
W32.MYBABYPIC@MM - A NEW INTERNET WORM SPREADING

Virus Name : W32.MyBabypic@mm
Alias : I-Worm.Mybabypic
Virus type : Internet worm
Threat level : Low

Virus details :
Mybabypic is an Internet worm that uses Microsoft Outlook to email itself. The worm is 77,824 bytes long (78KB) and written in Visual Basic 6. It needs "MSVBVM60.dll" to spread; otherwise it will show a DLL missing error. The e-mail attachment name will be "mybabypic.exe".

When the e-mail attachment is opened, a message box with the picture of a child is displayed. The worm also drops the following copies of itself in the Windows System directory: MYBABYPIC.EXE, WINKERNEL32.EXE, WIN32DLL.EXE, CMD.EXE (this would overwrite the same named file on Windows NT) and COMMAND.EXE. It modifies several registry entries to load on the next startup, so the creative.exe file is loaded automatically whenever the system is started.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe

The worm also modifies the following registry keys.

HKCU\software\Bugger\Default = HACK[2K]
HKCU\software\Bugger\mailed = <number>

Then it opens the Microsoft Outlook Address Book and sends email to all the email IDs stored there. The message subject will be "My baby pic !!!", the message body will be "Its my animated baby picture !!" and the attachment name will be "mybabypic.exe".

The payload of this worm is somewhat different. It switches the Num Lock, Caps Lock and Scroll Lock keys on and off and sends the message IM_BESIDES_YOU_ to the keyboard buffer. It also searches for files with the extensions JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C and H and overwrites them with the worm body. For example, XYZ.C will be renamed to XYZ.EXE. In the case of JPG and JPEG files, it overwrites the file and adds the extension .EXE. For example, XYZ.jpg will be renamed to XYZ.jpg.exe. In the case of MP2, MP3 and MU3 files, the worm creates a new file with the .EXE extension.

The worm also connects to the site www.youvebeenhack.com and sends the following message:

"FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER"
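
As an added example (not part of the original advisory and not Solo Antivirus code), the following Python script triages a directory tree for worm copies using only the indicators described above: the 77,824-byte body length, the dropped file names and the .jpg.exe / .jpeg.exe double extension. The function names and the sample files built in demo() are constructed for illustration, and a size match is treated here as a heuristic that a scanner should confirm.

```python
import os
import tempfile

WORM_SIZE = 77824  # worm body length stated in the advisory
DROPPED = {"mybabypic.exe", "winkernel32.exe", "win32dll.exe",
           "cmd.exe", "command.exe"}  # copies dropped in the system directory


def classify(path):
    """Return a reason string if path matches the advisory's indicators, else None."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    # Every worm copy is an .EXE of exactly the worm body length; a legitimate
    # CMD.EXE or COMMAND.EXE of a different size is therefore not flagged.
    if ext != ".exe" or os.path.getsize(path) != WORM_SIZE:
        return None
    if name in DROPPED:
        return "dropped copy name"
    if os.path.splitext(stem)[1] in (".jpg", ".jpeg"):
        return "overwritten image (double extension)"
    return "worm-sized executable"  # e.g. XYZ.C overwritten and renamed XYZ.EXE


def triage(root):
    """Walk root and return sorted (relative path, reason) pairs for suspect files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                reason = classify(full)
            except OSError:  # unreadable or vanished file: skip it
                continue
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (zero-filled files) and triage it."""
    sample = {"XYZ.jpg.exe": WORM_SIZE, "WINKERNEL32.EXE": WORM_SIZE,
              "XYZ.EXE": WORM_SIZE, "cmd.exe": 1000, "holiday.jpg": WORM_SIZE}
    with tempfile.TemporaryDirectory() as root:
        for name, size in sample.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        return triage(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:38} {path}")
```
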

How can I protect my system?

Solo has incorporated W32.MyBabypic@mm in its signature file to protect users from this worm attack. Solo antivirus registered users are already protected from this worm. Make sure that you have installed a registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo antivirus can detect and remove W32.Mybabypic@mm safely. Use the following link to download the 30 day trial version of Solo antivirus [1670 KB] to remove viruses from your computer.

Solo anti-virus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link
