December 3, 1999 12:10 PM PST
Virus set for Jan. 1, 2000
The virus--the latest in a series of increasingly flamboyant viruses that prey on vulnerabilities in Microsoft desktop software--is called W32/Mypics.worm and is triggered by the date Jan. 1, 2000. The worm, limited to Microsoft Outlook and Internet Explorer users, is received as an email attachment disguised as a picture.
What it does: If opened, the virus will delete your hard drives after New Year's Day. It may also change the default home page of your Web browser.
Means of transmission: Email. Uses Microsoft's Outlook to replicate.
How to recognize: Arrives as an email with no subject line. Message reads: "Here's some pictures for you," with a file titled, "Pics4You.exe."
Who is at risk: Any Windows 95 or 98 user.
But the damage to the unsuspecting user doesn't truly happen until Jan. 1, 2000. The virus works by masking as a Y2K problem, which will prompt users to reboot. When an infected computer is rebooted, however, the virus will attempt to format the local hard drives and erase all data, Symantec said.
"The user's left wondering if this is all happening because of Y2K," said Vincent Weafer, director of the anti-virus research center.
W32/Mypics.worm arrives in an email, with no subject line. The body of the message reads, "Here's some pictures for you!" The email message contains a "Pics4You.exe" attachment that is approximately 34,304 bytes in size.
Once the user opens the attachment, the worm loads itself into memory and executes by sending out copies of itself attached to emails addressed to up to 50 people in the user's address list. It then modifies the system registry to manipulate the system startup and also changes the user's home page in Internet Explorer to a GeoCities-hosted Web site that contains adult content.
When this happens and people notice the home page change, Weafer said, users should get suspicious and initiate anti-virus scans on their machines. He warns this should be done before Jan. 1, so the virus doesn't launch.
"This is the fifth Y2K-related virus we've discovered so far," said Weafer. "There is a lot of activity around Y2K. A lot of people are looking to get some of the publicity related to the problem." He, like other observers, expects more people to try to write viruses between now and the first of the year and have them trigger during the new year.
Although the newest Y2K worm is not a Melissa variant, the new worm is similar to Melissa, said Narender Mangalan, Computer Associates' director of security. Several of Computer Associates' large customers have found it on their systems.
The new virus is the third Melissa relative to hit in the last two weeks. Prilissa--which triggers during Christmas--and the variant of Worm.ExploreZip--which deletes files--are the other two.
Prilissa also can knock out hard drives, but is triggered to go off on Dec. 25.
"[The W32/Mypics.worm virus] combines all the bad things the previous viruses had. It can send itself to 50 email addresses on your address book, it's a date-triggered virus that triggers on Y2K. And it can delete the information on your hard drive."
Mangalan said this is yet another reason to prepare for Y2K, warning that people must make sure they're Y2K-compliant. Otherwise, "When people come in after New Year's, they don't know if their problem is due to a virus or the Y2K bug."
People can protect their computers by not opening the attached document. Update anti-virus software to ensure protection against the worm, said Weafer. Additional information on the new virus is available at the Symantec Web site.
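As an added illustration (not from the article or from Symantec), a mail-gateway style check in Python that scores a message against the indicators the article reports: no subject line, the quoted body text, and a "Pics4You.exe" attachment of roughly 34,304 bytes. The function names, the 512-byte size tolerance, the quarantine rule and the sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators reported in the article; SIZE_TOLERANCE is an assumption
# covering the article's "approximately 34,304 bytes".
ATTACHMENT_NAME = "pics4you.exe"
BODY_PHRASE = "here's some pictures for you"
REPORTED_SIZE = 34304
SIZE_TOLERANCE = 512

def score_message(raw: bytes) -> list:
    """Return the article indicators matched by a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg["Subject"] or "").strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().lower().replace("\u2019", "'")
        if BODY_PHRASE in text:
            hits.append("body-phrase")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
            size = len(part.get_payload(decode=True) or b"")
            if abs(size - REPORTED_SIZE) <= SIZE_TOLERANCE:
                hits.append("attachment-size")
        elif name.endswith(".exe"):
            hits.append("executable-attachment")
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Hold on the exact attachment name, or on any two weaker indicators."""
    hits = score_message(raw)
    return "attachment-name" in hits or len(hits) >= 2

def build_sample(subject, text, filename=None, size=0) -> bytes:
    """Constructed test message; addresses and filler bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    if subject is not None:
        m["Subject"] = subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"\x00" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample(None, "Here's some pictures for you!", "Pics4You.exe", 34304)
    print(score_message(worm_like), should_quarantine(worm_like))
```

The weaker indicators are combined rather than used alone because a missing subject line or an executable attachment on its own also occurs in ordinary mail.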