This story was printed from ZDNet Australia.

Sax-playing Clinton worm stages attack
By Robert Vamosi
March 25, 2002
URL: http://www.zdnet.com.au/news/security/soa/Sax-playing-Clinton-worm-stages-attack/0,130061744,120264220,00.htm

Yet another celebrity is being used as the figurehead for e-mail viruses. This time, Bill Clinton takes centre stage as the star of a variant of the MyLife worm.

There's something to be said about persistence, except when it comes to virus writing. MyLife.b (w32.mylife.b@mm, also known as Caric.a) fixes bugs that plagued the original worm, MyLife.a (w32.mylife.a@mm).

Besides e-mailing copies of itself to everyone included in the Windows address book, the new version includes a caricature of Bill Clinton playing a saxophone with a bra hanging out. It also executes its file-destroying payload whenever an infected computer is rebooted in an hour divisible by 8, such as 8:00 or 16:00.

How it works

MyLife.b arrives as e-mail with the subject line "bill caricature." The body text reads as follows:

Hiiiii

The attached file is cari.scr. If a user opens the attached file, MyLife will display a caricature of Bill Clinton playing a saxophone with a bra hanging out of it. The worm will then modify the system registry to run at startup by altering this setting:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "win"

MyLife.b will attempt to e-mail copies of itself to everyone listed in the Windows address book. Upon rebooting the computer, the worm will delete files with the SYS extension in the Windows directory, and VXD, SYS, OCX, and NLS extensions in the Windows System directory. It will also try to delete all files in the C:, D:, E:, and F: drives, if they exist. The file deletions work only if the current hour in the system is divisible by 8.

Prevention

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached SCR file in MyLife.b. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include MyLife.b.

Removal

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
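
The attachment screening described under Prevention can also be done at a mail gateway. The Python code below is an added example, not part of the original article or of any vendor's product: it parses a message, flags attachments whose final extension is executable, and checks for the subject line and file name reported above. The extension list and the build_sample helper are assumptions made for illustration, and the sample messages are constructed.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Assumption: illustrative subset of executable extensions a gateway would block.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}
# Indicators reported in the article.
MYLIFE_SUBJECT = "bill caricature"
MYLIFE_ATTACHMENT = "cari.scr"


def build_sample(subject, filename):
    """Build a constructed sample message with an inert placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hiiiii")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


def attachment_names(msg):
    """Return normalised filenames of every MIME part that declares one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Windows ignores trailing dots and spaces, so strip them first.
            names.append(name.strip().rstrip(". ").lower())
    return names


def assess(raw):
    """Classify one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    # Only the final extension counts, so "photo.jpg.scr" is still caught.
    blocked = [n for n in names if os.path.splitext(n)[1] in BLOCKED_EXTENSIONS]
    return {
        "blocked_attachments": blocked,
        "matches_mylife_b": subject == MYLIFE_SUBJECT and MYLIFE_ATTACHMENT in names,
        "quarantine": bool(blocked),
    }


if __name__ == "__main__":
    for subj, fname in [("bill caricature", "cari.scr"), ("Report", "notes.txt")]:
        print(subj, fname, assess(build_sample(subj, fname)))
```
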