This mailinglist archive is frozen since May 2001, i.e. it will stay online but will not be updated.
Virus warning, a real one this time
- From: Willem-Jan Markerink <w.j.markerink@xxxxx>
- Subject: Virus warning, a real one this time
- Date: Mon, 29 Mar 1999 16:50:30 +0000
Hope this helps someone:
(and yes, it's real, received an infected message/file this
morning)
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>i downloaded yesterday the update for my virusscanner,
>when surfing NAI's site (yes i use mcafee) and this morning
>it was here on national tv, i found this document:
>(which is located @:
>http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp )
>
>"
>W97M/Melissa
>Melissa is a Word 97 Class Module Macro virus that can also be upconverted
>to a Word 2000 Macro Virus. It was first discovered by NAI's Dr Solomon's
>VirusPatrol on the alt.sex newsgroup on March 26. The virus has spread
>rapidly around the world, and has infected thousands
>
>Symptom
>
>The virus can infect a system by being received from another infected user
>via Outlook. This appears to be the most common method of infection. Users
>will not know they have been infected, nor will the sender know the document
>has been sent. A user may become alerted to the infected document if the
>Macro Security settings are enabled. This warning will be displayed to the
>user when the document is opened.
>
>Pathology
>
>When the infected document is opened, the virus checks for a setting in the
>registry to test if the system has already been infected.
>
>If the system hasn't been infected, the virus creates an entry in the
>registry: HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by
>Kwyjibo"
>
>(If this key exists the email process will not execute, the virus will still
>infect. AVERT advises that it not be removed.)
>
>(As a preventive message you can create this registry key to prevent the
>virus from launching)
>
>This virus also creates an Outlook object using Visual Basic instructions
>and reads the list of members from Outlook Global Address Book. An email
>message is created and sent to the first 50 recipients programmatically all
>the address books, one at a time. The message is created with the subject
>
>"Important Message From - <User Name>"
>
>The message body of text reads
>
>"Here is that document you asked for ... don't show anyone else ;-)".
>
>The active infected document is attached and the email is sent. The most
>prevalent document being seen is one called List.DOC, however this is NOT
>the only document that can be sent or received. Once the system is infected
>all documents that are opened are infected. As any document can be sent, a
>user that receives the infected document, who hasn't been infected, can
>become infected with this document, and the process will continue.
>
>The virus does have a payload. If the day equals the minute value, and the
>infected document is opened this text is inserted at the current cursor
>position:
>
>" Twenty-two points, plus triple-word-score, plus fifty points for using all
>my letters. Game's over. I'm outta here."
>
>This virus checks for low security in Office2000 by checking the value from
>the registry; if the value
>HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is not
>null,
>
>the virus will disable the "MACRO/SECURITY" menu option. Otherwise Word97
>menu option "TOOLS/MACRO" is disabled.
>
>Comments inside the macro virus include:
>
>'WORD/Melissa written by Kwyjibo
>
>'Works in both Word 2000 and Word 97
>
>'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
>
>'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
>
>Cure
>
>For detection and cleaning, use the following combinations ONLY!
>
>VirusScan 3 requires engine 3.2.2 + hourly .DAT
>ftp://ftp.nai.com/pub/antivirus/engine/eng322sp.zip
>http://www.avertlabs.com/public/datafiles/3xupdates.asp
>
>VirusScan 4.0.x + 4019 .DAT
>http://www.avertlabs.com/public/datafiles/4xupdates.asp
>
>Toolkit 7 requires engine Special Edition 7.93 + extra.drv
>http://www.avertlabs.com/public/datafiles/7xupdates.asp
>http://www.avertlabs.com/public/datafiles/extra_drivers.asp
>"
>Greetings ralphie,
>
>--
>this email is sent to u to inform / warn U.
>U don't need to reply to this email.
--
Bye,
Willem-Jan Markerink
The desire to understand
is sometimes far less intelligent than
the inability to understand
<w.j.markerink@xxxxx>
[note: 'a-one' & 'en-el'!]
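
A mail-side check for the indicators the quoted advisory lists (subject line, body text, attached Word document), as an added example that is not part of the original post or of NAI's tooling. The sample messages, addresses and the function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory quoted above.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"

def melissa_indicators(raw_message):
    """Return the sorted names of the advisory's indicators found in one message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Any .doc counts: the advisory says List.DOC is not the only name.
            if name.lower().endswith(".doc"):
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            text = " ".join(part.get_content().lower().split())
            if BODY_PHRASE in text:
                hits.add("body")
    return sorted(hits)

def looks_like_melissa(raw_message):
    """Flag only when subject, body text and a .doc attachment all match."""
    return melissa_indicators(raw_message) == ["attachment", "body", "subject"]

def build_sample(subject, body, attachment=None):
    """Build a constructed test message (hypothetical addresses, dummy bytes)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    suspect = build_sample("Important Message From - Constructed User",
                           "Here is that document you asked for ... don't show anyone else ;-)",
                           "List.DOC")
    benign = build_sample("Meeting notes", "See attached.", "notes.doc")
    print(melissa_indicators(suspect), looks_like_melissa(suspect))
    print(melissa_indicators(benign), looks_like_melissa(benign))
```

Requiring all three indicators keeps ordinary mail with a .doc attachment from being flagged; a single hit is still worth logging.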