The first email worm to use the .com extension has been spotted in the wild over the weekend. Antivirus experts are currently rating the MyParty virus as a medium risk.
Initial reports of the mass-mailing worm were received on Sunday evening, and the rate of infection steadily increased overnight and on Monday morning. The email arrives with the subject line, "new photos from my party," and purports to contain the URL to a Web page containing pictures of a friend's party. But what appears to be the URL www.myparty.yahoo.com is in fact an executable attachment capable of infecting a local machine with a copy of the virus. The real www.myparty.yahoo.com URL points to a non-existent page.
MyParty is the latest in a line of 'socially engineered' viruses that rely on the user to click on an attachment to spread the virus. "People have tended to go for the easy .exe attachment, as it still manages to lure people into double clicking," said David Emm, product marketing manager for McAfee AVERT. "But in the last six months, attachments have been replaced with URLs that link to an infected Web site."
The worm is UXP compressed, and when clicked on, copies itself to the C:\Recycled\regctrl.exe and executes that file. It then uses the victim's default SMTP mail server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files. DBX files are where Windows archives emails from Outlook.
According to Emm, both corporate and home PC users will be equally affected by the "myparty" worm.
"People can't resist something like this. The emails are close enough to everyday life and legitimate emails to put people off-guard. Nine out of 10 emails like this will be bona fide."