Mybabypic | |
---|---|
Type | Mass mailer worm |
Creator | Bugger? |
Date Discovered | 26-FEB-2001 |
Place of Origin | |
Source Language | Visual Basic |
Platform | Microsoft Windows |
File Types | .exe |
Infection Length | 53,760 bytes |
Reported Costs | |
Mybabypic, also known as Myba, is a worm from 2001. It appears to be a compiled version of the Loveletter worm. It damages, corrupts, and destroys files in addition to showing an obscene picture.
Behavior
Mybabypic arrives in an email with a subject line of "My baby pic !!!". The message body is "Its my animated baby picture !!" and the attachment is "mybabypic.exe".
When executed, the worm creates several copies of itself in the system folder: WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, and COMMAND.EXE. It then registers the following registry key/value combinations, ensuring the worm starts when the system starts:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe
It also creates the key "HKCU\Software\Bugger" with the values 'Default = HACK[2K]' and 'mailed = %number%', where %number% is a number from 0 to 3 that depends on the stage the worm is currently performing or has completed: installing, spreading, or activating its payload routine. Mybabypic sends itself to all contacts in the user's Outlook address book.
Payload
Some of its payload depends on the time of year. It switches the NumLock, CapsLock, and ScrollLock keys and sends the message ".IM_BESIDES_YOU_" to the keyboard buffer. It then sends one of the following texts to the site www.youvebeenhack.com: "FROM BUGGER", "HAPPY VALENTINES DAY FROM BUGGER", or "HAPPY HALLOWEEN FROM BUGGER".
When the system restarts, it will display an animated image of a baby with an adult penis.
It then searches all drives for certain types of files. It destroys the contents of VBS and VBE files. For the source code file types JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, and H, the worm creates a new file with the original filename and an .exe extension, copies its body into it, and deletes the original file. For example, a C++ source file named Program.cpp is replaced by Program.exe, which contains the Mybabypic binary code. For .jpg and .jpeg files it does something similar, the main difference being that it adds the .exe extension onto the existing one, so image.jpeg becomes image.jpeg.exe. For the music file types .mp2, .mp3, and .m3u, it creates a new file with the same name plus an .exe extension (i.e. music.mp3 gets a companion file named music.mp3.exe) and then sets the hidden attribute on the original file.
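The file-level traces described above can be checked for after the fact. The following is an added example, not code from the original page or from any antivirus vendor: it walks a directory tree and flags .exe files that fit the naming patterns and the 53,760-byte infection length given in the write-up. It assumes every dropped copy has exactly that size; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

WORM_SIZE = 53_760  # "Infection Length" from the write-up; assumed equal for every copy
SYSTEM_COPIES = {"winkernel32.exe", "mybabypic.exe", "win32dll.exe", "cmd.exe", "command.exe"}
IMAGE_EXTS = {".jpg", ".jpeg"}         # original deleted, <name>.jpg.exe left in its place
MUSIC_EXTS = {".mp2", ".mp3", ".m3u"}  # original kept but hidden, <name>.mp3.exe beside it

def classify(path):
    """Return (kind, size_match, original_present) for a suspicious .exe, else None."""
    folder, name = os.path.split(path)
    stem, ext = os.path.splitext(name)
    if ext.lower() != ".exe":
        return None
    inner = os.path.splitext(stem)[1].lower()  # extension sitting under the .exe, if any
    size_match = os.path.getsize(path) == WORM_SIZE
    original_present = os.path.exists(os.path.join(folder, stem))
    if inner in MUSIC_EXTS:
        return ("music-decoy", size_match, original_present)
    if inner in IMAGE_EXTS:
        return ("image-replaced", size_match, original_present)
    # cmd.exe and command.exe are legitimate names on many systems, so a name
    # from the list only counts when the size matches as well
    if size_match:
        kind = "system-copy" if name.lower() in SYSTEM_COPIES else "size-only"
        return (kind, True, False)
    return None

def scan(root):
    """Walk root and map each flagged path (relative to root) to its finding."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            result = classify(path)
            if result:
                findings[os.path.relpath(path, root)] = result
    return findings

def build_sample(root):
    """Constructed sample tree: zero-filled stand-ins, no worm code involved."""
    sample = {"system/MYBABYPIC.EXE": WORM_SIZE, "system/CMD.EXE": 400_000,
              "docs/image.jpeg.exe": WORM_SIZE, "docs/music.mp3.exe": WORM_SIZE,
              "docs/music.mp3": 1_000, "src/Program.exe": WORM_SIZE, "src/notes.txt": 10}
    for rel, size in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in sorted(scan(tmp).items()):
            print(rel, finding)
```

A "music-decoy" finding with the original present means the music file itself survived and only needs its hidden attribute cleared; "image-replaced" and "size-only" findings point to originals that were deleted and must come from backup.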
Origin
Mybabypic appears to be a compiled and slightly modified version of the Loveletter worm written in Visual Basic. Little is known about where it came from, though McAfee suspects somewhere in Asia. Two copies came from the Philippines, the place of origin of the original Loveletter worm. It is unknown if "Bugger" was the actual handle of the creator, as it has not been seen before or since.
Effects
Though it had the potential to do a great deal of damage, Mybabypic was not very widespread. Antivirus product vendors reported receiving very few submissions of the worm. MessageLabs says it received two copies, both originating from the Philippines.
Sources
F-Secure, MyBabyPic.
McAfee Antivirus, W32/Myba@mm. 27-FEB-2001
Cary Ng and Andy Cianciotto, Symantec Security Response, W32.Mybabypic.Worm. 26-FEB-2001
John Leyden, The Register, Internet vandals create new Love Bug variant. 28-FEB-2001