Mylife
Mylife
Type Mass mailer worm
Creator
Date Discovered 2002.03.07
Place of Origin
Source Language
Platform MS Windows
Infection Length 30,720 bytes
Reported Costs

Mylife is a malicious, destructive worm that deletes important system files. The original and its later variants displayed pictures and from this it became known by some other (not as often used) names, including Caricature (or some shortened form of that word) and the Bill Clinton worm (variant B only). The icons it used were also interesting.

Behavior

Mylifea.png

Mylife arrives as an email attachment named "My Life.scr".The subject of the email is "my life ohhhhhhhhhhhhh" and the message body will look like:
  Hiiiii
  How are youuuuuuuu?
  look to the digital picture it's my love
  vvery verrrry ffffunny :-)
  my life = my car
  my car = my house

When it is executed, the worm copies itself to the system folder as the same name as the attachment. The worm adds itself to the current user run registry key It displays a picture of a woman dressed in antique fancy clothes holding a flower.

The worm mails itself to all addresses in the Windows address book.

It checks if a variable is equal to or greater than 45 and if so begins deleting certain files. The worm deletes all .sys and .com files in the C:\ root folder, all .com, .sys, .ini, and .exe in the Windows folder and .sys, .vxd, .exe, and .dll files in the System folder.

Variants

Mylife.B

Mylifeb.png

This variant promises a Bill Clinton caricature (Clinton was out of office over a year before this variant appeared. It comes in the attachment "CARI.SCR", with a subject line of "bill caricature" and a message body like this:
  Hiiiii
  How are youuuuuuuu?
  look to bill caricature it's vvvery verrrry
  ffffunny :-) :-)
  i promise you will love it? ok
  buy
  ========No Viruse Found========
  MCAFEE.COM
  ----------------------------

When the attachment is executed, Mylife.B displays a caricature of former US President Bill Clinton. This variant's payload triggers when CARI.SCR is in the system directory and the hour value is equal to 8. In addition to all addresses in the address book, it gets email adresses from the MSN Messenger database. Mylife.B deletes .sys files in the Windows directory and .vxd, .sys, .ocx, and .nls files in the system directory and all files in the root directories of drives C:, D:, E:, and F:.

Mylife.F

  Hiiiii
  How are youuuuuuuu?
  look to the notepad it's vvvery verrrry ffffunny :-) :-)
  i promise you will love it :-)
  Notepad = list
  list = 37
  buyyyy
  ========No Viruse Found========
           MCAFEE.COM
  --------------------------------

Mylife.G, I and J

Mylifegij.png

These three variants are not particularly remarkable, aside from the fact that they display a caricature of then-Israeli president Ariel Sharon as a bull. Mylife.G overwrites MP3 files with the text "my lIfE".

Mylife.M

This variant appeared in 2003 July. It is 8,192 bytes long. It comes in one of two emails. One possibility is that its subject line will be " Fw: Julia Roberts" and the attachment will be "Julia_Roberts_F*cking_toilet.Mpeg_.scr". In this case, the body of the message will look like this:

  Hi
  How are you?
  Lexy and Mystique, a couple of 18 yr old bi gothic chicks, came
  over and had some fun in our shower.  This scene looks even
  better on video, check em out at gotgiclex.com

  ========No virus detected========
           MCAFEE.COM"
Mylcons.png

Otherwise, the subject will be "Old Shakira" and the the attachment will be "Shakira_1997_part_1_.Mpeg_.scr". In this case the body will be:
  Hi
  i saw this good ASS,, i sleep 3 hours ;-)
  check Shakira ass soory Shakira movi :)
  ========No virus detected========
             MCAFEE.COM"

When Mylife.M is executed, it creates a file named MyLife.mpg in the rot directory of the C: drive and tries to run the Windows media player. It creates two copies of itself in the system directory named "Julia_Roberts_F*cking_toilet.Mpeg_.scr" and "Shakira_1997_part_1_.Mpeg_.scr". It adds one of these files as a value to the local machine Run registry key. It deletes all files on the D:, E: and F: drives and all .sys files in the Windows directory.

Effects

A Central Command product manager said mostly home users were affected.

Other Facts

With both the original and the variants, many antivirus researchers had difficulty getting the payload to run on their test systems.

Sources

A. Podrezov, K. Tocheva, M. Hypponen, G. Erdelyi. F-Secure, F-Secure Virus Descriptions : Mylife. 2003.07.07

Douglas Knowles. Symantec, W32.MyLife@mm. 2007.02.13

Jaikumar Vi Jayan. CNN Sci-Tech, 'Clinton' e-mail worm attempts to delete files. 2002.03.26

John Leyden. The Register, Clinton worm variant makes fun of Sharon. 2002.04.12

-. -, MP3 zapping malware worms onto P2P network. 2005.04.22

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License