

Myparty is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30Kb in length (compressed by UPX, 76K decompressed), and it is written in Microsoft Visual C++.

Infected messages appear as follows:

[Image: Myparty email, captioned "The message."]

The worm activates from infected e-mail only when a user double-clicks on the attached file. The worm then installs itself to the system and runs a spreading routine.

Behaviour

Installation

While installing, the worm copies itself to:

  • c:\regctrl.exe - under Win9x/ME
  • c:\recycled\regctrl.exe - under WinNT/2K/XP

and spawns this copy. When the worm's file name does not end in ".com" (as in the attachment) but in ".exe" (the worm has been renamed), it also opens the Web page "http://www.disney.com".

The original file (as it was run from an infected e-mail) is moved to the Recycled or Recycler directory with one of the following names:

  • C:\RECYCLER\F-%1-%2-%3
  • C:\RECYCLED\F-%1-%2-%3

where %1, %2, %3 are randomly selected numbers, for example: F-12158-19044-21300, F-27729-23255-31008.

While installing, the worm checks the keyboard layout set, and when there is Russian keyboard support, the worm copies itself to Recycled/Recycler in the same way and exits. It does the same on any date outside 25–29 January 2002.

As a result, the worm works only from 25 until 29 January 2002, and only on machines without Russian keyboard support.

Spreading

To send infected messages, the worm uses a direct SMTP connection to an e-mail server. To obtain a victim's e-mail addresses, the worm scans WAB files (Windows Address Book) and *.DBX files (Outlook Express).

The worm also sends one e-mail (without an attachment) to "napster@gala.net".

Backdoor

Under WinNT/2000/... the worm also creates a new file in a user's auto-run directory: %Userprofile%\Start Menu\Programs\Startup\msstask.exe and writes a backdoor program there. This backdoor is driven by data stored in a file at the website "http://209.151.250.170".
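
The file locations listed under Installation and Backdoor can be checked against a file listing from a suspect machine. The following is an added example, not part of the original article or any vendor tool; the function names and the sample listing (including the "alice" profile path) are constructed for illustration.

```python
import re

# Path patterns taken from the Installation and Backdoor sections above.
# Windows paths are case-insensitive, so every pattern is compiled with re.I.
INDICATORS = [
    ("worm copy (Win9x/ME)", re.compile(r"^c:\\regctrl\.exe$", re.I)),
    ("worm copy (WinNT/2K/XP)", re.compile(r"^c:\\recycled\\regctrl\.exe$", re.I)),
    # Moved original: F-%1-%2-%3 with three numeric fields, placed directly
    # in the Recycled/Recycler directory.
    ("moved original attachment",
     re.compile(r"^c:\\recycle[dr]\\f-\d+-\d+-\d+$", re.I)),
    # %Userprofile% differs per account, so match only the fixed tail.
    ("backdoor in Startup folder",
     re.compile(r"\\start menu\\programs\\startup\\msstask\.exe$", re.I)),
]


def normalize(path: str) -> str:
    """Use backslashes and drop surrounding whitespace so listings from
    different tools compare the same way."""
    return path.strip().replace("/", "\\")


def match_indicators(paths):
    """Return (path, label) for every path that matches a Myparty artifact."""
    hits = []
    for raw in paths:
        path = normalize(raw)
        for label, pattern in INDICATORS:
            if pattern.search(path):
                hits.append((path, label))
                break
    return hits


# Constructed sample listing (not taken from a real host).
SAMPLE_LISTING = [
    r"C:\RECYCLED\regctrl.exe",
    r"C:\RECYCLER\F-12158-19044-21300",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\msstask.exe",
    r"C:\WINNT\system32\regsvr32.exe",       # unrelated system file
    r"C:\RECYCLER\S-1-5-21-1004\INFO2",      # ordinary recycle-bin content
    r"C:\Tools\regctrl.exe",                 # same name, different location
]

if __name__ == "__main__":
    for path, label in match_indicators(SAMPLE_LISTING):
        print(f"{label}: {path}")
```

The check matches on name and location only, so a hit should be confirmed by scanning the file itself.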

Known Variants

Myparty.b

This one is a slightly modified 'a' version. The differences are:

  • The attached file name is "myparty.photos.yahoo.com".

Aliases

  • Email-Worm.Myparty.a (Kaspersky Lab)
  • I-Worm.Myparty.a (Kaspersky Lab)
  • Virus: W32/Myparty.eml (McAfee)
  • Virus: W32/Myparty.a@MM (McAfee)
  • W32/MyParty-A (Sophos)
  • W32.Myparty.B (ClamAV)
  • W32/Myparty@MM (Panda)
  • W32/Myparty.A@mm (FPROT)
  • Worm:Win32/Myparty.A@mm (MS(OneCare))
  • Win32.HLLM.MyParty.1 (DrWeb)
  • Win32/Myparty.A worm (Nod32)
  • Win32.Generic.5413 (BitDef7)
  • I-Worm.Myparty.a (VirusBuster)
  • Win32:MyParty [Wrm] (AVAST)
  • Email-Worm.Win32.Myparty (Ikarus)
  • I-Worm/MyParty.A (AVG)
  • WORM/MyParty.A (AVIRA)
  • W32.Myparty@mm (NAV)
  • MyParty.A@mm (Norman)
  • Worm.Mail.Myparty.a (Rising)
  • Email-Worm.Win32.Myparty.a [AVP] (FSecure)
  • WORM_MYPARTY.A (TrendMicro)
  • Email-Worm.Win32.Myparty.A (Sunbelt)
  • I-Worm.Myparty.a (VirusBusterBeta)
