W97M/Melissa.A
Threat risk
|
Detection files published:
Mar 1999 |
Description created:
2000-04-10 |
Description updated:
2001-11-15 |
|
Alias:
|
Spreading mechanism
| |
|
Payload:
| ||
Spreading description
Email characteristics:
Subject: Important message from
Body: Here is that document you asked for . . . don't show anyone else ;-)
Attachment: (infected document)
The W97M/Melissa virus replicates under MS Word 8 and MS Word 9 (MS Office97 and MS Office2000). W97M/Melissa will start to disable certain settings. If Melissa detects that Word 9.0 is installed, it will disable the Macro-Security menu and set the Security-level in Word to Low, otherwise, it will disable the Tools-Macro menu and then disables the following Word 8.0 options:
- ConfirmConversions
- Virusprotection
- SaveNormalPromp
Melissa next checks the value of the registry string:
HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by Kwyjibo"
If this entry does not exist, the virus will try to create an MS Outlook session and send copies of the infected document to the first 50 people from each of your Outlook address books, and then sets the Registry key.
Otherwise the virus jump over the email routine. As a results the virus sends infected email messages only once.
W97M/Melissa use MS Outlook, not MS Outlook Express, to send out infected documents.
After sending itself to addresses in you address books, the virus checks to see if it is running on a document or Normal.dot template. If it is running on a document, it infects the Normal.dot template and vica versa.
After Normal.dot template is infected, every documents you work on will be infected as soon as you close.
Threat description
If the minute of the hour equals the day of the month, the virus insert the following message at the current cursor location in the active document:"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
