Computing News
April 2002

Monthly Virus Alert: Mylife Virus Proving to Be Deadly to Unprotected PCs
 
Last month the LBNL VirusWall caught the Klez worm most often, followed by Sircam, then PE_Magistr (all of which should be familiar names by now). So what is new? For one thing, numerous variants of the Mylife worm (W32.Mylife@mm) have surfaced during the last month. Recall from last month's Computing News that Mylife is a mail-based Windows worm that, if executed, sends itself to all addresses in the Microsoft Outlook address book on every computer it infects. But instead of trying to delete files with certain extensions, many new versions attempt to erase the entire C: drive of an infected PC.

The result is destruction of the victim system. Subject lines of infected messages will vary; attachments almost invariably end with .scr. As in the case of the original version of Mylife, all you need to do to infect your system is to open the attachment. If your system becomes infected, you'll be able to tell because your system will become unstable or may not work at all. If your system displays these symptoms, it is best to leave your system alone and call the LBNL Help Desk at H-E-L-P (X4357).

But Mylife is not the only worm that is making its way around the Internet. W32.Aplore@mm (also known by a variety of other names that include "Aphex" and "Aplore") is a new Windows worm that attempts to reproduce itself via email, chat rooms and AOL Instant Messenger (AIM). It sends a message with an attachment, Psecure20x-cgi-install.version.6.01.bin.hx.com, to every address in the Microsoft Outlook address book. When connected to IRC or AIM, the worm sends a URL to chat channels or AIM buddies that references an .html file that has been downloaded to the victim system. This file appears to be a Web page that asks the user to run the malicious executable. Fortunately, Aplore does little damage.

The Hunch worm (also known as the Bloodhound worm), W32.Hunch.C@mm, is another mail-based Windows worm. It changes the autoexec.bat file in every system it infects such that when the system is rebooted, the C: drive will be erased. It also erases all files with .dll, .ocx, and .sys extensions in the C:\_RESTORE folder as well as other files. As in the case of Mylife, system instability or inoperability is a symptom of a Hunch worm infection.
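
The attachment patterns described above for Mylife (names ending in .scr) and Aplore (a long dotted name ending in .com) are the kind of thing a mail gateway can check before a message reaches an inbox. The following Python code is an added example, not part of the original article and not how the LBNL VirusWall works; the function names, the extensions other than .scr and .com, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# .scr and .com come from the article; the rest are an assumed, illustrative
# set of other file types that Windows executes directly.
RISKY_EXTENSIONS = {".scr", ".com", ".exe", ".pif", ".bat", ".vbs"}


def risky_attachments(raw_message):
    """Return [(filename, extension)] for attachments a gateway should hold."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()  # None for body text and containers
        if not name:
            continue
        # Windows decides how to run a file from its LAST extension only,
        # so every earlier ".bin", ".hx" or version number is just decoration.
        ext = PureWindowsPath(name.strip()).suffix.lower()
        if ext in RISKY_EXTENSIONS:
            flagged.append((name, ext))
    return flagged


def constructed_sample():
    """Build a harmless test message (constructed; payloads are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("picture.SCR",  # constructed name with an upper-case .scr
                 "Psecure20x-cgi-install.version.6.01.bin.hx.com",  # from the article
                 "report.txt"):  # constructed benign attachment
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for filename, ext in risky_attachments(constructed_sample()):
        print(f"HOLD {filename} (final extension {ext})")
```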

So--here is the multiple choice virus/worm question of the month:

The LBNL Computer Protection Program strongly recommends that if you receive a message from an unfamiliar source, you should:

  1. Open the message immediately, because if the message is infected, it may not have time to spread before you realize it contains a worm, and you may be able to delete it first.
  2. Open the message slowly and cautiously, because caution generally is the best course of action when it comes to computer security.
  3. Disable your anti-virus program, because it could possibly be destroyed if the message contains a destructive virus or worm.
  4. Refrain altogether from opening the message.

If you are not sure of the answer, send email to eeschultz@lbl.gov.

--By Gene Schultz, Computer Protection Program

