W32/Myparty@MM Virus - U-M Virus Busters

The W32/Myparty@MM Virus: Email to Avoid

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 28 January 2002

This information can be freely reproduced in any medium, as long as the information is unmodified.

The virus described below only infectes Windows platforms; it cannot infect Macintosh computers. Mac (and other non-Windows) users can expect to see lots of infected email in their mailboxes, however.

UPDATE: A new version of the interim drivers were released at around 10:45 today; they are on-line below.

Occasionally, a "mass mailer" gets lucky, and spreads even here at U-M, where we usually don't see many virus outbreaks. In this case, we first started seeing email at about 20:00 on 27 January, 2002, that looked like this:

   Subject: new photos from my party! 

   Hello! 

   My party... It was absolutely amazing! 
   I have attached my web page with new photos! 
   If you can please make color prints of my photos. Thanks!

The email contains a UUENCODEd file named www.myparty.yahoo.com (29696 bytes, when uudecoded). It requires user help to activate -- but some insecure emailers make it easier for this to occur: the fact that the file has a name that looks like a URL makes it easier for someone to double-click on the "link", by mistake.

It bears repeating, as we have done so many times before:

NEVER ACCEPT UNSOLICITED ATTACHMENTS, not even from those you know and trust.

We contacted our antivirus provider immediately and they responded quickly, even on a Sunday evening. By 01:16 on 28 January, "extra" virus definitions were available to handle this new threat. Users can download the SuperDAT version of this by clicking here; just save to the desktop, then double-click on the SDAT99332a.exe file to install.

Note that this will not change the version of the VirusScan virus definitions reported when one right-clicks the VShield icon and selects <About>

We expect to have normal virus definitions for Myparty soon -- perhaps before the start of the business day on 28 January, and definitely in the 4184 virus definitons due for release no later than Wednesday, 30 January. That means that U-M folks who use VirusScan 4.5.1 will be protected automatically within an hour of the time we make the antivirus definitions available here at U-M.

For more information about this virus, see e.g., <http://vil.nai.com/vil/content/v_99332.htm> (leaving our site)

More details as they become available.

If you receive infected email, you should

Just delete the email, or
Forward a copy to us, with full email headers, so that we can notify the victim or
Reply to the sender informing the sender that s/he is infected. For this particular virus, I suggest that you provide the victim with a pointer to this URL (http://www.umich.edu/~virus-busters/myparty.html)

In any event, don't open the email attachment!

If by some sad circumstance you do have the misfortune of opening the attachment, contact your antivirus support personnel for assistance. [For U-M folks, that would be us.]

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

-BPB

Last updated: Monday, 28-Jan-2002 13:17:14 EST.
University of Michigan Virus Busters - virus.busters@umich.edu

visits to this page since 28 January 2002 00:52 EST