Win32.MyLife.C@mm( N/A )
SYMPTOMS:
- File "List.TXT.scr" in the Windows System folder;
- The "sys" entry in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key; the value of this entry refers to the file named above.
TECHNICAL DESCRIPTION:
This virus is another sequel to Win32.MyLife.A@mm: a mass-mailer that uses Microsoft Outlook to send itself to the user's contacts, written in Visual Basic and packed using the UPX packer. It arrives as an attachment to an e-mail message in this format:
Subject: The List
Body: Hiiiii How are youuuuuuuu? Here is that Notepad you asked for ... don't show anyone else ;-) Notepad = list list = 137 buyyyy ========No Viruse Found======== MCAFEE.COM --------------------------------------------------------
Attachment: "List.TXT.scr" (size: ~ 8 KB)
The attachment's filename extension is (as before) chosen to fool the user into thinking it is a Windows screen-saver. When run, the virus first displays an "error" message box, then drops a copy of itself in the Windows System folder and registers it to be run each time the "infected" user logs on to Windows.
The virus sends copies of itself to all of the user's contacts in the Address Book and in MSN Messenger's Contact List, by creating e-mail messages in the format described above.
As a payload, the virus attempts (under certain conditions, such as a specific day and minute of the hour) to format some hard-disk partitions (D:, E:, F:, G:, H:, I:) and to delete all of the folders on the C: hard-disk partition; the result of this action, if successful, would be the loss of almost all of the data on the user's hard-disk(s). The virus also displays the message "LoOoOoL" while erasing the data.
Removal instructions:
ANALYZED BY: Bogdan Dragu, BitDefender Virus Researcher
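The attachment name described above ("List.TXT.scr") ends in an extension that Windows executes, preceded by a document-like one, which is a pattern a mail filter can check for. The following is an added example, not part of the original write-up: it parses a message and flags such attachments. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for this example; tune them to local policy.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls", ".zip"}


def classify_name(filename):
    """Return 'double-extension', 'executable' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before testing.
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    stem, last = os.path.splitext(name.lower())
    if last not in EXECUTABLE_EXTS:
        return None
    # Padding spaces before the real extension are a common way to hide it.
    _, previous = os.path.splitext(stem.rstrip(" "))
    return "double-extension" if previous in DECOY_EXTS else "executable"


def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every flagged attachment in a message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = classify_name(filename) if filename else None
        if verdict:
            findings.append((filename, verdict))
    return findings


def build_sample():
    """Constructed sample: the page's subject and attachment name, inert bytes."""
    msg = EmailMessage()
    msg["Subject"] = "The List"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Here is that Notepad you asked for ...")
    msg.add_attachment(b"inert placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="List.TXT.scr")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict}: {filename}")
```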


