- Subject: 'nother warning
- From: Margaret Davis <margd@FLASH.NET>
- Date: Tue, 29 Jan 2002 09:26:10 -0600
- Comments: RFC822 error: <W> Incorrect or incomplete address field found and ignored.
- Reply-to: Assessment Reform Network Mailing List <ARN-L@LISTS.CUA.EDU>
- Sender: Assessment Reform Network Mailing List <ARN-L@LISTS.CUA.EDU>
Have no idea if it's another hoax...but heads up anyway
FYI: PLEASE READ!!!
I just got this from Ira.
"Goldstein, Ira" wrote:
> -----Original Message-----
> From: Jones, Richard P.
> Sent: Monday, January 28, 2002 1:23 PM
> To: NTRC Alarm Supervisors; NTRC ALARMS; NTRC Modem Test; NTRC WAN
> Implementation; NTRC-BUS OPS; NTRC-SNMP; NTRC-SS; NTRC-TAC; NTRC-TRAFFIC;
> NTRC-WAN; NTRC-WAN
> Subject: W32/Myparty@MM virus -- !! BECAREFUL !!
> Please be careful: a new virus is currently being circulated on the
> Internet and there is no defense as of this writing.
> The bogus e-mail features the following message:
> " Hello!
> My party...It was absolutely amazing!
> I have attached my web page with new photos!
> If you can please make color prints of my photos. Thanks!"
> Here's McAfee's explanation of the virus and its effects:
> When the W32/Myparty@MM virus <http://vil.nai.com/vil/content/v_99332.htm>
> executable is executed on Windows NT machines, (Windows NT, 2000 or XP)
> this backdoor is dropped to the startup folder within the profile of the
> current user, MSSTASK.EXE:
> %userprofile%\Start Menu\Programs\Startup\msstask.exe
> This ensures the backdoor is executed upon system startup, at which point
> it goes memory resident, and the machine is rendered vulnerable.
> NB: W32/Myparty@MM only massmails itself and drops the backdoor component
> if the system date is within the following range:
> 25th - 29th January 2002 inclusive
> Outside of this date range, no backdoor component is dropped.
> MSSTASK.EXE is compressed with UPX, and is 6,144 bytes in length (unpacked
> the file is 152,064 bytes).
> Once running, the backdoor tries to connect to the following IP address:
> in order to download the command file that
> operates the backdoor.
> A second W32/Myparty@MM variant which only operates between 20th-24th
> January 2002 (hence will not replicate on machines with correctly set date
> now) drops an identical backdoor component to that described above. The
> only difference is the date range in which the backdoor is dropped.
> With Regards
> Nextiraone Email Group
If you're in control - you're going too slow
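
An added example, not part of the original message or the quoted advisory: a Python triage check for the persistence location described in the quoted text. It scans each profile's Startup folder for msstask.exe and compares the file size with the 6,144 bytes given above. The function names, the profiles-root argument and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Values taken from the advisory quoted in the message above.
STARTUP_REL = Path("Start Menu") / "Programs" / "Startup"
BACKDOOR_NAME = "msstask.exe"
PACKED_SIZE = 6144  # bytes, UPX-compressed size given in the advisory


def scan_profiles(profiles_root):
    """Return one finding per msstask.exe found in a profile's Startup folder.

    profiles_root is the directory holding the per-user profiles
    (assumption: a live profiles folder or a mounted disk image).
    """
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        startup = profile / STARTUP_REL
        if not startup.is_dir():
            continue
        for entry in startup.iterdir():
            # Windows file names are case-insensitive; the advisory uses both cases.
            if entry.is_file() and entry.name.lower() == BACKDOOR_NAME:
                data = entry.read_bytes()
                findings.append({
                    "profile": profile.name,
                    "path": str(entry),
                    "size": len(data),
                    "size_matches": len(data) == PACKED_SIZE,
                    # UPX-packed executables normally carry the "UPX!" marker.
                    "upx_marker": b"UPX!" in data,
                })
    return findings


def build_sample_tree(root):
    """Constructed test data: one clean profile, one with a dummy 6,144-byte file."""
    root = Path(root)
    (root / "alice" / STARTUP_REL).mkdir(parents=True)
    hit_dir = root / "bob" / STARTUP_REL
    hit_dir.mkdir(parents=True)
    (hit_dir / "MSSTASK.EXE").write_bytes(b"MZ" + b"UPX!" + b"\0" * (PACKED_SIZE - 6))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_profiles(build_sample_tree(tmp)):
            print(finding)
```

A file name match alone is only a lead; the size and packer checks narrow it, and a hit still needs confirmation with an antivirus scan.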