MyLife variant viruses spawned over Easter
Published: 02 Apr 2002 14:01 BST
Four mutations of the destructive MyLife virus were released over the weekend, according to anti-virus companies.
Of the four, only one appears to be spreading widely. Email outsourcing company MessageLabs said it had stopped over 140 copies of MyLife.f on Tuesday morning -- about half of these appeared to originate from Australia, and many of the rest were from the UK. A small number were from Hong Kong, the company said.
MyLife.f is a variation on MyLife.b (w32.mylife.b@mm, also known as Caric.a), which was notable for its caricature of Bill Clinton playing a saxophone with a bra hanging out. This virus fixed bugs that plagued the original worm, MyLife.a (w32.mylife.a@mm), and besides emailing copies of itself to everyone included in the Windows address book, MyLife.b executed its file-destroying payload whenever an infected computer is rebooted in an hour divisible by 8, such as 8:00 or 16:00
"Over Easter we spotted that the MyLife author released versions C, D, E and F of MyLife," said Alex Shipp, senior antivirus technologist at Messagelabs. "We saw MyLife.f kick off in Australia this morning and now coming over here." Variant F, which has been spreading since the weekend, appears to be "pretty tame", said Shipp, as do variants D and E.
But MyLife.c carries a payload which, according to antivirus firm Symantec, could format drives and delete files, depending on the system time. Shipp said that Messagelabs had only stopped one copy of MyLife.f by Tuesday morning, and was still analysing it. "The jury's still out on whether it will actually activate as it is meant to," Shipp added.
All four new variants of MyLife share the same mass-mailing characteristics of the original, and email themselves itself to all email addresses in the Microsoft Outlook address book and the MSN Messenger contact list.
According to Symantec, MyLife.c arrives as the attachment List.TXT.scr, and is likely to activate itself when the system time minutes variable is greater than or equal to 50 and the worm has been run on the system at least once already. If it does activate, it is likely to try to format drives D, E, F, G, H and I, as well as deleting all files on the C: drive.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
40 out of 99 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
