
I-WORM/MYBABYPIC - A NEW INTERNET WORM SPREADING

Mybabypic is an Internet worm that uses Microsoft Outlook to e-mail itself. The worm is 77,824 bytes long (78 KB) and is written in Visual Basic 6. It needs "MSVBVM60.dll" to spread; otherwise it shows a DLL-missing error. The e-mail attachment name will be "mybabypic.exe".

When the e-mail attachment is opened, a message box with the picture of a child is displayed. The worm also drops the following copies of itself in the Windows System directory: MYBABYPIC.EXE, WINKERNEL32.EXE, WIN32DLL.EXE, CMD.EXE (this would overwrite the same-named file on Windows NT) and COMMAND.EXE. It modifies several registry entries to load on the next startup, so the creative.exe file is loaded automatically whenever the system is started.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mybabypic = %WinSystem%\mybabypic.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINKernel32 = %WinSystem%\WINKernel32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices = %WinSystem%\Win32DLL.exe

The worm also modifies the following registry keys.

HKCU\software\Bugger\Default = HACK[2K]
HKCU\software\Bugger\mailed = <number>

Then it opens the Microsoft Outlook address book and sends e-mail to all the e-mail IDs stored there. The message subject will be "My baby pic !!!", the message body will be "Its my animated baby picture !!" and the attachment name will be "mybabypic.exe".

The payload of this worm is somewhat different. It switches the NumLock, CapsLock and ScrollLock keys on and off and sends the message IM_BESIDES_YOU_ to the keyboard buffer. It also searches for files with the extensions JS, JSE, CSS, WSH, SCT, HTA, PBL, CPP, PAS, C and H and overwrites them with the worm body. For example, XYZ.C will be renamed to XYZ.EXE. In the case of JPG and JPEG files, it overwrites the file and adds the extension .EXE. For example, XYZ.jpg will be renamed to XYZ.jpg.exe. In the case of MP2, MP3 and MU3 files, the worm creates a new file with the .EXE extension.

The worm also connects to the site www.youvebeenhack.com and sends the following message:

"FROM BUGGER
HAPPY VALENTINES DAY FROM BUGGER
HAPPY HALLOWEEN FROM BUGGER"

How can I protect my system?

Fire has incorporated I-Worm/Mybabypic into its virus signature file, with the aim of helping users affected by this worm to detect and eliminate it from their systems. Fire anti-virus users can update this signature file by using the online update facility.

How can I find out whether my system is infected?

You can check the system manually. This worm creates "MYBABYPIC.EXE" in the Windows system folder. The presence of this file confirms that you are infected with this worm. A free download of the FireLite [ 1100KB ] version is available to detect all viruses, including I-Worm/Mybabypic. If you find any virus, use the registered Windows version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com, or purchase Fire online using
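The manual check described above can be scripted. The following Python script is an added example, not part of the original alert or of the Fire product; it walks a directory tree and flags files using the dropped file names, the double-extension renaming and the 77,824-byte worm length given in this alert. Requiring a size match for CMD.EXE (a legitimate file name on Windows NT), treating the other dropped names as suspicious on name alone, and the wording of the reason strings are assumptions of this example.

```python
import os

WORM_SIZE = 77824  # worm length in bytes, as stated in the alert
# Assumption: these dropped names are not expected on a clean system.
NAME_ONLY = {"mybabypic.exe", "winkernel32.exe", "win32dll.exe", "command.exe"}
# CMD.EXE exists legitimately on Windows NT, so it also needs the size match.
NEEDS_SIZE = {"cmd.exe"}
IMAGE_SUFFIXES = (".jpg.exe", ".jpeg.exe")  # e.g. XYZ.jpg -> XYZ.jpg.exe


def classify(name, size):
    """Return a reason string for a suspicious file, or None if it looks clean."""
    lower = name.lower()
    if lower in NAME_ONLY:
        return "dropped copy (name)"
    if not lower.endswith(".exe") or size != WORM_SIZE:
        return None
    if lower in NEEDS_SIZE:
        return "system file overwritten (name + size)"
    if lower.endswith(IMAGE_SUFFIXES):
        return "image overwritten (double extension + size)"
    # Covers renamed sources such as XYZ.C -> XYZ.EXE; lowest confidence.
    return "possible overwritten file (size only)"


def scan(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable or vanished file
            reason = classify(name, size)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

A size-only hit is a lead for further inspection rather than a verdict, since an unrelated executable can happen to be 77,824 bytes long.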

[Analysis: Mr.Vijay Kumar, Mr.Xavier, Prognet Technologies Pvt. Ltd, Feb. 2001]
