Wilders Security Forums  

#1
April 2nd, 2002, 09:12 PM
FanJ
W32/MyLife-C

Name: W32/MyLife-C
Type: Win32 worm
Date: 2 April 2002

Sophos has received several reports of this worm from the wild.


Description for W32/MyLife-C:

W32/MyLife-C is a Win32 worm which copies itself to the Windows
system directory as List.TXT.scr and sets the following registry
key to run the copy on restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If List.TXT.scr is executed the worm displays the false error
message "Error Notepad.dll ##".

It then sends itself to addresses from the Outlook address book,
using an email with the following characteristics:

Subject line:
The List

Message body:
Hiiiii
How are youuuuuuuu?
Here is that Notepad you asked for ... don't show anyone else
;-)
Notepad = list
list = 137
buyyyy

========No Viruse Found========
MCAFEE.COM
--------------------------------------------------------

Attached file:
List.TXT.scr


Description for W32/MyLife-D:

W32/MyLife-D is a Win32 worm which copies itself to the Windows system directory as Screen.scr and sets the following registry key to run the copy on restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Screen

If Screen.scr is executed the worm displays a messagebox with the title "Error" and the text "Error 1452544 File Not Found".

It then sends itself to addresses from the Outlook address book, using an email with the following characteristics:

Subject line:
New Screen Saver

Message body:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buy

========No Viruse Found========
* * * * * * * * MCAFEE.COM

Attached file:
Screen.scr


Description for W32/MyLife-E:

W32/MyLife-E is a Win32 worm which copies itself to the Windows system directory as Screen.scr and sets the following registry key to run the copy on restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If Screen.scr is executed the worm displays the false error message "Error 1452544 File Not Found".

It then sends itself to addresses from the Outlook address book, using an email with the following characteristics:

Subject line:
sexxxyyy Screen Saver

or

New Screen Saver

Message body:
Hiii
How are youu!!?
look to the New Screen Saver it's vvvery verrrry ffffunny :-) :-)
i promise you will love it? ok
buyyyy

========No Viruse Found========
* * * * * * * * MCAFEE.COM

or

New Never Hood Buy

Attached file:
Screen.scr


Description for W32/MyLife-F:

W32/MyLife-F is a Win32 worm which copies itself to the Windows system directory as list480.txt.scr and sets the following registry key to run the copy on restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sys

The worm displays a messagebox with the title "Error" and the text "Error Notepad.dll ##".

It then sends itself to addresses from the Outlook address book, using an email with the following characteristics:

Subject line:
the list

Message body:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy

========No Viruse Found========
* * * * * * * * MCAFEE.COM
--------------------------------------------------------

Attached file:
list480.txt.scr


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32mylifec.html
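
Added example, not part of FanJ's post or the Sophos analysis: a mail-filter check for the attachment pattern these variants share (an executable `.scr` file, in three cases hidden behind a `.txt` decoy extension). The extension sets and the function names are assumptions chosen for illustration, and the sample messages are constructed.

```python
from email.message import EmailMessage

# Assumed lists (not from the advisory): extensions Windows executes directly,
# and extensions a recipient is likely to read as a harmless document.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf"}


def classify_attachment(filename):
    """Return 'masquerade', 'executable' or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    # A document-like extension right before the real one, as in List.TXT.scr.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "masquerade"
    return "executable"


def scan_message(msg):
    """List (filename, verdict) for every risky attachment in a parsed message."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify_attachment(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings


def build_sample(subject, filename):
    """Constructed test message; the payload is a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed test body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for subject, name in [("The List", "List.TXT.scr"),
                          ("New Screen Saver", "Screen.scr"),
                          ("the list", "list480.txt.scr"),
                          ("minutes", "notes.txt")]:
        print(subject, "->", scan_message(build_sample(subject, name)))
```
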

 

All times are GMT -4.