Not Everything Starting with "www" and Ending in ".com" Is a Web Site

28 Jan 2002
Virus News

Kaspersky Lab, an international data-security software developer, announces the detection of a new Internet worm going by the name of Myparty that spreads via e-mail. At this time, several incidents of infection by this malicious code have already been reported.

The worm arrives on a target computer as a file attached to an e-mail message. The file is a Windows application about 30Kb in length, written in Microsoft Visual C++ and compressed with the UPX utility.

An infected message appears as follows:

As can be seen, the attachment's filename deliberately mimics a Web-site address. The trick relies on the user's trust: when double-clicking the attachment, the user expects to be taken to an Internet address, but what actually happens is that the malicious program is executed the moment the attachment is opened.
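A mail-gateway check for the trick described above, written as an added example (not code from Kaspersky Lab or from the worm): it flags attachments whose name reads like a "www...com" address but whose final extension is one Windows will execute, and separately flags executable content (the "MZ" header of a Windows application) hiding behind a harmless extension. The sample filenames and payloads are constructed; the page does not give Myparty's actual attachment name.

```python
import os
import re

# Extensions Windows executes on double-click. ".com" (an MS-DOS executable
# format) is the one this trick abuses, because it also ends a web address.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# A filename that reads like a host name: "www." followed by dotted labels.
URL_LOOKALIKE = re.compile(r"^www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)


def looks_like_url(filename):
    """True if the attachment name reads like a web address (www.something.tld)."""
    return URL_LOOKALIKE.match(filename) is not None


def has_executable_extension(filename):
    """True if the final extension is one Windows treats as executable."""
    return os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS


def has_executable_header(data):
    """Windows applications start with the 'MZ' signature, whatever the name says."""
    return data[:2] == b"MZ"


def classify_attachment(filename, data):
    """'block' = executable extension inside a URL-lookalike name (the Myparty trick);
    'suspicious' = executable content behind a non-executable extension;
    'executable' = ordinary executable, subject to the normal attachment policy;
    'ok' = nothing notable."""
    exec_ext = has_executable_extension(filename)
    if looks_like_url(filename) and exec_ext:
        return "block"
    if has_executable_header(data) and not exec_ext:
        return "suspicious"
    if exec_ext or has_executable_header(data):
        return "executable"
    return "ok"


# Constructed sample attachments (hypothetical names, not the worm's real one).
CONSTRUCTED_SAMPLES = [
    ("www.example-party.com", b"MZ\x90\x00" + b"\x00" * 60),  # URL-lookalike executable
    ("www.example.com.txt", b"http://www.example.com\n"),      # harmless text file
    ("invoice.txt", b"MZ\x90\x00"),                            # executable, wrong extension
    ("setup.exe", b"MZ\x90\x00"),                              # plain executable
]

if __name__ == "__main__":
    for name, payload in CONSTRUCTED_SAMPLES:
        print(f"{name:25} -> {classify_attachment(name, payload)}")
```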

"This is definitely a new technique for manipulating a user that is uniquely employed by 'Myparty' to have already caused a series of infections. The rest of the program is a classic Internet worm that is not differentiated from hundreds of similarly created Internet worms," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "This occurrence once again confirms that not everything beginning with 'www' and ending in '.com' is a Web site."

If the system date on the computer falls between 25 and 29 January 2002, Myparty launches its installation and spreading routines. In addition, the worm checks for the presence of Russian-language support; if it is detected, the worm stops its operation and exits.

To remain resident in memory after every start-up of the infected computer, the worm creates copies of itself in several disk directories and registers them in the auto-start section of the Windows system registry.

To send its copies via e-mail, the worm scans the Windows Address Book and the DBX databases (also used by Outlook Express) and collects all the addresses it finds. It then establishes a direct connection to a remote SMTP server and, unnoticed by the user and apparently in the name of the infected computer's user, sends its copies to these addresses. To confirm an infection, the worm also sends a blank e-mail to the napster@gala.net address.

Myparty has some dangerous side effects. On computers running Windows NT/2000/XP, the worm installs a spy program that allows unauthorized remote control. In this way, an attacker can gain total control over the victim's computer.

In addition to this, depending on a number of conditions, Myparty opens the http://www.disney.com Web site in the current Internet browser window.

Defense procedures thwarting Myparty have already been added to the Kaspersky Anti-Virus database.

A more detailed description of this Internet worm can be found in the Kaspersky Virus Encyclopedia.