Posted by Joe Cimoch on Monday, January 28, 2002 at 3:20PM :
Delete it if you get it.
Virus Characteristics
This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on Windows NT/2K/XP systems. The worm itself carries no destructive payloads. It arrives in an email message containing the following information:
Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: (29,696 byte PE file)
The attachment name may trick some users into thinking that if they click on the file, they will be taken to a Yahoo website. This attachment is an executable file with a .COM extension, not a URL. Running the attachment infects the local machine. The virus copies itself to C:\Recycled\regctrl.exe and executes that file. The user's default SMTP server is retrieved from the registry.
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.
This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002.
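
The masquerade described above (an executable .COM attachment whose name reads like a web address) can be checked for at a mail gateway. The following is an added example, not part of the original post or any vendor's code. The function names, the extension list and the placeholder filename `www.photos.example.com` are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; ".com" is the one the post describes.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# A filename that reads like a web host, e.g. "www.something.com".
HOSTLIKE = re.compile(r"^(www\.)?([a-z0-9-]+\.)+com$", re.I)

def check_attachments(raw: bytes):
    """Return a list of (filename, reasons) for suspicious attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTS:
            reasons.append("executable extension " + ext)
        if HOSTLIKE.match(name):
            reasons.append("filename looks like a web address")
        if data[:2] == b"MZ":
            reasons.append("content starts with PE/DOS 'MZ' header")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; subject and body text are quoted from the post."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "rcpt@example.invalid"
    m["Subject"] = "new photos from my party!"
    m.set_content("Hello!\nMy party... It was absolutely amazing!")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    # Placeholder attachment name and a constructed 64-byte stub, not the real worm.
    raw = build_sample("www.photos.example.com", b"MZ" + b"\x00" * 62)
    for name, reasons in check_attachments(raw):
        print(name, "->", "; ".join(reasons))
```
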