My Party virus - just in case




Posted by Joe Cimoch on Monday, January 28, 2002 at 3:20PM :

Delete it if you get it.

Virus Characteristics

This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on Windows NT/2K/XP systems. The worm itself carries no destructive payloads. It arrives in an email message containing the following information:

Subject: new photos from my party!
Body: Hello!

My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!

Attachment: www.myparty.yahoo.com (29,696 byte PE file)

The attachment name may trick some users into thinking that if they click on the file, they will be taken to a Yahoo website. This attachment is an executable file with a .COM extension, not a URL. Running the attachment infects the local machine. The virus copies itself to C:\Recycled\regctrl.exe and executes that file. The user's default SMTP server is retrieved from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.

This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002.
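Added example (not part of the post or of any vendor write-up): a small Python mail-gateway check built from the indicators above. It flags attachments whose filename looks like a web address (www.something.com) but whose content starts with a DOS/PE "MZ" header, and matches the exact MyParty subject, name and size. The sample message is constructed here with a placeholder payload, not the real worm body.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the post above.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
MYPARTY_SIZE = 29_696

# A filename that looks like a hostname ("www.something.com") but is
# really a .COM executable: the lure described in the post.
HOSTNAME_LIKE = re.compile(r"^www\.[\w.-]+\.com$", re.IGNORECASE)

def inspect_attachment(filename, data):
    """Return the reasons (possibly none) this attachment looks like the MyParty lure."""
    reasons = []
    if filename and HOSTNAME_LIKE.match(filename):
        reasons.append("hostname-like name with .com extension")
    if data[:2] == b"MZ":  # DOS/PE executable header, regardless of extension
        reasons.append("content is a PE/DOS executable")
    if filename and filename.lower() == MYPARTY_ATTACHMENT and len(data) == MYPARTY_SIZE:
        reasons.append("exact MyParty attachment name and size")
    return reasons

def scan_message(raw):
    """Parse a raw RFC 822 message; return (part, reasons) findings for the subject and each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject == MYPARTY_SUBJECT:
        findings.append(("subject", ["matches MyParty subject line"]))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, payload)
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed sample mimicking the lure; the attachment is 64 placeholder bytes, not code."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "new photos from my party!"
    m.set_content("Hello!\n\nMy party... It was absolutely amazing!\n")
    m.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                     subtype="octet-stream", filename="www.myparty.yahoo.com")
    return bytes(m)
```

The "MZ" header check is the useful part: a gateway that trusts the extension or the display name alone is exactly what the hostname-style filename is designed to get past.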



