01/28/01: Myparty Virus Warning
Many UCLA Bruin OnLine account holders have been receiving e-mails with the Myparty virus. This mass-mailing worm drops a BackDoor trojan on Windows NT/2K/XP systems. The worm itself carries no destructive payload. It arrives in an email message containing the following information:
Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com (29,696 byte PE file)
The attachment name may trick some users into thinking that if they click on the file, they will be taken to a Yahoo website. Certain email clients, especially those that underline the filename, may make this attachment appear more like a URL. The attachment is an executable file with a .COM extension, not a URL. Running the attachment infects the local machine.
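The check a mail filter could apply to this kind of attachment, as an added example that is not part of the original advisory: it flags attachments that have an executable extension or begin with the "MZ" header of a Windows executable, and notes when the filename imitates a web address. The function names, the extension list and the sample message are assumptions made for illustration; the sample attachment is constructed filler, not the worm.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs directly; ".com" doubles as a domain suffix.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat"}
# Filename shaped like a web host name, e.g. "www.myparty.yahoo.com".
URL_LIKE = re.compile(r"^www\.([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def inspect_attachments(raw_message):
    """Return one finding per attachment that is executable content."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment (body text or multipart container)
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable extension " + ext)
        if payload[:2] == b"MZ":
            reasons.append("MZ executable header")
        if reasons and URL_LIKE.match(name):
            reasons.append("filename imitates a web address")
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings

def build_sample():
    """Constructed sample message; the attachment is harmless filler bytes."""
    msg = EmailMessage()
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hello!")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="www.myparty.yahoo.com")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for f in inspect_attachments(build_sample()):
        print(f["filename"], f["size"], "; ".join(f["reasons"]))
```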
On Windows9x/ME
- If the date is between January 25-29, 2002, the virus copies itself to C:\Recycled\regctrl.exe and executes that file.
On WinNT/2K/XP
- If the date is not between January 25-29, 2002, the worm copies itself to C:\Recycled as F-[random number]-[random number]-[random number] with no extension.
- If the date is between January 25-29, 2002, the worm copies itself to C:\regctrl.exe and drops the file MSSTASK.EXE in the STARTUP folder. MSSTASK.EXE is a BackDoor trojan. After the initial file is run, it is deleted. If the executable's filename is ACCESS, the user is directed to the www.disney.com website.
This virus only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002. The user's default SMTP server is retrieved from the registry.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001
The virus uses this SMTP server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files.
If you have received the above and have opened the attachment on a Windows computer without first having updated your DAT files, then your computer has been infected.
Bruin OnLine users should have McAfee VirusScan 4.5.1 installed on their computers and will need to update their DAT files (virus definition files) to at least version 4184. If you do not have McAfee VirusScan installed on your computer, please visit the Bruin OnLine Windows Software download page at:
http://www.bol.ucla.edu/software/win/
You will need to manually download the EXTRA.DAT file from the McAfee website to remove this virus. Please visit the following URL for removal instructions:
http://vil.mcafee.com/dispVirus.asp?virus_k=99332
McAfee will have an autoupdate DAT file, version 4184, available in the next few days.
If you have any questions, please call the BOL Help Desk at (310) 825-7452, Option 1.


