W97M/Melissa.O:
Virus name |
W97M/Melissa.O |
Aliases |
W97M/Melissa.AA, W97M/Melissa.Variant |
Type |
Word Macro Virus |
Infection:
The Melissa.O is a new variant of the melissa-virus. The subject of the
email, which is sended by the virus, is "Duhalde Presidente <Word97-username>"and
in the text a government-program is announced in spanish "Programa de gobierno 1999-2004".
If you open the attachment your system will be infected.
Payload:
First of all the virus attempts to send a copy of itself to the first 100
adresses in the Outlook-adressbook. If an infected document is opened or closed
the virus checks, if the email were send. If not it sends them now. The check is
done by the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\".
If here is an entry "x" with the value "y", the
infected mails were send.
A second payload is started, if the actual minute is exactly one smaller than
the actual day (i.e. 5 minutes after every full hour at the 6th of december). If
this correspondence appears the marked text in word is replaced by space.
Protection and removal:
If the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\"
an entry "x" with the value "y" exists, the virus is on your
PC. You can get protection against the sending of mass-emails, if you insert
this registry entry. This protects you against sending emails, but not against
the second payload (replacing text by space).
A virusscanner-update protects you against this and removes the virus out of
your PC.
Further reports to this virus:
http://www.symantec.com/avcenter/venc/data/w97m.melissa.aa.html
Copyright
by All-About-PC. All rights reserved.
All information on this website is protected by international law. Any
reproduction or publication without the agreement of the editorial
office is prohibited. Please respect the work of others.
Although all information on this website is hardly recherched and
mostly checked and confirmed from secondary side, we do not take the
responsibillity for any damage originated from the use of the
information on our site. |