 |
| |
|
Profile
|
|
|
Virus Name
W97M/Resume.a@mm
Aliases
Melissa.bg
W97M/Melissa.bg@mm
Variants
|
Related Downloads
Description Added
5/26/00
Virus Information
| |
| | Discovery Date: | 5/26/00 |
| | Origin: | Email |
| | Length: | 39,424 |
| | Type: | Trojan |
| | SubType: | Macro |
| | Risk Assessment: | Medium On Watch |
| | Minimum Engine: | 4.0.35 |
| | Minimum Dat: | 4081 |
| | DAT Release Date: | 6/7/00 |
Virus Characteristics
This is a variant of the W97M/Melissa family with a very dangerous payload. This is a worm in that it does not infect the local host system. It spreads by email on opening of the document. It will arrive by Outlook email with the following format:
---------------begin copy of email--------
Subject: Resume - Janet Simons
To: Director of Sales/Marketing,
Attached is my resume with a list of references contained within.
Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Sincerely,
Janet Simons.
«Explorer.doc»
-----------------end copy of email--------
If the file EXPLORER.DOC is opened, it will forward an email all entries in all available address books.
As if this wasn't enough, this trojan will wait for the user to close the document before continuing with a more damaging payload.
On closing the document, this trojan will perform the following actions against the victim:
* try to copy itself as
"C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc"
* try to copy itself as "C:\Data\Normal.dot"
* try to delete all files in the following directories and drives in this order, making the system unusable if this occurs:
"C:\*.*"
"C:\My Documents\*.*"
"C:\WINDOWS\*.*"
"C:\WINDOWS\SYSTEM\*.*"
"C:\WINNT\*.*"
"C:\WINNT\SYSTEM32\*.*"
"A:\*.*" [may cause an error message]
"B:\*.*" [may cause an error message]
and *.* in the root of drives D: thru Z:
At the beginning of the virus code, the following comments exist but are never displayed:
'-----------------------------------------------------'
'Better You Than Me Buddy...
'... Hope You Like My vIrUs
' :)
' :(
'-----------------------------------------------------'
Symptoms
Receipt of an email message as described above - DO NOT OPEN THE ATTACHMENT. If the document received by email is opened, deletion of files may occur, as described above.
Method Of Infection
This trojan is actually a worm in that it does not infect the global template, only forwards to everyone in available address books.
Removal Instructions
Script,Batch,Macro and non memory-resident:
Use specified engine and DAT files for detection and removal.
Note1- Microsoft has released an update for Outlook as an email attachment security update. Apply this update as applicable.
Note2- It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
PE,Trojan,Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use an emergency boot diskette and use the command line scanner such as "SCANPM C: /CLEAN /ALL"
|