The writer of last month's Bill Clinton worm appears to be back at it again.
Several variants of W32/MyLife are making their way around. MyLife-A first reared its head two weeks ago featuring a cartoon of Bill Clinton playing a saxophone while it infected the system.
This time around, the worm shows various bogus error messages when opened. But like MyLife-A, the new worms copy themselves to the Windows system directory and change registry keys. The worms then harvest e-mail addresses from users' Outlook address books and send copies of themselves out.
The MyLife variants, four thus far, arrive appearing as a screensaver attached to an e-mail. Each message has a line indicating the mail has been scanned by McAfee. Oddly enough, the message contains spelling errors similar to those in the first version of MyLife, which is also known as W32/Caric-A. This time around, virus is spelled "viruse." Other creative spellings include writing "bye" as "buyyyy."
The poor spelling is a tip-off to e-mail recipients and will likely slow the worms' progress, antivirus experts say. They don't expect the worms to infect a lot of machines.
"This worm got lucky," said Roger Thompson, TruSecure's technical director of malicious code research. "What I mean by that is someone with a big address book opened it."
"But it's just a nuisance-level attack," he added. "We get one or two of them a month and probably will always get them."
Organizations that block .scr or double extension files at the gateway would be safe from MyLife. Some variants are simply .scr files while others have the double extension of .txt.scr. "I think MyParty has woken a lot of companies up to the dangers (of allowing in certain file extensions)," said Chris Wraight, technical director with Sophos.
MyParty spread in late January masquerading as a hyperlink to a Yahoo page featuring pictures of the sender's family vacation. Some antivirus experts recommend blocking .com files along with executables at the gateway to prevent such infections.
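As an added illustration (not code from the article or from any vendor quoted in it), the gateway check described above can be sketched in Python: parse the message, normalise each attachment name, and block `.scr`/`.com` files and `.txt.scr`-style double extensions. The block and decoy lists, the function names and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# .scr and .com are named in the article; reading "executables" as .exe is
# this example's assumption.
BLOCKED = {".scr", ".com", ".exe"}
# Decoy extensions for the double-extension check. Only .txt is reported in
# the article; the others are constructed for illustration.
DECOYS = {".txt", ".doc", ".jpg"}


def classify(filename):
    """Return (verdict, reason) for one attachment filename."""
    # Keep the last path component, then drop the trailing dots and spaces
    # that Windows ignores, so "Screen.scr. " is judged as "screen.scr".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    final = "." + parts[-1]
    if final not in BLOCKED:
        return ("allow", "extension not on block list")
    if len(parts) >= 3 and "." + parts[-2] in DECOYS:
        return ("block", "double extension ." + parts[-2] + final)
    return ("block", "blocked extension " + final)


def scan_message(raw_bytes):
    """Classify every named MIME part, including nested ones."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename(),) + classify(part.get_filename())
            for part in msg.walk() if part.get_filename()]


def build_sample(filename):
    """Constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "the list"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("list480.txt.scr", "Screen.scr", "notes.txt"):
        print(scan_message(build_sample(name)))
```

Matching on the final extension after case-folding and trimming is what catches `List.TXT.scr`; a filter that compares the raw name against a lowercase `.scr` suffix would miss it.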
Even if some of the new versions of MyLife get through, some antivirus software will catch them without being updated, because they are similar to the previous version, Thompson said. To be safe, however, users should update their virus definitions, he said.
Following are the subject lines and messages for each of the variants:
W32/MyLife-C:
Subject: The List
Message:
Hiiiii
How are youuuuuuuu?
Here is that Notepad you asked for ... don't show anyone else ;-)
Notepad = list
list = 137
buyyyy
========No Viruse Found========
MCAFEE.COM
Attached file: List.TXT.scr
W32/MyLife-D:
Subject: New Screen Saver
Message:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
Attached file: Screen.scr
W32/MyLife-E:
Subject: sexxxyyy Screen Saver
or
New Screen Saver
Message:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buyyyy
========No Viruse Found========
MCAFEE.COM
Attached file: Screen.scr
W32/MyLife-F:
Subject: the list
Message:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
MCAFEE.COM
Attached file: list480.txt.scr