Name: W32/MyLife-J Type: Win32 worm Date: 12 April 2002 At the time of writing Sophos has received just one report of this worm from the wild. Description: W32/MyLife-J is a Win32 worm that copies itself to the Windows system folder as usa.scr and sh.scr and creates the following registry value so that the copy will be run on Windows startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Scr When first executed the worm will check to see if the file usa.scr exists in the system directory. If the file does exist and the time is between 9 a.m. and 10 a.m. the worm will delete all files from drive C:. If the copy of the worm does not exist then a window will be displayed with the title "SHARON", containing a caricature of an ox along with the text "wE * sAy *iT's* oX * tHeY * sAy * mIlK * iT * !!". The worm then sends itself to addresses from the Outlook address book, using an email with the following characteristics: Subject line: sexyy Screen Saver Message text: hi look at the screen saver it's very funny bye Attachment: usa.scr Read the analysis at http://www.sophos.com/virusinfo/analyses/w32mylifej.html