The public's short memory about warnings not to click on email attachments may be to blame for the continuing spread of the MyParty worm

An email attachment that poses as a Web link but is actually a mass-mailing computer worm spread slowly over the weekend, but it managed to infect systems in more than 50 countries.

Known within the antivirus industry as W32.MyParty@MM or W32/MyParty-A, the worm appears to be a link to a Web site, www.myparty.yahoo.com -- which doesn't actually exist. If the link is clicked, the worm sends itself out to every entry in the Windows address book, used by Outlook and Outlook Express. The worm affects all variants of Windows, from 95 to XP.

While it has spread worldwide, the number of infections is quite low, according to antivirus experts.

"It's quiet, and it has been relatively quiet all day," said Graham Cluley, senior technology consultant for UK-based antivirus company Sophos. "Most vendors had protection for this before the US woke up." The worm was first spotted in Asia and later tracked in Europe.

MyParty uses a trick of semantics to convince victims that the file attachment is a Web site. Certain Windows programs use a .COM extension, which of course mimics the tail end of many Web site names.

The email containing the worm has a subject line touting "new photos from MyParty!" The body adds:

"Hello! MyParty...It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!"

While MyParty may not be overly clever, said Roger Thompson, director of malicious code research for security-services company TruSecure, it seems to have worked moderately well.

"It got lucky," Thompson said, adding that computer users should have learned by now not to click on attachments, no matter what they are named. "It's an exercise in the public's short attention span."

Very little data exists to show the true spread of the worm. However, UK-based email service provider MessageLabs received copies of MyParty from more than 50 countries since Saturday, when the worm started spreading.

Rival Postini saw an increase in malicious attachments -- currently running at one out of every 100 email messages compared with a normal average of one in every 1,000 -- and found that 72 percent of that traffic consisted of copies of MyParty.

MyParty also leaves behind a file that some antivirus software makers believe to be a copy of itself and others say is a program designed to send information back to the creator.

The worm's programming limits MyParty to infecting computers from 25 January to 29 January and also ensures that any computer that has a Russian version of Windows installed won't be infected. That detail, plus the fact that the worm attempts to send infection information to an email address at a Russian Web service provider, seems to make a case that a Russian created the worm.

"There is a suspicion that the people who created this came from Russia," Cluley said. However, he cautioned that a virus writer anywhere else in the world could have manufactured such details to mislead investigators.

Compared with other worms that spread in 2001 -- such as Code Red, Nimda and SirCam -- MyParty is only a small gathering, said antivirus researchers.

Copyright © 1995-2010 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.