W32.Mypics.Worm
Detected as: W32.Mypics.Worm, W32.Mypics.Worm (bat), W32.Mypics.Worm (com)
Aliases: Worm.Mypics, Pics4you, Cbios
Infection Length: 34,304 bytes
Likelihood: Common
Trigger Dates: Any day in Year 2000
Detected on: Dec 3, 1999
Region Reported: US
Characteristics: Worm, Y2K, BIOS
Description
W32.Mypics.Worm was discovered on the evening of Dec 2, 1999. The worm
propagates automatically on Windows 9x and Windows NT platforms through email
and has a destructive payload that triggers in the year 2000.
The worm propagates by automatically sending itself to as many as 50 people in
the Outlook address book. The subject line is empty and the body of the email
is:
Here's some pictures for you!
It will also contain a worm program attachment named pics4you.exe (34,304
bytes).
Below is an example of how the email message will appear:
<a href="mypic.gif"</a>
It attempts to fool the recipient into believing that the attachment contains
images. When the attachment is executed (pics4you.exe), the program will not
display any images and simply seems to have terminated. But the worm will
become resident in memory and will email itself to as many as 50 people. The
worm will also set Microsoft Internet Explorer browser's 'Home Page' setting to:
http://www.geocities.com/SiliconValley/Vista/8279/index.html
The Windows registry keys will also be modified and changed to load the worm in
memory every time the computer system is rebooted. As a result, the worm will
always be resident in memory.
The worm has two payloads that simulate a Y2K problem.
First, the worm monitors the system clock and when it detects the year is 2000,
the worms will modify the system BIOS. On the next cold reboot, the computer
will display a message such as
"CMOS Checksum Invalid"
and prevent the computer from booting. This can easily be corrected by going
into the BIOS setup.
After the BIOS settings are corrected, the worm will execute its second payload
and will format the hard drive.
Technical Details of Payload
Norton AntiVirus will detect this worm as W32.Mypics.Worm. After pics4you.exe
is executed, the worm will remain resident in memory and monitor the system
clock. When the worm detects the year 2000 (i.e. Jan 1, 2000), the worm will
insert and execute a file named CBIOS.COM. The worm will also overwrite the
autoexec.bat file.
The CBIOS.COM file is a 15-byte program written in assembly and designed to
overwrite the high byte of the two-byte CMOS checksum value in the system BIOS.
As a result, the computer will display a system BIOS error such as:
"CMOS Checksum Invalid"
when it is next cold rebooted. This problem can be corrected by launching the
system BIOS setup utility and saving the BIOS data again. This will rewrite and
recalculate the BIOS checksum value. Norton AntiVirus will detect this file as
W32.Mypics.Worm (com).
The worm will overwrite the autoexec.bat with the following data:
ctty nul
format d: /autotest /q /u
format c: /autotest /q /u
The new autoexec.bat file size will be 64 bytes.
As a result, the data on both the C and D drives will be formatted. Norton
AntiVirus will detect this file as W32.Mypics.Worm (bat).
<b>Additional Notes </b>
It is important to note that the worm has been written using Microsoft Visual
Basic. In order for the worm to run, the worm is dependent on a Visual Basic
Virtual Machine run-time library file named MSVBVM50.DLL that needs to be
installed independent of the worm on the computer. The MSVBVM50.DLL does not
propagate with the worm.
<b>Repair Notes </b>