Tech Update Security
Fake Web site attachment spreads the MyParty worm
By Robert Vamosi
ZDNet Reviews
January 29, 2002



Be careful. Not all Web site links received via e-mail open real Web sites. In the case of MyParty (w32.myparty.a@mm), the www.myparty.yahoo.com link is really an attached file that contains the worm. The worm--written in Microsoft Visual C++ and compressed via a UPX utility to 30KB in length--is capable of spreading, possibly slowing e-mail servers with excess traffic. On Windows NT, 2000, and XP systems, MyParty also installs a backdoor Trojan horse. Fortunately the worm's active dates are limited to January 25 through 29, 2002. Because of the rapid spread of this worm, MyParty ranks a 6 on the ZDNet Virus Meter.

How it works
MyParty arrives as e-mail. The subject line reads "new photos from my party!" The body text is "Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!" The attached file seems to be a Web site named www.myparty.yahoo.com.

If the fake Web site link is opened, the worm copies itself to C:\Recycled\regctrl.exe. MyParty is thought to have been created in Russia; oddly, the worm checks to see if the Russian keyboard layout is present and, if so, the worm will not launch on Russian-based computers. On all other PCs, MyParty sends a copy of itself to each address found in the Windows address book and in DBX files by bypassing Microsoft Outlook (if installed). MyParty uses the computer's default SMTP engine found at:

Hkey_current_user\Software\Microsoft\Internet Account Manager\Accounts\00000001

This worm is active only if the system date is between January 25 and 29, 2002.

In order for the worm's author to track its spread, MyParty also sends a message to a Russian e-mail address, napster@gala.net.

On systems with Windows NT, 2000, and XP, MyParty installs a backdoor Trojan horse, allowing a malicious user to gain control over an infected computer. MyParty adds msstask.exe to the Start Menu\Programs\Startup directory so that it will run the next time Windows starts up. The Trojan horse attempts to contact the address 209.151.250.170, which appears to be shut down.

Sometimes, MyParty also opens the infected computer's current Web browser to the www.disney.com Web site.

Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from MyParty. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include MyParty.
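
The trick described above, an attachment whose filename reads like a Web address but ends in the executable .com extension, can be checked for at the mail gateway. The following Python sketch is an added example, not code from the article or from any antivirus vendor; the extension list, the host-name pattern, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; ".com" is why the lure name executes.
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# A filename that reads like a host name (assumed pattern): www.label.label...
HOSTNAME_LIKE = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
LURE_SUBJECT = "new photos from my party!"  # subject line quoted in the article


def attachment_findings(msg):
    """Return a list of reasons the message looks like the lure (empty if none)."""
    findings = []
    if (msg.get("Subject") or "").strip().lower() == LURE_SUBJECT:
        findings.append("subject matches the MyParty lure")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().rstrip(". ")
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        if HOSTNAME_LIKE.match(name):
            findings.append(f"attachment {name!r} is an executable named like a Web address")
        else:
            findings.append(f"attachment {name!r} has executable extension .{ext}")
    return findings


def build_sample(subject, filename):
    """Constructed test message; the payload is a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("I have attached my web page with new photos!")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    # Round-trip through bytes so the check runs on a parsed raw message.
    return message_from_bytes(m.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    for subj, fname in [(LURE_SUBJECT, "www.myparty.yahoo.com"),
                        ("Quarterly report", "report.pdf")]:
        print(fname, "->", attachment_findings(build_sample(subj, fname)))
```

The filename check alone catches the disguise even if the subject line changes, because it keys on the executable extension rather than on the message text.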

Removal
Most antivirus software companies have updated their signature files to include this worm. Installing the files stops the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, Kaspersky, McAfee, Norman, Sophos, Symantec, and Trend Micro.

