| Mylife | |
|---|---|
| Type | Mass mailer worm |
| Creator | |
| Date Discovered | 2002.03.07 |
| Place of Origin | |
| Source Language | |
| Platform | MS Windows |
| Infection Length | 30,720 bytes |
| Reported Costs | |
Mylife is a malicious, destructive worm that deletes important system files. The original and its later variants displayed pictures and from this it became known by some other (not as often used) names, including Caricature (or some shortened form of that word) and the Bill Clinton worm (variant B only). The icons it used were also interesting.
|
Table of Contents
|
Behavior
 |
Mylife arrives as an email attachment named "My Life.scr".The subject of the email is "my life ohhhhhhhhhhhhh" and the message body will look like:
Hiiiii
How are youuuuuuuu?
look to the digital picture it's my love
vvery verrrry ffffunny :-)
my life = my car
my car = my house
When it is executed, the worm copies itself to the system folder as the same name as the attachment. The worm adds itself to the current user run registry key It displays a picture of a woman dressed in antique fancy clothes holding a flower.
The worm mails itself to all addresses in the Windows address book.
It checks if a variable is equal to or greater than 45 and if so begins deleting certain files. The worm deletes all .sys and .com files in the C:\ root folder, all .com, .sys, .ini, and .exe in the Windows folder and .sys, .vxd, .exe, and .dll files in the System folder.
Variants
Mylife.B
 |
This variant promises a Bill Clinton caricature (Clinton was out of office over a year before this variant appeared). It comes in the attachment "CARI.SCR", with a subject line of "bill caricature" and a message body like this:
Hiiiii
How are youuuuuuuu?
look to bill caricature it's vvvery verrrry
ffffunny :-) :-)
i promise you will love it? ok
buy
========No Viruse Found========
MCAFEE.COM
----------------------------
When the attachment is executed, Mylife.B displays a caricature of former US President Bill Clinton. This variant's payload triggers when CARI.SCR is in the system directory and the hour value is equal to 8. In addition to all addresses in the address book, it gets email adresses from the MSN Messenger database. Mylife.B deletes .sys files in the Windows directory and .vxd, .sys, .ocx, and .nls files in the system directory and all files in the root directories of drives C:, D:, E:, and F:.
Mylife.F
Hiiiii
How are youuuuuuuu?
look to the notepad it's vvvery verrrry ffffunny :-) :-)
i promise you will love it :-)
Notepad = list
list = 37
buyyyy
========No Viruse Found========
MCAFEE.COM
--------------------------------
Mylife.G, I and J
 |
These three variants are not particularly remarkable, aside from the fact that they display a caricature of then-Israeli president Ariel Sharon as a bull. Mylife.G overwrites MP3 files with the text "my lIfE".
Mylife.M
This variant appeared in 2003 July. It is 8,192 bytes long. It comes in one of two emails. One possibility is that its subject line will be " Fw: Julia Roberts" and the attachment will be "Julia_Roberts_F*cking_toilet.Mpeg_.scr". In this case, the body of the message will look like this:
Hi
How are you?
Lexy and Mystique, a couple of 18 yr old bi gothic chicks, came
over and had some fun in our shower. This scene looks even
better on video, check em out at gotgiclex.com
========No virus detected========
MCAFEE.COM"
 |
Otherwise, the subject will be "Old Shakira" and the the attachment will be "Shakira_1997_part_1_.Mpeg_.scr". In this case the body will be:
Hi
i saw this good ASS,, i sleep 3 hours ;-)
check Shakira ass soory Shakira movi :)
========No virus detected========
MCAFEE.COM"
When Mylife.M is executed, it creates a file named MyLife.mpg in the root directory of the C: drive and tries to run the Windows media player. It creates two copies of itself in the system directory named "Julia_Roberts_F*cking_toilet.Mpeg_.scr" and "Shakira_1997_part_1_.Mpeg_.scr". It adds one of these files as a value to the local machine Run registry key. It deletes all files on the D:, E: and F: drives and all .sys files in the Windows directory.
Effects
A Central Command product manager said mostly home users were affected.
Other Facts
With both the original and the variants, many antivirus researchers had difficulty getting the payload to run on their test systems.
Sources
A. Podrezov, K. Tocheva, M. Hypponen, G. Erdelyi. F-Secure, F-Secure Virus Descriptions : Mylife. 2003.07.07
Douglas Knowles. Symantec, W32.MyLife@mm. 2007.02.13
Jaikumar Vi Jayan. CNN Sci-Tech, 'Clinton' e-mail worm attempts to delete files. 2002.03.26
John Leyden. The Register, Clinton worm variant makes fun of Sharon. 2002.04.12
-. -, MP3 zapping malware worms onto P2P network. 2005.04.22