W32/MyLife-G

Name: W32/MyLife-G
Type: Win32 worm
Date: 12 April 2002

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.

Description:

W32/MyLife-G is a Win32 worm which copies itself to the Windows
system directory as ox&Wife.scr and sets the following registry
value to run the copy on restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OX

When first executed the worm will check to see if the file
ox&Wife.scr exists in the system directory. If the file does
exist then a message box will be displayed with the title
"KiLlLlLl aNd KiLlLlLl" and the message text "KiLlLlLl sHaRoN
bY: mY lIfE 1-oVeR wRiTe 30 <==> eXtEnSiOn 2-dElEte aLl fOlDeRs
(C to I) 3-LoOOoOOoL." The worm will then attempt to delete the
contents of drives C: to I:.

If the copy of the worm does not exist a window will be
displayed with the title "SHARON", containing a caricature of an
ox along with the text "wE*sAy*iT's*oX*tHeY*sAy*mIlK*iT*!!".

The worm then sends itself to addresses from the Outlook address
book, using an email with the following characteristics:

Subject line:
ox <--> sharon

Message body:
Hi All
look to the ox caricature it's very sad
ox <===> sharon
it's funny
bye
Attachments are automatically scanned for viruses using
MCAFEE.COM
========No Viruse Found========

Attached file:
ox&Wife.scr


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32mylifeg.html