Virus.MSWord.Melissa.bg

tag:Macro Viruses

0 0

This is one more variant of the "Melissa" virus with a very dangerous payload routine and an unlimited (by number of recipients) mailing routine. The virus only sends infected messages by using MS Outlook and does not infect any other files on the computer, so it can be classified as an Internet Worm.

The virus arrives as an e-mail message with an attached Word document.

The message Subject looks like follows:

Resume - Janet Simons

The message Body is:

To: Director of Sales/Marketing,

Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.

Sincerely,
Janet Simons.

The attached document contains two macros that are activated upon document opening and closing (Document_Open, Document_Close). Upon opening an infected document, the virus connects to MS Outlook, gets access to the address book and sends infected messages to all addresses listed there. The virus creates a "personal" message to each address, so it sends as many messages as there are addresses in the Outlook address book.

Upon document closing, the virus saves its document with the EXPLORER.DOC name in the Windows startup folder:

C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc

As a result, this virus copy will be activated upon each Windows start-up. The name of that file is "hardcoded" in the virus body, so this feature is successful only when Windows is installed in exactly that directory.

The virus also creates the C:\DATA directory and stores its copy in there with the NORMAL.DOC name:

C:\Data\Normal.dot

The virus then runs its payload routine. It erases all files in root directories on all drives from C: to Z:, as well as in directories:

C:\My Documents\*.*
C:\WINDOWS\*.*
C:\WINDOWS\SYSTEM\*.*
C:\WINNT\*.*
C:\WINNT\SYSTEM32\*.*

The virus code also contains the text strings:

 
'----------------------------------------------------------'
 '     Better You Than Me Buddy...                          '
 '     ... Hope You Like My vIrUs                           '
 '                 :)                                       '
 '                 :(                                       '
 '----------------------------------------------------------'

previous:Virus.MSWord.Melissa.w
previous:Virus.MSWord.Mensagem

Virus Source from:

New articles

RedCrossAntivirusRedCrossAntivirus carries out the following actions: When it is run, it connects to the website http://85.231.174/inst.php?id=and the program st...Virus.MSWord.HassleThis is a encrypted virus containing 7 macros:NORMAL.DOTInfected files AutoExecAutoClose FileSaveAsToolsMacro ToolsMacroMicrosoft01 Microsoft05Microsoft02 Micro...Virus.MSWord.HilightThis is an encrypted macro virus. It contains two macros that have different names in documents and NORMAL.DOT:DocumentsNORMAL.DOT AutoOpenAutoExec PrezentItFil...Virus.MSWord.HeaderThis virus contains 3 macros:DocumentsNORMAL.DOT AutoOpenao fsFileSave fsaFileSaveAsThe virus infects the system area on opening an infected document (AutoOpen)...Virus.MSWord.HiacThis macro virus does not manifest itself in any way. It contain two macros in infected documents and NORMAL.DOT:DocumentsNORMAL.DOT ------------------- AutoClo...

Hot Articles

Virus.MSWord.Melissa.bg

Computer Virus Clounds