[email protected]

Aliases: W32/[email protected]
Variants: Email-Worm.Win32.Myparty.b, I-Worm.Myparty.b, W32/[email protected], Win32.HLLM.MyParty.2 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 26 Jan 2002
Damage: Low

Characteristics: The [email protected] is a mass-mailing worm that propagates only on dates between the 25th and 29th of January 2002. It will, however, remain active on the compromised machine even after those dates have passed. The worm sends email messages to every contact it can gather from the Windows address book and from the contact list, inbox and folders of Outlook Express.

More details about [email protected]

When the W32.Myparty@mm worm is launched, its first action is to check the system date. If the date is not between the 25th and 29th of January 2002, or if the keyboard configuration is not set to Russian, the malware copies itself to the Recycled folder and then exits. Otherwise, the worm carries on with its routine. It then checks its own filename: if the name is 'Access', the worm tries to open the web browser to a Disney site and then exits. If the worm has a .com extension, it copies itself to one of two predetermined locations on the machine and then launches an .exe file. If, on the other hand, the worm's filename has the .exe extension, it begins its spreading routine. It searches for addresses in the Windows address book and Outlook Express and then sends itself to the addresses it obtains using its Simple Mail Transfer Protocol (SMTP) engine. It will, however, use the default address of the system's SMTP server.

On systems running Windows 2000, NT and XP, the worm creates a backdoor Trojan that helps the worm execute at Windows startup. This backdoor Trojan is Backdoor.Myparty, and it can contact a webpage that permits the worm's remote master to access the victim machine. The actions the Trojan performs depend on the webpage's contents. The worm then sends a message to its master so that the master can track it. The [email protected] worm's active process appears as a smiley face symbol in the Windows Task Manager.