Threat Encyclopedia


Win32/Mybabypic.A

Win32/Mybabypic.A is an email worm written in Visual Basic. It arrives as an email attachment named mybabypic.exe. The subject of the message is "My baby pic !!!" and the message body contains the text "Its my animated baby picture !!". The worm needs Microsoft Outlook to spread.
When the worm is executed, it creates 5 copies of itself in the Windows system directory. Each copy is always 77824 bytes in size. The names of the copies are as follows:

• cmd.exe
• command.exe
• mybabypic.EXE
• Win32DLL.exe
• WINKernel32.exe

Then the worm creates the following keys in the system registry:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32\ with path to the file WINKernel32.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic\ with path to the file mybabypic.exe
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ with path to the file Win32DLL.exe

ensuring that the worm gets activated at every system start.
Additionally, the worm creates the key HKCU\software\Bugger\ in the registry with the items default and mailed. The item default has the value CK[2K]; mailed is a number from 0 to 3.
The worm shows its presence in ways that range from connecting to one of the following addresses

Http://www.youvebeenhack.com?FROM BUGGER
Http://www.youvebeenhack.com?HAPPY VALENTINES DAY FROM BUGGER
Http://www.youvebeenhack.com?HAPPY HALLOWEEN FROM BUGGER

through manipulation of the keys NumLock, CapsLock and ScrollLock, to extensive destruction of files on the computer’s hard disks.
It overwrites files with the extensions vbs and vbe. Files with the extensions pbl, cpp, pas, c, h, js, jse, css, wsh, sct and hta are renamed to the same name with the extension changed to .exe, and the worm writes a copy of itself into the file. To files with the extensions jpg and jpeg the worm adds a second extension, exe, so that each of these files becomes, for example, filename.jpg.exe. The worm treats files with the extensions mp3, mp2 and m3u in a very similar way: it creates a copy of the original file which contains the worm and adds ".exe" as a second extension to the original file name, extension included. For the file Harry_up_Hary.mp3, this means that the file Harry_up_Hary.mp3.exe is created and the worm sets the file attribute of the original file to hidden.
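
The file-system indicators described above, turned into a triage check (an added example, not Eset's code; the function names, the finding labels and the zero-filled sample tree are constructed here). Because cmd.exe is also a legitimate Windows file name, a copy name only counts when the 77824-byte size matches as well.

```python
import tempfile
from pathlib import Path

WORM_SIZE = 77824  # size of every worm copy, per the description above
# Names of the copies dropped in the Windows system directory (lower-cased).
COPY_NAMES = {"cmd.exe", "command.exe", "mybabypic.exe",
              "win32dll.exe", "winkernel32.exe"}
DOUBLE_EXT = {".jpg", ".jpeg", ".mp3", ".mp2", ".m3u"}  # get a second ".exe"

def indicators(path):
    """List the indicators from the description that one file matches."""
    if path.suffix.lower() != ".exe":
        return []
    found = []
    if Path(path.stem).suffix.lower() in DOUBLE_EXT:
        found.append("double-extension")
        if path.with_name(path.stem).exists():  # e.g. the hidden .mp3 original
            found.append("original-alongside")
    if path.name.lower() in COPY_NAMES:
        found.append("copy-name")
    if path.stat().st_size == WORM_SIZE:
        found.append("size-77824")
    return found

def scan(root):
    """Report files with a double extension, or a copy name plus worm size."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        found = indicators(path) if path.is_file() else []
        if "double-extension" in found or {"copy-name", "size-77824"} <= set(found):
            report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Scan a constructed tree of zero-filled files (not real samples)."""
    sample = {"system/WINKernel32.exe": WORM_SIZE, "system/cmd.exe": 1000,
              "music/Harry_up_Hary.mp3": 10, "music/Harry_up_Hary.mp3.exe": WORM_SIZE,
              "pics/photo.jpg.exe": WORM_SIZE, "docs/setup.exe": 500}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, size in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"\0" * size)
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Files renamed from pbl, cpp, js and the other source extensions to a plain .exe cannot be recognised by name, so for those only the size check applies.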

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.