
W32/Myparty Malicious Code

CERT® Incident Note IN-2002-01

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet
community.

W32/Myparty Malicious Code

Release Date: January 28, 2002

A complete revision history can be found at the end of this file.

Systems Affected

 Systems running Microsoft Windows

Overview

"W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment.
The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is
non-destructive.

As of 16:00 EST (UTC-0500) on January 28, 2002, the CERT/CC had received reports of W32/Myparty from several
dozen individual sites.

I. Description

Analysis of the W32/Myparty malicious code indicates that it is a Windows binary spreading via an email
message with the following characteristics:

     SUBJECT: new photos from my party!

     BODY:
     Hello!

     My party... It was absolutely amazing!
     I have attached my web page with new photos!
     If you can please make color prints of my photos. Thanks!


     ATTACHMENT: www.myparty.yahoo.com

The attached file name containing the malicious code, www.myparty.yahoo.com, was carefully chosen to entice
the email recipient to open and (in most email clients) run the attachment. This social engineering exploits
the fact that .com is both an executable file extension in Windows and a top-level domain (TLD).

We have seen two variants of www.myparty.yahoo.com as follows:

Filename = www.myparty.yahoo.com
MD5 checksum = 43fc3f274372f548b7e6c14af45e0746
File size = 30172

Filename = www.myparty.yahoo.com
MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd
File size = 29701

Both files take the same actions when executed:

   * the file msstask.exe is created in the current user's profile Startup folder (\Start
     Menu\Programs\Startup) and is immediately executed. It will also be executed every time the Windows user
     logs into the system.

     Filename = msstask.exe
     MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd
     File size = 6144

   * on Windows 9x computers, a copy of www.myparty.yahoo.com is written to C:\Recycled\REGCTRL.EXE. On
     Windows NT computers, this copy is placed in either C:\REGCTRL.EXE or a newly created random directory
     in the C:\Recycled folder. This copy is subsequently executed.

   * an email message is sent to a predefined address with a subject line of the folder where the W32/Myparty
     malicious code was stored on the victim machine. When sending this message, W32/Myparty will use the
     SMTP statement HELO HOST when identifying itself to the SMTP server.

   * the current user's default SMTP server is retrieved from the following registry key:

          HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001

   * the hard drive is scanned for Windows Address Book (.WAB) files and Outlook Express inboxes and folders
     (.DBX) in order to harvest email addresses.

   * copies of the malicious code are emailed to all the email addresses it could find.

Outside analysis indicates that this final step of mass mailing may be time-dependent: the code may only send
itself if the clock on the victim machine is set to January 25-29. It is the experience of the CERT/CC that
variants of malicious code often occur, so this time trigger may not apply.

Other outside analysis also indicates that the default web browser may be launched to a particular URL under
certain circumstances.
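The file names, locations and MD5 checksums listed above can be turned into a simple host-side check. The following script is an added example for this note, not a CERT/CC tool: it walks the directories the note names (the user's Startup folder and C:\Recycled; the environment-variable based path construction in default_windows_roots is an assumption about the profile layout), flags files by the artifact names msstask.exe, REGCTRL.EXE and www.myparty.yahoo.com, and hashes candidate files against the three checksums from the note. The demo() function builds a constructed directory tree with placeholder bytes (no real sample is used) so the logic can be exercised anywhere.

```python
import hashlib
import os
import tempfile

# File names and MD5 sums the incident note attributes to W32/Myparty.
ARTIFACT_NAMES = {"msstask.exe", "regctrl.exe", "www.myparty.yahoo.com"}
KNOWN_MD5 = {
    "43fc3f274372f548b7e6c14af45e0746": "www.myparty.yahoo.com (30172 bytes)",
    "221c47432e70b049fce07a6ca85ca7dd": "www.myparty.yahoo.com (29701 bytes)",
    "cda312b5364bbaddcd2c2bf3ceb4e6cd": "msstask.exe (6144 bytes)",
}
# Sizes from the note; used as a cheap pre-filter before hashing.
KNOWN_SIZES = {30172, 29701, 6144}

# Constructed placeholder content for the demo; this is NOT the worm.
PLACEHOLDER = b"constructed placeholder bytes, not the real file"


def md5_of_file(path):
    """MD5 of a file read in chunks so large files in the scan roots are not slurped into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def candidate_files(paths):
    """Yield every file under the given paths; a path that is itself a file is yielded directly."""
    for p in paths:
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for dirpath, _dirs, files in os.walk(p):
                for name in files:
                    yield os.path.join(dirpath, name)


def scan_for_myparty(paths, known_md5=KNOWN_MD5):
    """Return [(path, [reasons])] for files matching an artifact name or a known checksum."""
    hits = []
    for path in candidate_files(paths):
        name = os.path.basename(path).lower()
        reasons = []
        by_name = name in ARTIFACT_NAMES
        if by_name:
            reasons.append("artifact-name")
        try:
            size = os.path.getsize(path)
        except OSError:
            size = None
        # Hash only candidates (matching name or size); hashing every file is the expensive part.
        if by_name or size in KNOWN_SIZES:
            try:
                digest = md5_of_file(path)
            except OSError:
                digest = None
            if digest in known_md5:
                reasons.append("known-md5:" + known_md5[digest])
        if reasons:
            hits.append((path, reasons))
    return hits


def default_windows_roots():
    """Locations the note names on Windows (assumed profile layout; adjust to the system being checked)."""
    profile = os.environ.get("USERPROFILE", r"C:\Windows")
    startup = os.path.join(profile, "Start Menu", "Programs", "Startup")
    return [startup, r"C:\Recycled", r"C:\REGCTRL.EXE"]


def demo(match_constructed_hash=False):
    """Scan a constructed tree: a Startup folder holding a placeholder msstask.exe plus a benign text file."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = os.path.join(tmp, "Start Menu", "Programs", "Startup")
        os.makedirs(startup)
        with open(os.path.join(startup, "msstask.exe"), "wb") as fh:
            fh.write(PLACEHOLDER)
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"benign")
        known = dict(KNOWN_MD5)
        if match_constructed_hash:
            # Treat the placeholder's own checksum as known, to exercise the hash path offline.
            known[hashlib.md5(PLACEHOLDER).hexdigest()] = "constructed sample"
        return scan_for_myparty([tmp], known_md5=known)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

Hash matching catches only the two attachment variants and the msstask.exe dropper listed in the note; the name match is there because, as the note says, further variants are likely and their checksums will differ.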

II. Impact

W32/Myparty may cause the default web browser to run unexpectedly. Likewise, the victim and targeted sites
may experience an increased load on the mail server when the malicious code is propagating.

III. Solution

Run and maintain an anti-virus product

It is important for users to update their anti-virus software. Most anti-virus software vendors have released
updated information, tools, or virus databases to help detect and recover from W32/Myparty. A list of
vendor-specific anti-virus information can be found in Appendix A.

Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic
updates when available.

Exercise caution when opening attachments

Exercise caution when receiving email with attachments. Users should be suspicious of unexpected attachments
regardless of their origin. In general, users should also always scan files received through email with an
anti-virus product.

The following section of the "Home Network Security" document provides advice on handling email attachments
securely:

     http://www.cert.org/tech_tips/home_networks.html#IV-A-4

Filter the email or use a firewall

Sites can use email filtering techniques to delete messages containing subject lines known to contain the
malicious code, or they can filter all attachments.
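A mail-gateway filter for the characteristics described in section I (the subject line, the attachment name, the .com-extension trick and the two attachment checksums) can be written with Python's standard email parser. The script below is an added example, not part of this note or of any vendor's product: classify_message returns finding codes for one raw RFC 822 message, and should_quarantine applies a policy in which the attachment name or a known checksum alone is enough, while the lure subject only counts together with an executable attachment. The two build_* functions construct sample messages inline with placeholder attachment bytes (no real sample is embedded), so the filter runs offline.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators taken from the incident note.
LURE_SUBJECT = "new photos from my party!"
LURE_ATTACHMENT = "www.myparty.yahoo.com"
KNOWN_MD5 = {
    "43fc3f274372f548b7e6c14af45e0746",  # www.myparty.yahoo.com, 30172 bytes
    "221c47432e70b049fce07a6ca85ca7dd",  # www.myparty.yahoo.com, 29701 bytes
}
# Extensions Windows executes directly; ".com" is also a TLD, which is what the lure relies on.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")

# Constructed placeholder bytes standing in for the attachment; this is NOT the worm.
SAMPLE_PAYLOAD = b"MZ-placeholder-constructed-for-this-example"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def classify_message(raw, known_md5=KNOWN_MD5):
    """Parse one raw message and return a list of finding codes (empty list = nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject == LURE_SUBJECT:
        findings.append("subject-lure")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if filename == LURE_ATTACHMENT:
            findings.append("attachment-name")
        if filename.endswith(EXECUTABLE_EXTENSIONS):
            findings.append("executable-attachment")
        if md5_hex(payload) in known_md5:
            findings.append("known-md5")
    return findings


def should_quarantine(findings):
    """Hard indicators alone suffice; the subject alone does not, since legitimate mail may reuse it."""
    if {"attachment-name", "known-md5"} & set(findings):
        return True
    return "subject-lure" in findings and "executable-attachment" in findings


def build_lure_message():
    """Constructed message with the note's subject, body text and attachment name."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello!\n\nMy party... It was absolutely amazing!\n"
                    "I have attached my web page with new photos!\n")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename=LURE_ATTACHMENT)
    return msg.as_bytes()


def build_benign_message():
    """Constructed ordinary message with a text attachment, to show the filter stays quiet."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "meeting notes"
    msg.set_content("Notes attached.\n")
    msg.add_attachment("1. budget\n2. schedule\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure_message(), build_benign_message()):
        found = classify_message(raw)
        print(found, "quarantine" if should_quarantine(found) else "deliver")
```

The checksum match only fires on the two variants the note lists; the name and extension checks are what carry the filter when the next variant appears with a different hash, which is why the note's more general advice to filter all attachments is the more robust option.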

Appendix A. - Vendor Information

Aladdin Knowledge Systems

     http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102

Central Command, Inc.

     http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020128-000003

Command Software Systems

     http://www.commandsoftware.com/virus/myparty.html

Computer Associates

     http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1323

F-Secure Corp

     http://www.datafellows.com/v-descs/myparty.shtml

McAfee

     http://vil.mcafee.com/dispVirus.asp?virus_k=99332&

Norman Data Defense Systems

     http://www.norman.com/virus_info/w32_myparty_a_mm.shtml

Panda Software

     http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&pestanaFicha=0&idioma=1&nombreVirusFicha=W32/Myparty@MM

Proland Software

     http://www.pspl.com/virus_info/worms/myparty.htm

Sophos

     http://www.sophos.com/virusinfo/analyses/w32mypartya.html

Symantec

     http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.myparty@mm.html

Trend Micro

     http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A

You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

     http://www.cert.org/other_sources/viruses.html

---------------------------------------
Authors: Roman Danyliw, Allen Householder
---------------------------------------
---------------------------------------
This document is available from: http://www.cert.org/incident_notes/IN-2002-01.html
---------------------------------------

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

     http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please
include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

---------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on
an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
---------------------------------------
Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link
