New worm spoils the party

Initial reports of the mass-mailing worm were received on Sunday evening, and the rate of infection steadily increased overnight and on Monday morning. The e-mail arrives with the subject line, "new photos from my party," and purports to contain the URL to a Web page containing pictures of a friend's party. But what appars to be the URL www.myparty.yahoo.com is in fact an executable attachment capable of infecting a local machine with a copy of the virus. The real www.myparty.yahoo.com URL points to a non-existent page.

MyParty is the latest in a line of 'socially engineered' viruses that rely on the user to click on an attachment to spread the virus. "People have tended to go for the easy .exe attachment, as it still manages to lure people into double clicking," said David Emm, product marketing manager for McAfee AVERT. "But in the last six months, attachments have been replaced with URLs that link to an infected Web site."

When clicked on, the worm copies itself to the C:Recycledregctrl.exe and executes that file. It then uses the victim's default SMTP mail server to send itself out to all addresses found in the Windows Address Book and addresses found within .DBX files. DBX files are where Windows archives e-mails from Outlook.

According to Emm, both corporate and home PC users will be equally affected by the "myparty" worm.

"People can't resist something like this. The e-mails are close enough to everyday life and legitimate emails to put people off-guard. Nine out of 10 e-mails like this will be bona fide."

Sophos has devised a patch at http://www.sophos.com/downloads/ide/.

Reuters contributed to this report.