Win32.Myparty.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Myparty.A@mm is also known as W32/Myparty@mm.
Explanation:
It arrives in the following format:
Subject: New photos from my party!
Body:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com
When the user executes the attachment, the worm checks its own name for certain string patterns. If its name contains ACCESS, it copies itself to C:\RECYCLED or to C:\ with the name regctrl.exe. If its name contains COM, it executes regctrl.exe, and if the name contains EXE, it starts the e-mail spreading routine.
If something goes wrong or the date is not between 01-25-2002 and 01-29-2002, it tries to rename itself in C:\RECYCLED with a random name in the following format: F-x-x-x-x.exe, where x is a random number.
If everything went well, it drops a Trojan in the StartUp folder with the name msstask.exe.
The worm only works between 01-25-2002 and 01-29-2002.
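The message format and file names described above can be turned into a small triage check; this is an added example, not part of the original write-up. The function names, result labels and sample message are constructed for illustration, and two points are assumptions that go beyond the text: that each x in F-x-x-x-x.exe is one or more digits, and the general rule flagging any "www. ... .com" attachment name (a host-like name that Windows treats as a .COM program).

```python
import re
from email import message_from_string
from pathlib import PureWindowsPath

SUBJECT = "new photos from my party!"
ATTACHMENT = "www.myparty.yahoo.com"
# Assumption: each x in F-x-x-x-x.exe is one or more decimal digits.
RANDOM_NAME = re.compile(r"^F-\d+-\d+-\d+-\d+\.exe$", re.IGNORECASE)

# Constructed sample message (no payload), built from the format in the write-up.
SAMPLE = """\
From: a@example.invalid
Subject: New photos from my party!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.myparty.yahoo.com"

placeholder
--b1--
"""

def check_message(raw):
    """Return the write-up's mail indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.append("attachment-name")
        elif name.startswith("www.") and name.endswith(".com"):
            # Generalisation: host-like name that Windows runs as a .COM program.
            hits.append("hostname-like-com-attachment")
    return hits

def check_path(path):
    """Classify a Windows path against the file names the write-up lists."""
    p = PureWindowsPath(path)
    name, folder = p.name.lower(), str(p.parent).lower()
    if name == "regctrl.exe" and folder in ("c:\\", "c:\\recycled"):
        return "regctrl-copy"
    if RANDOM_NAME.match(p.name) and folder == "c:\\recycled":
        return "renamed-copy"
    if name == "msstask.exe" and p.parent.name.lower() == "startup":
        return "startup-trojan"
    return None
```

Paths are parsed with PureWindowsPath, so the check runs on a file listing exported from a Windows host even when the analysis machine is not Windows.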
The worm searches for e-mail addresses in the Outlook Express e-mail box and in all .dbx files it finds in the My Documents folder. It then sends itself to all those addresses, and for each infected e-mail it sends another one to the address napster@gala.net.
Last update 21 November 2011