SEVERITY: MODERATE REACTIVE
DATE: 04/02/2002
PRODUCTS AFFECTED: Outlook, Outlook Express, Web-based E-mail Programs
**********************************************************************
WHAT IS IT?
MyLife.F is a simple variant of other MyLife strains but is able to evade filters specifically set to catch the other known MyLife attachments. Multiple variants, all based on the same basic pattern, are being found. Microsoft is therefore advising our customers to be on watch for these variants and to take the actions indicated to protect themselves from the various strains being developed. All MyLife strains have similar messages, attachment types and file sizes, as mentioned in previous MyLife.
IMPACT OF ATTACK:
Mass mailing, trojan delivery.
TECHNICAL DETAILS:
W32/MyLife-F is a Win32 worm which copies itself to the Windows system directory as list480.txt.scr and sets the following registry key to run the copy on restart:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sys
To make you think that the List.TXT.scr file did not work properly, the worm displays a message that has the following characteristics:
Title: Error
Text: Error Notepad.dll ##
PAYLOAD:
If the system time is greater than or equal to 50 minutes, the worm displays a message that has the following characteristics:
Title: LoOoOoL
Text: My Life.C
The worm also attempts to delete all files on the C drive and to format drives D, E, F, G, H and I.
PROPAGATION:
It then sends itself to addresses from the Outlook address book, using an email with the following characteristics:
Subject line:
the list
Message body:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
DETECTION:
Look for e-mails, as described above, and files potentially created by MyLife variants in the Windows System directory. Look for the file List480.TXT.scr (7,680 bytes) in the Windows System directory. Also look for the Windows registry key created by the worm and the fake error message displayed upon the initial execution of the worm on a computer. If a mass-mailing has occurred, e-mails will be in the Sent Items folder containing the characteristics mentioned above.
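The following mail-filter check is an added example, not part of the original alert or any Microsoft tool. It flags the subject line and 7,680-byte size given above, and goes beyond the exact file name by matching the decoy-plus-executable double extension, so a renamed variant is still caught. The extension lists, function names and the sample attachment name are assumptions; the sample messages are constructed and carry only zero bytes.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed, illustrative lists: extensions Windows runs, and document-like decoys.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif"}
MYLIFE_SIZE = 7680            # bytes, from the alert
MYLIFE_SUBJECT = "the list"   # subject line, from the alert


def has_decoy_double_extension(filename):
    """True for names like 'x.txt.scr': decoy extension, then executable one."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[1] in DECOY_EXTS
            and "." + parts[2] in EXECUTABLE_EXTS)


def score_message(raw_bytes):
    """Return the MyLife-style indicators found in one raw e-mail message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == MYLIFE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if has_decoy_double_extension(name):
            hits.append("double-extension:" + name)
        if len(payload) == MYLIFE_SIZE:
            hits.append("size:" + name)
    return hits


def build_sample(subject, filename, size):
    """Constructed test message; the attachment is zero bytes, not a sample."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Hiiiii")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample("the list", "list480.txt.scr", 7680)))
```

A message that matches only on size or only on subject is a weak signal; the double-extension hit is the one that survives renaming.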
PREVENTION:
For Outlook 98 and Outlook 2000 Pre SR1: Customers who have installed the Outlook Email Security Update are prevented from launching the .exe file associated with this virus.
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx
For Outlook 2000 Post SR1 and Outlook XP: Functionality to block the opening of .exe attachments is built into these products.
For Outlook Express Pre Version 6.0: Do not open files containing .exe attachments that you are not expecting.
For Outlook Express 6.0: You can turn on the attachment handling features in Outlook Express 6 by reading this Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;291387
For Web Based Email Clients: You can block this virus if you are using an application level firewall such as Microsoft Internet Security and Acceleration Server.
http://www.microsoft.com/ISAServer/
RECOVERY:
Remove all files and the Windows registry key associated with MyLife variants and restore corrupted or damaged files with clean back-up copies. Restore any lost files and reinstall software as required.
If you have been infected with this virus, please contact Microsoft Product Support Services or your preferred antivirus vendor for assistance with removing it.
RELATED KB'S:
Available within 72 hours
http://www.microsoft.com/technet/security/bulletin/info/swdist.mspx
As always, please make sure to use the latest anti-virus detection from your anti-virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US. Outside of the US, please contact your local Microsoft subsidiary.
PSS Security Response Team