Article

Four new 'nuisance' MyLife variants in circulation

Edward Hurley, Assistant News Editor

The writer of the last month's Bill Clinton worm appears to be back at it again.

Several variants of W32/MyLife are making their way around. MyLife-A first reared its head two weeks ago featuring a cartoon of Bill Clinton playing a saxophone while it infected the system.

FOR MORE INFORMATION:

    Requires Free Membership to View

See this searchSecurity exclusive, "Clinton worm tries to delete drives, files"

See this searchSecurity exclusive, "MyParty will be a short one"

Best Web Links on Malware such as worms

Archived Featured Topic: Virus busters

Have a question about viruses or worms? Pose it here with the searchSecurity site experts

This time around, the worm shows various bogus error messages when opened. But like MyLife-A, the new worms copy themselves to the Windows system directory and change registry keys. The worms then harvest e-mail addresses from users' Outlook address books and send copies of themselves out.

The MyLife variants, four thus far, arrive appearing as a screensaver attached to an e-mail. Each message has a line indicating the mail has been scanned by McAfee. Oddly enough, the message contains similar spelling errors as the first version of MyLife, which is also known as W32/Caric-A. This time around, virus is spelled "viruse." Other creative spellings include writing "bye" as "buyyyy."

The poor spelling is a tip-off to e-mail recipients and will likely slow the worms' progress, antivirus experts say. They don't expect the worms to infect a lot of machines.

"This worm got lucky," said Roger Thompson, TruSecure's technical director of malicious code research. "What I mean by that is someone with a big address book opened it."

"But it just a nuisance-level attack," he added. "We get one or two of them a month and probably will always get them."

Organizations that block .scr or double extension files at the gateway would be safe from MyLife. Some variants are simply .scr files while others have the double extension of .txt.scr. "I think MyParty has woken a lot of companies up to the dangers (of allowing in certain file extensions)," said Chris Wraight, technical director with Sophos.

MyParty spread in late January masquerading as a hyperlink to a Yahoo page featuring pictures of the sender's family vacation. Some antivirus experts recommend blocking .com files along with executables at the gateway to prevent such infections.

Even if some of the new versions of MyLife get through, some antivirus software will catch them without being updated, as it is similar to the previous version, Thompson said. To be safe, however, users should update their virus definitions, he said.

Following are the subject lines and messages for each of the variants:

W32/MyLife-C:
Subject: The List

Message:
Hiiiii
How are youuuuuuuu?
Here is that Notepad you asked for ... don't show anyone else ;-)
Notepad = list
list = 137
buyyyy
========No Viruse Found========
                   MCAFEE.COM

Attached file: List.TXT.scr
W32/MyLife-D:
Subject: New Screen Saver

Message:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
                   MCAFEE.COM

Attached file: Screen.scr
W32/MyLife-E:
Subject: sexxxyyy Screen Saver
or
New Screen Saver

Message:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buyyyy
========No Viruse Found========
                   MCAFEE.COM

Attached file: Screen.scr
W32/MyLife-F:
Subject: the list

Message:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
                   MCAFEE.COM

Attached file: list480.txt.scr

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: