparty.B worms, including
instructions for removing them, see:

   http://www.F-Secure.com/v-descs/myparty.shtml
   http://vil.mcafee.com/dispVirus.asp?virus_k=99332&
   http://www.symantec.com/avcenter/venc/data/w32.myparty@mm.html
   http://www.symantec.com/avcenter/venc/data/w32.myparty.b@mm.html

--
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
--------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net     410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net     410-887-4172
Technical Support (Help Desk):     help@bcpl.net         410-887-3297
Usenet News Newsgroup Requests     news-admin@bcpl.net   410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net        410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net     410-887-6180
FAX:                                                     410-887-2091
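
Added example (not part of the original BCPL.NET bulletin): a mail-gateway style check that matches the subject line and attachment names listed above against a raw message. The function names, the sample addresses and the placeholder attachment bytes are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the bulletin; names are kept exactly as printed there.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENTS = {
    "www.myparty.yahoo.com": "Myparty.A",
    "myparty.photos.yahoo.co": "Myparty.B",
}

def check_message(raw: bytes) -> dict:
    """Report which Myparty indicators a raw RFC 822 message matches.

    The From: header is deliberately ignored: infected mail carries the
    address of the infected PC's owner, so a known sender proves nothing.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    strains = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in MYPARTY_ATTACHMENTS:
            strains.add(MYPARTY_ATTACHMENTS[name])
    return {
        "subject_match": subject == MYPARTY_SUBJECT,  # weak signal on its own
        "strains": sorted(strains),
        "quarantine": bool(strains),  # attachment name is the strong signal
    }

def build_sample(subject: str, filename: str = "") -> bytes:
    """Build a constructed test message (harmless placeholder attachment)."""
    m = EmailMessage()
    m["From"] = "friend@example.org"   # constructed address
    m["To"] = "you@example.org"        # constructed address
    m["Subject"] = subject
    m.set_content("Hello!\nMy party... It was absolutely amazing!\n")
    if filename:
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fname in [(MYPARTY_SUBJECT, "www.myparty.yahoo.com"),
                        ("Re: lunch", "MYPARTY.PHOTOS.YAHOO.CO"),
                        ("New photos from my party!", "")]:
        print(subj, fname or "(no attachment)", check_message(build_sample(subj, fname)))
```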