W32/MyLife.b@MM
Aliases:
W32.Caric@mm (Symantec), Win32.MyLife.B (CA), Win32/Cari.Worm (CA)
We have seen a large and growing number of computers infected with W32/MyLife.b@MM. This is a MEDIUM RISK virus but is spreading fast.
This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:
Subject: bill caricature
Attachment: cari.scr
The attachment is a UPX packed PE file. When executed on the local
machine, the following image is displayed whilst the worm copies
itself to the System folder, and uses Outlook to propagate itself to all
address found in the Outlook Address book and addresses on the MSN Messenger
contact list.
The following Registry key is added to ensure the worm is executed at subsequent system startup:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\win=C:\WINDOWS\SYSTEM\cari.scr
Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:
* *.* from C:\ D:\ E:\ and F:\
* *.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM
The most likely scenario for this occurrence is for a system to become
infected on one day, and the system files to be deleted the next, when
the machine is rebooted or powered on in the morning.
Indications Of Infection:
* Presence of: cari.scr (41,984 bytes) in the
system directory.
* Messages bearing the properties described above
in your 'Sent Mail' folder.
Method Of Infection:
When executed, the worm propagates itself to all addresses found
in the Outlook Address book and addresses on the MSN Messenger contact
list, using Microsoft Outlook. The worm copies itself to the System folder,
modifying the Registry to run this copy at subsequent startup.
Removal Instructions: McAfee have added DAT files for detection and removal.
In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected
files automatically to the C:\_Restore folder. This means that an infected
file could be stored there as a backup file, and VirusScan will be unable
to delete these files. The following instructions explain how to remove
the infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop, and choose Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse
the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility,
follow steps 1-9 and on step 5 remove the check mark next to "Disable System
Restore". The infected file's are removed and the System Restore is once
again active.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
220302/051004
