The biggest worm of the year has struck, and it's no party.
When executed, W32.MyParty-A@mm, also known as MyParty, spreads using its own e-mail engine via Outlook, Outlook Express and Exchange and drops a backdoor program called Msstake-A, into the infected system. MessageLabs reported seeing more than 9,700 copies at 5 p.m. Monday.
MyParty will be short-lived, however. The worm will only spread until late today because its author set it to spread between Jan. 24 and Jan. 29, said Roger Thompson, technical director of malicious code research for TruSecure.
MyParty arrives in an e-mail with the subject line: "new photos from my party!" The virus is executed when a user clicks on the attachment that arrives in the form of a URL: "www.myparty.yahoo.com," thus fooling some into thinking it's a link to a Web site.
The message comes with the following text:
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
The worm is cloaked as an executable link to the site but is really about 30 KB of malicious code written in Visual C++, said Chris Wraight, technical director with Sophos. When executed, it sends copies of itself to everyone in the Windows address book but not the infected users. MyParty also sends a message to email@example.com, probably so the writer can track the worm's progress, Wraight said.
MyParty drops Troj/Msstake-A, a backdoor Trojan, in infected machines. The Trojan could allow someone to gain remote access of the machine over a network. Virus experts contacted by searchSecurity report no known exploitations of the Trojan.
It's not known which versions of Windows are affected by the malicious code, but Thompson found during tests that it spreads on machines running both Windows 2000 and Windows XP. But the backdoor wasn't installed in the XP box, he said.
The morale of MyParty is that users should be suspicious whenever "they receive an unsolicited e-mail with an attachment, even from a friend or family member," Wraight said.