W32.Mypics.Worm


Aliases: W32/MyPics, BAT_MYPICS, W32/Mypics.bat 
Variants: Email-Worm.Win32.MyPics.a, I-Worm.MyPics.a, Win32/MyPics.A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, North and Sout America, Australia, Europe
Removal: Hard
Platform: W32
Discovered: 02 Dec 1999
Damage: High

Characteristics: This malware automatically spreads on Windows NT and 9x operating systems via email and implements a vicious payload that will commence in the year 2000. The W32.Mypics.Worm spreads by sending its code to contacts found in the Microsoft Outlook address book. The email will have an empty subject and the body will contain a message stating ‘Here’s some pictures for you’. It will also have an attachment saved in the .exe extension.

More details about W32.Mypics.Worm

The W32.Mypics.Worm will try to tick recipients that the email attachment has images. When launched, the attachment will not show any signs of launching and will seem to have terminated. However, the worm will stay resident in the system memory and will then propagate by emailing up to 50 people. It will likewise hijack the current home page of the Microsoft Internet Explorer browser and redirect it to an adult website. It will modify the Windows registry entries as well so that the malware is loaded in memory each time that the compromised system is started. This action makes the worm memory resident. This worm allegedly has 2 payloads that will create a Y2K problem. First, this security threat will monitor the system’s clock and when it has validated that that the year is set to 2000, the worm will then alter the system BIOS.

Furthermore, on the system’s succeeding cold reboot, the system will exhibit a message that states ‘CMOS Checksum Invalid’ and will hinder the system from booting. This however can be easily fixed by configuring the BIOS setup. Next, when the BIOS configuration has been restored, the W32.Mypics.Worm will launch its 2nd payload and will begin formatting the hard drive. It is critical to note that the worm is written in Visual Basic. This makes the worm dependent on a specific runtime library file for its execution.