Virus Central - The Place for Virus Info

W97M/Melissa.AO virus

W97M/Melissa.AO is an e-mail-spreading Microsoft Word 97/2000 macro virus/worm that uses the same infection routine as Melissa.A but has a different payload. When the infected document is opened, the virus disables four Word options: the Tools\Macro command bar, Virus Protection, SaveNormalPrompt and ConfirmConversions. It also sets the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = 1 and disables the menu item called Macros/Security.

Melissa.AO then checks the registry value HKEY_LOCAL_MACHINE\Security\ActiveWorm; if it is not set to "Worm Empire", the virus assumes that the computer has not been infected and executes the infection payload. The infection payload uses the Microsoft Outlook address book to send a copy of the infected e-mail to the first 50 individuals or groups listed in the address book. The e-mail has the subject line "Extremely URGENT: To All E-Mail User - " followed by the date. The body contains a copy of the infected document and the message: "This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail." If the recipient opens the document, they can become infected with the worm, and it will attempt to spread to other users if they use Microsoft Outlook.

An infected document contains only one macro, Document_Open; in infected Normal templates the macro is Document_Close. If this macro already exists, the virus copies the existing code to a module named Worm_Empire and then overwrites Document_Open/Document_Close with its own source code. During infection the worm creates the registry value HKEY_LOCAL_MACHINE\Security\ActiveWorm and sets it to "Worm Empire".

The virus payload triggers at 10 AM on the 10th day of any month. The file being worked on can be saved five times in the current directory, with filenames made up of the current Date & Month & Year & Second and a number from 1 to 5, e.g. 103200011(1-5).doc. The virus then inserts the message "Worm! Let's We Enjoy!" into each of the documents. This virus has been seen in the field.

W97M/Melissa.V virus

W97M/Melissa.V is a modified version of W97M/Melissa.A. The module name has been changed from "Melissa" to "mp", and the related self-check routines have been changed to match. Once activated, the virus launches "Outlook.exe" and adds a text line to the active document that reads "Opening Microsoft OutLook...". If Office 97 is in use, the macro protection warning is disabled. If Office 2000 is in use, the macro security level is set to the lowest level.

The mass-mailing feature has been changed to address the first 40 entries in every Outlook address book (instead of 50 as in W97M/Melissa.A). The message sent by the virus has the following characteristics: Subject: "My pictures " Body: """ The infected document is attached to the e-mail.

The following registry key is then created: "HKEY_CURRENT_USER\Software\Microsoft\Office\mp". The key value is set to "... by 22", which disables the mass-mailing feature the next time this virus is run on the same machine.

The virus then attempts to delete all files on the following drives: M:\, N:\, O:\, P:\, Q:\, s:\, f:\, I:\, x:\, z:\, H:\, L:\. Afterwards a message box pops up with the following text: "Please Check Your OutLook Inbox E-Mail!" Outlook is then launched again, this time with a maximized window that is visible to the user. Lastly, a text line is added to the active document that reads "Hint: Get Norton 2000 not McAfee 4.02".

Detection and cure for both W97M/Melissa.U and W97M/Melissa.V are already included in Signature version 4.25 and above. These Signature versions detect both viruses as W97M/MailWorm.Variant.

W97M/Melissa.U virus

The module name has been changed from 'Melissa' to 'Mmmmmmm'. The payload has also been altered from the original version of Melissa: this version will only send to 4 addresses (or groups), while the original sends to 50. The subject line of the e-mail has been changed to 'Pictures' and the message text has been changed to 'What's up.' The virus also contains a destructive payload that will attempt to delete the following files: c:\command.com, d:\command.com, c:\ios.sys, d:\ios.sys, c:\ntdetect.com, d:\ntdetect.com, c:\suhdlog.dat and d:\suhdlog.dat.

Most antivirus software should have updates for the new variations of Melissa, so update your antivirus software.
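As an added example (not code from the original page), the following Python mail-triage check flags messages whose subject matches the lines described above for Melissa.AO, Melissa.V and Melissa.U and which also carry a Word attachment. The function names, the list of Word extensions and the sample-message builder are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Subject patterns taken from the descriptions above, compared case-insensitively.
SUBJECT_RULES = [
    ("W97M/Melissa.AO", lambda s: s.startswith("extremely urgent: to all e-mail user -")),
    ("W97M/Melissa.V", lambda s: s.startswith("my pictures")),
    ("W97M/Melissa.U", lambda s: s == "pictures"),
]
WORD_EXTENSIONS = (".doc", ".dot")  # assumption: Word document/template attachments


def has_word_attachment(msg):
    """True if any MIME part carries a filename with a Word extension."""
    return any((part.get_filename() or "").lower().endswith(WORD_EXTENSIONS)
               for part in msg.walk())


def classify(raw_message):
    """Return the matching variant name, or None.

    Subjects such as "Pictures" are common in legitimate mail, so a match
    also requires an attached Word document (the worm mails the infected
    document along with the message).
    """
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().casefold()
    if not has_word_attachment(msg):
        return None
    for variant, matches in SUBJECT_RULES:
        if matches(subject):
            return variant
    return None


def build_sample(subject, body, attachment_name=None):
    """Constructed test message; the attachment is harmless filler bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="msword", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Pictures", "What's up.", "list.doc")))
```

A hit is a reason to quarantine the message for scanning, not proof of infection, since the subject lines alone are short and generic.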

 

  © TekWarrior.com, To protect and inform the public. All rights Reserved