ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > Resources > Articles > Tutorials

Security management Toolkit

Sax-playing Bill Clinton MyLife.b worm could delete your Windows files

Robert Vamosi CNet

Published: 22 Mar 2002 19:14 GMT

There's something to be said about persistence, except when it comes to virus writing. MyLife.b (w32.mylife.b@mm, also known as Caric.a) fixes bugs that plagued the original worm, MyLife.a (w32.mylife.a@mm). Besides emailing copies of itself to everyone included in the Windows address book, the new version includes a caricature of Bill Clinton playing a saxophone with a bra hanging out. It also executes its file-destroying payload whenever an infected computer is rebooted in an hour divisible by 8, such as 8:00 or 16:00. Because of its destructiveness and ability to send mass email, MyLife.b ranks as a 7/10 on the ZDNet Virus Meter.

How it works
MyLife.B arrives as email with the subject line "bill caricature." The body text reads as follows:

Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry
ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
The attached file is cari.scr.

If a user opens the attached file, MyLife will display a caricature of Bill Clinton playing a saxophone with a bra hanging out of it. The worm will then modify the system registry to run at start-up by altering this setting:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "win" = "%SysDir%\cari.scr"

MyLife.b will attempt to email copies of itself to everyone listed in the Windows address book. Upon rebooting the computer, the worm will delete files with the SYS extension in the Windows directory, and VXD, SYS, OCX, and NLS extensions in the Windows System directory. It will also try to delete all files in the C:, D:, E:, and F: drives, if they exist. The file deletions work only if the current hour in the system is divisable by 8.

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached SCR file in MyLife.b. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in email without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include MyLife.b.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec and Trend Micro.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

Did you find this article useful?
13 out of 24 people found this useful

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Install Flash Player Plugin

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.