MyLife.B = Caricature worm
Promises to be 'viruse' free

A new version of the MyLife.A worm was discovered on the evening of March 21st. Spreading via email, MyLife.B, a.k.a. the Caric worm, arrives in an email as follows:

Subject: bill caricature
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry
ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
----------------------------

Note that the email message attempts to legitimize the attachment by including a bogus "No Viruse Found" message erroneously credited to 'MCAFEE.COM'.

The email carries an attachment named CARI.SCR which, when opened, first displays a picture and then copies itself as CARI.SCR to the Windows\System folder on 9x and to Windows\System32 on NT/2000 and adds a startup key for its file to the Registry.

The worm then mass-mails itself to all addresses found in the Windows address book and the MSN Messenger database.

MyLife.B includes a malicious payload. When the system clock is at 8 o'clock, the worm will delete all *.sys files found in the Windows directory and all *.nls, *.ocx, *.sys, and *.vxd files found in the Windows\System directory. It will also attempt to delete all files from the root of drives C:\, D:\, E:\, and F:\.

Removing the worm
Edit the registry, removing the value "win" = "%SysDir%\cari.scr" (where %SysDir% is the appropriate system folder) from the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the "cari.scr" file from the appropriate Windows System folder.
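To confirm the startup value is present before editing (and gone afterwards), the Run key can be exported to a .reg file and checked offline. The following is an added example, not part of the original article: it assumes a REGEDIT4-format text export, and the sample export and function names are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "cari.scr"  # file name given in the removal steps above

# Constructed sample of a REGEDIT4 export (not taken from a real host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"win"="C:\\WINDOWS\\SYSTEM\\cari.scr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"win"="C:\\WINDOWS\\SYSTEM\\cari.scr"
'''

# "name"="data" lines; backslash escapes are allowed inside either string
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text):
    """Return {value name: data} for string values under the Run key only."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def find_mylife_b(reg_text):
    """Return (name, data) pairs under Run whose data points at cari.scr."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        # Compare the file name only: the folder differs between 9x and NT/2000
        filename = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if filename.lower() == WORM_FILE:
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in find_mylife_b(SAMPLE_EXPORT):
        print(f"Run value to remove: {name!r} -> {data}")
```

Matching on the file name rather than the full path covers both the Windows\System and Windows\System32 locations described above.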


©2013 About.com. All rights reserved.