Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Installs a backdoor on WinNT/2000/XP based systems.
Detection files published: 27 Jan 2002 03:00:00
Description created: 28 Jan 2002 12:10:00
Description updated: 31 Jan 2002 05:18:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/MyParty.A@mm

Spreading

The attachment name resembles a web page URL, but the file is actually a Win32 executable compressed with the UPX packer. When executed, the worm copies itself as REGCTRL.EXE to the C:\RECYCLED folder (or to C:\ when run under Windows NT) and attempts to mail itself to addresses harvested from the Windows Address Book and from DBX files (the mail database files used by Outlook Express).
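The two observable traits described above, a URL-looking attachment name on a file that is really a UPX-packed Win32 PE, can be checked without running the sample. The following is an added example written for this page, not Lumension's code and not derived from the worm itself: it parses just enough of the PE/COFF header to read the section table and flags the UPX default section names (UPX0/UPX1/UPX2). The sample file built by `build_fake_pe` is a constructed minimal header used only as test input, and the URL pattern and the `suspect-*` verdict strings are this example's own conventions.

```python
"""Triage a suspected W32/MyParty.A@mm attachment: a file whose name looks
like a web URL but whose bytes are a UPX-packed Win32 PE.

Added example for this page; not code from Lumension or from the worm.
The bytes produced by build_fake_pe() are a constructed minimal PE header,
not a real sample.
"""
import re
import struct
from typing import List, Optional

# Attachment names that read like a web address (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+", re.IGNORECASE)

# Section names UPX writes by default. A repacked or renamed sample can
# defeat this check, so treat a miss as "unknown", not "clean".
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".UPX"}


def looks_like_url(name: str) -> bool:
    return bool(URL_LIKE.match(name.strip()))


def pe_section_names(data: bytes) -> Optional[List[bytes]]:
    """Return the PE section names, or None if data is not a Win32 PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                  # one IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return None                                       # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(section_names: List[bytes]) -> bool:
    return any(n in UPX_SECTIONS for n in section_names)


def triage(name: str, data: bytes) -> str:
    """Classify an attachment by name plus file content, not by name alone."""
    names = pe_section_names(data)
    if names is None:
        return "not-pe"
    if looks_like_url(name) and is_upx_packed(names):
        return "suspect-url-named-upx-pe"
    if looks_like_url(name):
        return "suspect-url-named-pe"
    return "pe"


def build_fake_pe(section_names: List[bytes]) -> bytes:
    """Construct a minimal PE32 header carrying the given section names (test data only)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = b"\x0b\x01" + b"\0" * (opt_size - 2)           # Magic = PE32, rest zeroed
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    # Constructed inputs: a URL-named UPX-packed PE, and an HTML file with the same name.
    sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(triage("www.example.com", sample))                  # suspect-url-named-upx-pe
    print(triage("www.example.com", b"<html></html>"))        # not-pe
```

The point of keying the verdict on the file bytes is that the attachment name is the lure; a mail gateway that only inspects the extension, or a user who only reads the name, will pass the file. The UPX check is a hint rather than proof, since packer section names are trivial to rename.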

Payload Details

On Windows NT/2000/XP the worm also installs a backdoor. The backdoor file is named MSSTASK.EXE (note the double S; it is not the legitimate Windows process MSTASK) and is placed in the current user's startup folder, \Start Menu\Programs\Startup or \Documents and Settings\%USER%\Start Menu\Programs\Startup, so that it is launched at every logon.

Analysis

n/a

Removal

The backdoor installed on Windows NT/2000/XP can be removed by first using Task Manager to end the MSSTASK.EXE process. Be careful not to confuse the legitimate MSTASK process with the backdoor; the malicious name carries a double S. Once the process is gone, delete MSSTASK.EXE from the startup folder in which it was hiding.


Last Updated: 12 Nov 2015 11:06:14