Not Everything Starting with "www" and Ending in ".com" Is a Web Site

January 28, 2002

The Internet worm "Myparty" poses as a Web-site link

Kaspersky Lab, an international data-security software developer, announces the detection of a new Internet worm going by the name of Myparty that spreads via e-mail. At this time, several incidents of infection by this malicious code have already been reported.

The worm arrives on a target computer as a file attached to an e-mail message. The file is a Windows application about 30Kb in length, written in Microsoft Visual C++ and compressed with the UPX utility.

An infected message appears as follows:

As is apparent, the carrier file deliberately poses as a Web-site address. The trick relies on the user's trust: the user expects that double-clicking the attachment will lead to some Internet address. What actually happens is that opening the attachment activates a malicious program.
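The disguise works because ".com" is both a top-level domain and a Windows executable extension, so a mail gateway can catch it from the attachment name alone. The following is an added example, not Kaspersky's code; the function names, addresses and file names are constructed for illustration, and the check goes beyond the page's case by also flagging other directly executable extensions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly; ".com" collides with the top-level domain.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}


def classify_attachment(filename):
    """Return 'url-lookalike', 'executable' or None for one attachment name."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = (filename or "").strip().lower().rstrip(". ")
    dot = name.rfind(".")
    if dot == -1 or name[dot:] not in EXECUTABLE_EXTS:
        return None
    # The page's case: a name shaped like a Web address ("www..." + ".com").
    if name.startswith("www.") and name.endswith(".com"):
        return "url-lookalike"
    return "executable"


def scan_message(raw_bytes):
    """Parse a raw message; return {attachment filename: verdict} for risky ones."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = {}
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_filename())
        if verdict:
            findings[part.get_filename()] = verdict
    return findings


def build_sample():
    """Constructed message: a link in the body, a lookalike attachment, a PDF."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("The photos are at http://www.example.com/")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="www.photos.example.com")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Only attachment names are inspected, so the genuine link in the message body is not flagged.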

"This is definitely a new technique for manipulating a user that is uniquely employed by 'Myparty' to have already caused a series of infections. The rest of the program is a classic Internet worm that is not differentiated from hundreds of similarly created Internet worms," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "This occurrence once again confirms that not everything beginning with 'www' and ending in '.com' is a Web site."

If the system date on a computer falls between January 25 and 29, 2002, Myparty launches its installation and spreading routines. The worm also checks for the presence of Russian-language support; if it is detected, the worm finishes its operation and exits.

To stay resident in memory after every start-up of the infected computer, the worm copies itself to several disk directories and registers the copies in the program auto-start section of the Windows system registry.

To send copies of itself via e-mail, the worm scans the Windows Address Book and DBX (also used in Outlook Express) databases for addresses. It then establishes a direct connection with a remote SMTP server and silently sends copies of itself to all the addresses it found, ostensibly in the name of the infected computer's user. To confirm an infection, the worm also sends a blank e-mail to the napster@gala.net address.

Myparty has some dangerous side effects. On computers with Windows NT/2000/XP, the worm installs a spy program for remote unauthorized control. In this way, a malefactor can gain total control over a victim's computer.

In addition to this, depending on a number of conditions, Myparty opens the http://www.disney.com Web site in the current Internet browser window.

Protection against Myparty has already been added to the Kaspersky Anti-Virus database.

A more detailed description of this Internet worm can be found in the Kaspersky Virus Encyclopedia.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
