MyBabyPic virus
According to F-Secure and Kaspersky Labs, MyBabyPic exhibits the following characteristics:
Type: Internet worm
Aliases: W32/Babypic@mm, TROJ_Mybabypic.A MYBABYPIC.EXE, I-Worm.Myba, Myba, or W32/Myba-A
Systems Affected: Windows 32-bit systems
Payload: May cause unrecoverable file damage.
ITW: Yes
Origin:
Description: MyBabyPic is a Visual Basic worm sharing many similarities with the Loveletter worm. The virus is spread by sending infected messages from affected computers running Microsoft® Outlook. The worm is usually received as follows:
Subject: My baby pic !!!
Message text: Its my animated baby picture !!
Attachment name: mybabypic.exe
The worm copies itself into the Windows system directory with the names:
WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, COMMAND.EXE
and registers itself in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe
The worm also creates the registry key:
HKCU\Software\Bugger
Default = HACK[2K]
mailed = %number%
where %number% is a number from 0 to 3 that depends on the stage the worm is currently performing or has completed: installing, spreading, or activating its payload routine.
F-Secure and Kaspersky describe the payload routine as being quite large. Depending on the system date and time the worm:
- switches the NumLock, CapsLock and ScrollLock keys on or off
- sends to the keyboard buffer the message:
.IM_BESIDES_YOU_
- connects to the www.youvebeenhack.com site and sends one of the following texts there:
FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER
The worm also corrupts and/or affects other files. It scans the subdirectory trees on all available drives, lists all files there and, depending on the filename extension, performs the following actions:
VBS, VBE: the worm destroys the contents of these files.
JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, H: the worm creates a new file with the original filename plus an ".EXE" extension, copies its body there, and then deletes the original file, i.e. the worm overwrites these files with its code and renames them with the EXE extension. For example, "TEST.CPP" becomes "TEST.EXE".
JPG, JPEG: the worm does the same as above, but adds the ".EXE" extension to the full file name (it does not rename to ".EXE"). For example, "PIC1.JPG" becomes "PIC1.JPG.EXE".
MP2, MP3, M3U: the worm creates a new file with the ".EXE" extension (for "SONG.MP2" the worm creates the "SONG.MP2.EXE" file), writes its code there and sets the "hidden" file attribute on the original file.
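A defender-side check for the file artifacts described above, added here as an example (it is not code from F-Secure, Kaspersky or this encyclopedia): it flags double-extension copies such as PIC1.JPG.EXE and the dropped file names, then groups the hits by SHA-256, on the assumption that every copy carries the same worm body. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions for which the page describes a "<name>.<ext>.EXE" copy.
DOUBLE_EXT = {".JPG", ".JPEG", ".MP2", ".MP3", ".M3U"}
# Dropped names from the page. CMD.EXE and COMMAND.EXE are left out:
# matching on name alone would flag the real cmd.exe on NT-family systems.
DROPPED = {"WINKERNEL32.EXE", "MYBABYPIC.EXE", "WIN32DLL.EXE"}


def classify(filename):
    """Return why a file name matches the page's description, or None."""
    upper = filename.upper()
    if upper in DROPPED:
        return "dropped-name"
    stem, ext = os.path.splitext(upper)
    if ext == ".EXE" and os.path.splitext(stem)[1] in DOUBLE_EXT:
        return "double-extension"
    return None


def scan(root):
    """Group matching files under root by the SHA-256 of their contents."""
    # Assumption: every copy carries the same worm body, so several hits
    # sharing one digest are a stronger signal than a single odd file name.
    groups = defaultdict(list)
    for path in Path(root).rglob("*"):
        reason = classify(path.name) if path.is_file() else None
        if reason:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            groups[digest].append((path.relative_to(root).as_posix(), reason))
    return {d: sorted(hits) for d, hits in groups.items()}


def demo():
    """Scan a constructed tree of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("PIC1.JPG.EXE", "music/SONG.MP2.EXE", "MYBABYPIC.EXE"):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed placeholder, not malware")
        Path(root, "setup.exe").write_bytes(b"unrelated file")
        return scan(root)
```

Script and source files that were replaced outright (TEST.CPP becoming TEST.EXE) cannot be recognised by name; comparing other executables against the digest of a confirmed copy is the way to find those.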
