sounds like:
Symantec Security Response
http://securityresponse.symantec.com
W32.MyLife@mm
Discovered on: March 7, 2002
Last Updated on: April 2, 2002 at 09:31:12 PM PST
Due to an increased number of submissions, Symantec Security Response is upgrading W32.MyLife@mm to a Category 3.
W32.MyLife@mm is a simple mass-mailer that sends itself to all contacts in the Microsoft Outlook address book. The worm is a compiled Visual Basic executable that has been compressed. It attempts to delete files that have the extensions .com, .sys, .ini, .exe, .sys, .vxd, .exe, or .dll. (This could not be reproduced in a controlled test environment.)
Type: Worm
Infection Length: 30,720 bytes
Virus Definitions (Intelligent Updater): March 8, 2002
Virus Definitions (LiveUpdate™): March 8, 2002
Threat Assessment:
Wild: Medium
Damage: Medium
Distribution: High
Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Moderate
Damage:
Payload: Mass Mails itself to all recipients in the Outlook Address Book and could delete files with extensions, .com .sys .ini .exe .sys .vxd .exe .dll
Large scale e-mailing: Mass Mails itself to all recipients in the Outlook Address Book
Deletes files: could delete files with extensions, .com .sys .ini .exe .sys .vxd .exe .dll
Distribution:
Subject of email: my life ohhhhhhhhhhhhh
Name of attachment: My Life.scr
Size of attachment: 30,720 bytes
Technical description:
If W32.MyLife@mm is executed, it does the following:
It sends itself to all contacts in the Microsoft Outlook address book. The email has the following characteristics:
Subject: my life ohhhhhhhhhhhhh
Message:
Hiiiii
How are youuuuuuuu? look to the digital picture it's my love
vvvery verrrry ffffunny :-)
my life = my car
my car = my house
Attachment: My Life.scr
It copies itself to C:\Windows\System\My Life.scr.
It adds the value
stmgr C:\WINDOWS\SYSTEM\My Life.scr
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Upon execution it also displays the following picture:
Finally, it attempts to delete files that have the extensions .com, .sys, .ini, .exe, .sys, .vxd, .exe, or .dll. (This could not be reproduced in a controlled test environment.)
Removal instructions:
The preferred way to remove this worm is to use the W32.Mylife Removal Tool. If for any reason you cannot obtain the tool, you must remove the worm manually.
Manual removal
Delete files detected as W32.MyLife@mm and remove the value that it added to the registry.
To remove the worm:
1. Obtain the most recent virus definitions. There are two ways to do this:
   Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
   Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
   Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.MyLife@mm.
To edit the registry:
CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
stmgr C:\WINDOWS\SYSTEM\My Life.scr
5. Click Registry, and click Exit.
Write-up by: Douglas Knowles
(from http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.mylife@mm.html)
― Queen G, Saturday, 6 April 2002 00:00 (twenty-three years ago)
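As an added example (not part of the post or of Symantec's write-up), the registry check from the manual removal steps can be run against a text export of the registry instead of by eye in regedit. It assumes the export is in the REGEDIT4 text format; the sample export, the function names and the generic ".scr in a Run entry" rule are constructed for illustration and go slightly beyond the single value named in the write-up.

```python
import re

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE = "stmgr"
IOC_FILE = "my life.scr"

# Constructed sample of a regedit text export; not real data.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"stmgr"="C:\\WINDOWS\\SYSTEM\\My Life.scr"

[HKEY_CURRENT_USER\Software\Example]
"stmgr"="unrelated value outside the Run key"
'''

# "name"="data" lines; quotes and backslashes inside are backslash-escaped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(export_text):
    """Return {name: data} for string values directly under the Run key."""
    values, in_run = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run:
            m = _VALUE_RE.match(line)
            if m:
                values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def find_suspicious(export_text):
    """Flag the write-up's value, plus any Run entry that launches a .scr file."""
    hits = []
    for name, data in parse_run_values(export_text).items():
        target = data.strip('"').lower()
        if name.lower() == IOC_VALUE and target.endswith(IOC_FILE):
            hits.append((name, data, "matches W32.MyLife@mm write-up"))
        elif target.endswith(".scr"):
            hits.append((name, data, "Run entry launches a .scr file"))
    return hits
```

A hit only tells you which value to remove in step 4 of the registry instructions; the copied file itself is still handled by the scan-and-delete steps.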