Virus Name Risk Assessment <br />W32/MyLife.b@MM Medium <p>Virus Information <br />Discovery Date: 03/21/2002 <br />Origin: Unknown <br />Length: 41,984 bytes (UPX packed) <br />Type: Virus <br />SubType: E-mail <br />Minimum Dat: 4193 <br />Minimum Engine: 4.0.70 <br />DAT Release Date: 03/22/2002 <br />Description Added: 03/21/2002 <br />Description Modified: 03/22/2002 11:01 AM (PT) <br /> <br />Virus Characteristics <br />Detection for this threat wass added to the 4193 DAT files on March 22. Alternatively an EXTRA.DAT is available below. <br />This mass-mailing worm, written in Visual Basic 6, uses Microsoft Outlook to send itself to all addresses in the Outlook Address book and addresses on the MSN Messenger contact list. It arrives in an email containing the following information:<p>Subject: bill caricature <br />Attachment: cari.scr <p>The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all address found in the Outlook Address book and addresses on the MSN Messenger contact list:<p>The following Registry key is added to ensure the worm is executed at subsequent system startup:<p>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\<br />Run\win=C:\WINDOWS\SYSTEM\cari.scr <br />Upon restarting the machine, the worm does not propagate again, and the above image is not displayed. When the worm is run from the SYSTEM directory and the hour is 8am, the worm deletes the following files:<p>*.* from C:\ D:\ E:\ and F:\ <br />*.SYS, *.VXD, *.OCX and *.NLS from C:\WINDOWS\SYSTEM<br />The most likely scenario for this occurrence is for a system to become infected on one day, and the system files to be deleted the next, when the machine is rebooted or powered on in the morning. <br /> <br />Symptoms <br />Presence of: cari.scr (41,984 bytes) in the system directory. <br />Messages bearing the properties described above in your 'Sent Mail' folder.<br /> <br />Method Of Infection <br />When executed, the worm propagates itself to all addresses found in the Outlook Address book and addresses on the MSN Messenger contact list, using Microsoft Outlook. The worm copies itself to the System folder, modifying the Registry to run this copy at subsequent startup. <br /> <br />Removal Instructions <br />All Users:<br />Use current engine and DAT files for detection and removal. Alternatively, the following EXTRA.DAT packages are available: <p>Extra.dat <p>Extra.dat inside superdat package <p>In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. <br />Additional Windows ME Info:<br />NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.<p>Disabling the Restore Utility<p>1. Right click the My Computer icon on the Desktop, and choose Properties.<br />2. Click on the Performance Tab.<br />3. Click on the File System button.<br />4. Click on the Troubleshooting Tab.<br />5. Put a check mark next to "Disable System Restore".<br />6. Click the Apply button.<br />7. Click the Close button.<br />8. Click the Close button again.<br />9. You will be prompted to restart the computer. Click Yes.<br />NOTE: The Restore Utility will now be disabled.<br />10. Restart the computer in Safe Mode.<br />11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.<br />12. After removing the desired files, restart the computer normally.<br />NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active. <br /> <br />Aliases <br />Name <br />W32.Caric@mm (Symantec) <br />Win32.MyLife.B (CA) <br />Win32/Cari.Worm (CA)