AL-2002.04 -- W32.MyLife.F@mm Worm

Date: 03 April 2002

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2002.04  --  AUSCERT ALERT
                            W32.MyLife.F@mm Worm
                                3 April 2002

===========================================================================

                            AusCERT Alert Summary
                            ---------------------

	AusCERT is aware of a new variant of the MyLife Worm: MyLife.F.
	AusCERT has received reports of local activity, and the risk of
	rapid propagation of this virus makes it imperative that members
	disseminate and act on this information to prevent any
	undesirable activity by this virus within their sites.

	MyLife.F exhibits similar behaviour to previous variants,
	propagating via the Microsoft Outlook address book. The email has
	a subject line of "the list", and a body as follows:

		Hiiiii
		How are youuuuuuuu?
		look to the notepad it's vvvery verrrry ffffunny :-) :-)
		i promise you will love it :-)
		Notepad = list
		list = 37
		buyyyy
	
		========No Viruse Found========
                 	MCAFEE.COM
		--------------------------------------------------------
	
		Attachment: List480.TXT.scr
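
The following mail-triage check is an added example, not part of the AusCERT alert. It flags the subject line and the `List480.TXT.scr` attachment shape described above, generalised to any decoy extension followed by an executable one; the extension sets, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

ALERT_SUBJECT = "the list"  # subject line given in the alert
# Assumption: extensions Windows runs directly; .scr is the one the alert names.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat"}
# Assumption: harmless-looking inner extensions used to disguise the file.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif"}

def deceptive_attachments(msg):
    """Return attachment names shaped like List480.TXT.scr."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline text have no filename
        suffixes = [s.lower() for s in PurePosixPath(name.strip()).suffixes]
        if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                and suffixes[-2] in DECOY_EXTS):
            hits.append(name)
    return hits

def triage(raw_bytes):
    """Parse one raw message and report which alert indicators it matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    files = deceptive_attachments(msg)
    # Quarantine on the attachment alone: the subject is too generic to act
    # on by itself and is trivially changed in later variants.
    return {"subject_match": subject == ALERT_SUBJECT,
            "deceptive_attachments": files,
            "quarantine": bool(files)}

def build_sample(subject, filename):
    """Constructed test message; the attachment holds placeholder bytes only."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("the list", "List480.TXT.scr")))
    print(triage(build_sample("The List", "notes.txt")))
```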


	After infection, the worm is executed during system startup with
	this registry key:

	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
	"sys" = C:\WINDOWS\SYSTEM\List480.TXT.scr

	Several major anti-virus software vendors have noted activity
	within Australia.

	More information is available from:

	http://vil.nai.com/vil/content/v_99429.htm
	http://www.f-secure.com/v-descs/mylife.shtml
	http://www.messagelabs.com/viruseye/

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPUeieih9+71yA2DNAQGfWwP+OE9A4kyjxS0vVMgf5dgGxDuMfOv5zviw
FxjbB0HmNndag7siyabZVx73adPxko0nNV+wxjFNLUB/Iqea6VtoS3PYA0uwsub4
GuwDCHHrALmDxrQ+V76w1tBWK8QrwQ+SuoE8xVLMyKsSnfYv6N++r1Nmg5UGc/CA
qEvPo+XsaPA=
=9Q1v
-----END PGP SIGNATURE-----