Summary
Summary
Action- More Information
| Detected by | All Sophos products |
|---|---|
Action
- Summary
- Action
- More Information
Please read the instructions for removing worms.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry for each user who ran the virus. The removal of this entry is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\sys
and delete it if it exists.
Close the registry editor.
More Information
Note: W32/MyLife-F is currently detected using the IDE supplied for W32/MyLife-C. This worm has been reported widely in Australia.
W32/MyLife-F is a Win32 worm that copies itself to the Windows system directory as list480.txt.scr and sets the following registry key to run the copy on restart:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sys
When first run, the worm checks whether the file C:\Windows\System\List480.TXT.scr exists. If the file does not exist, the worm displays a message box with the title "Error" and the text "Error Notepad.dll ##".
The worm then sends itself to addresses from the Outlook address book, using an email with the following characteristics:
Subject line:
the list
Message body:
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
MCAFEE.COM
---------------------------------------------------
Attached file:
list480.txt.scr
If W32/MyLife-F finds that the file C:\Windows\System\List480.TXT.scr does exist, then the worm checks the time on the system clock. If the number of minutes is greater than or equal to 50, the worm attempts to format drives D: to I: and delete all files from drive C:. It then displays the message "My Life.C".
|
