Mybabypic
Type Mass mailer worm
Creator Bugger?
Date Discovered 26-FEB-2001
Place of Origin
Source Language Visual Basic
Platform Microsoft Windows
File Types .exe
Infection Length 53,760 bytes
Reported Costs

Mybabypic, also known as Myba, is a worm from 2001. It appears to be a compiled version of the Loveletter worm. It damages, corrupts, and destroys files in addition to showing an obscene picture.

Behavior

Mybabypic arrives in an email with a subject line of "My baby pic !!!". The message body is "Its my animated baby picture !!" and the attachment is "mybabypic.exe".

When executed, the worm creates several copies of itself in the system folder: WINKERNEL32.EXE, MYBABYPIC.EXE, WIN32DLL.EXE, CMD.EXE, and COMMAND.EXE. It then registers the following registry key/value combinations, ensuring the worm runs when the system starts:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe

It also creates the key "HKCU\Software\Bugger 'Default = HACK[2K]', 'mailed = %number%'" where %number% is a number from 0 to 3 that depends on the stage the worm is currently performing or has completed: installing, spreading, or activating its payload routine. Mybabypic sends itself to all contacts in the user's Outlook Address book.

Payload

Some of its payload depends on the time of year. It switches the NumLock, CapsLock, and ScrollLock keys and sends the message ".IM_BESIDES_YOU_" to the keyboard buffer. It then sends one of the following texts to the site www.youvebeenhack.com: "FROM BUGGER", "HAPPY VALENTINES DAY FROM BUGGER", or "HAPPY HALLOWEEN FROM BUGGER".

When the system restarts, it will display an animated image of a baby with an adult penis.

It then starts work on certain types of files, searching all drives. It destroys the contents of VBS and VBE files. For source code files JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C, and H, the worm creates a new file with the original filename and an .exe extension, copies its body there, and deletes the original file. For example, a C++ source file is renamed from Program.cpp to Program.exe with Mybabypic binary code placed in it. For .jpg and .jpeg files, it does something similar, the main difference being that it adds the .exe extension onto the existing one, so image.jpeg becomes image.jpeg.exe. For music files .mp2, .mp3, and .m3u, it creates a new file with the same name plus an .exe extension (i.e. music.mp3 gets a file named music.mp3.exe) and then sets the hidden attribute on the original file.
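The file changes described above leave a recognisable footprint in a file inventory. The following triage sketch is an added example, not code from the worm or from any vendor; the `(path, size, hidden)` listing format and the sample paths are assumptions, and the size check uses the infection length given on this page.

```python
import ntpath

WORM_SIZE = 53760  # "Infection Length" from this page; a size match is a heuristic, not proof
DROPPED = {"winkernel32.exe", "mybabypic.exe", "win32dll.exe", "cmd.exe", "command.exe"}
IMAGE = {".jpg", ".jpeg"}
MUSIC = {".mp2", ".mp3", ".m3u"}

def triage(listing):
    """Classify worm-sized .exe files in a file inventory.

    listing: iterable of (path, size_bytes, hidden) tuples (hypothetical format,
    e.g. exported from a disk image). Returns (findings, recoverable), where
    findings maps path -> reason and recoverable lists hidden music originals.
    """
    listing = list(listing)
    hidden_by_path = {p.lower(): h for p, _s, h in listing}
    findings, recoverable = {}, []
    for path, size, _hidden in listing:
        stem, ext = ntpath.splitext(path.lower())
        if ext != ".exe" or size != WORM_SIZE:
            continue
        inner = ntpath.splitext(stem)[1]  # extension hiding under .exe, if any
        if ntpath.basename(stem) + ".exe" in DROPPED:
            findings[path] = "name and size match a dropped copy"
        elif inner in IMAGE:
            findings[path] = "image replaced by worm body"
        elif inner in MUSIC:
            findings[path] = "worm companion beside a music file"
            if hidden_by_path.get(stem):
                recoverable.append(path[:-4])  # original is only hidden
        else:
            findings[path] = "worm-sized executable (possibly an overwritten script or source file)"
    return findings, recoverable

# Constructed sample inventory (not taken from a real infection).
SAMPLE = [
    (r"C:\WINDOWS\SYSTEM\WINKernel32.exe", 53760, False),
    (r"C:\WINDOWS\SYSTEM\notepad.exe", 53248, False),
    (r"C:\Photos\image.jpeg.exe", 53760, False),
    (r"C:\Music\music.mp3", 4194304, True),
    (r"C:\Music\music.mp3.exe", 53760, False),
    (r"C:\Src\Program.exe", 53760, False),
    (r"C:\Src\setup.exe", 120000, False),
]

if __name__ == "__main__":
    found, restore = triage(SAMPLE)
    for p, why in found.items():
        print(p, "->", why)
    print("unhide:", restore)
```

Only the music originals come back in `recoverable`, because per the description they are hidden rather than deleted; the other file types need restoring from backup.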

Origin

Mybabypic appears to be a compiled and slightly modified version of the Loveletter worm written in Visual Basic. Little about its location can be found, though McAfee suspects somewhere in Asia. Two copies came from the Philippines, the origin place of the original Loveletter worm. It is unknown if "Bugger" was the actual handle of the creator, as it has not been seen before or again.

Effects

Though it had the potential to do a great deal of damage, Mybabypic was not too widespread. Antivirus product vendors reported receiving very few submissions of the worm. MessageLabs says it received two copies, both originating from the Philippines.

Sources

F-Secure, MyBabyPic.

McAfee Antivirus, W32/Myba@mm. 27-FEB-2001

Cary Ng and Andy Cianciotto, Symantec Security Response, W32.Mybabypic.Worm. 26-FEB-2001

John Leyden, The Register, Internet vandals create new Love Bug variant. 28-FEB-2001
