W32/MyLife-G

Discussion in 'malware problems & news' started by FanJ, Apr 12, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/MyLife-G
    Type: Win32 worm
    Date: 12 April 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    W32/MyLife-G is a Win32 worm which copies itself to the Windows
    system directory as ox&Wife.scr and sets the following registry
    value to run the copy on restart:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OX

    When first executed the worm will check to see if the file
    ox&Wife.scr exists in the system directory. If the file does
    exist then a message box will be displayed with the title
    "KiLlLlLl aNd KiLlLlLl" and the message text "KiLlLlLl sHaRoN
    bY: mY lIfE 1-oVeR wRiTe 30 <==> eXtEnSiOn 2-dElEte aLl fOlDeRs
    (C to I) 3-LoOOoOOoL." The worm will then attempt to delete the
    contents of drives C: to I:.

    If the copy of the worm does not exist a window will be
    displayed with the title "SHARON", containing a caricature of an
    ox along with the text "wE*sAy*iT's*oX*tHeY*sAy*mIlK*iT*!!".

    The worm then sends itself to addresses from the Outlook address
    book, using an email with the following characteristics:

    Subject line:
    ox <--> sharon

    Message body:
    Hi All
    look to the ox caricature it's very sad
    ox <===> sharon
    it's funny :)
    bye
    Attachments are automatically scanned for viruses using
    MCAFEE.COM
    ========No Viruse Found========

    Attached file:
    ox&Wife.scr


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32mylifeg.html
     
Thread Status:
Not open for further replies.