hort.net Seasonal photo, (c) 2006 Christopher P. Lindsey, All Rights Reserved: do not copy
articles | gallery of plants | blog | tech blog | plant profiles | patents | mailing lists | top stories | links | shorturl service | tom clothier's archive0
 Navigation
Articles
Gallery of Plants
Blog
Tech Blog
Plant Profiles
Patents
Mailing Lists
    FAQ
    Netiquette
    Search ALL lists
    Search help
    Subscription info
Top Stories
Links
sHORTurl service
Tom Clothier's Archive
 Top Stories
Disease could hit Britain's trees hard

Ten of the best snowdrop cultivars

Plant protein database helps identify plant gene functions

Dendroclimatologists record history through trees

Potato beetle could be thwarted through gene manipulation

Hawaii expands coffee farm quarantine

Study explains flower petal loss

Unauthorized use of a plant doesn't invalidate it's patent

RSS story archive

Please Don't Open "Pictures" or "My Pictures" Attachments


Good point Mike,

Here is the message contained in the attachment.

I should of thought of this in the first place.

Dan
============================

Robin Friends,

In an effort to keep your computers free of harmful new viruses, I would
like
to make you aware that there are two variants of the Melissa virus known
as
W97M/Melissa.u and W97M/Melissa.v. It is important not to open any
attachments that bear the subjects, "Pictures" or "My Pictures." McAfee
presently rates each virus as a "moderate risk."  I have gathered some
of the
key information distributed by McAfee and have printed it below for you
to
look over. If you would like to review this subject further, you can
access McAfee at http://www.mcafee.com/centers/anti-virus/

You will also be able to read the latest on four other "moderate risk"
viruses on the McAfee site.

Ted White


Virus Profile

Virus Name
W97M/Melissa.u

Date Added
10/12/99

Virus Characteristics
This virus is a modified variant of the W97M/Melissa.a virus. There are
minor
changes which differentiate this from it's obvious clone parent. The
module
name is "Mmmmmmm" instead of "Melissa" however this virus does use MAPI
email
client to send a copy of itself to the first 4 available recipients in
the
address book. As with the first version of this virus, macro security
settings in Word2000 are minimized by a registry modification.

Email messages with this virus attached will arrive with the subject
line
"pictures " followed by the registered name used for the local
installation
of Word97 or Word2000 that the email was sent from. The body of the
message
is "what's up ?". After the local machine is infected and the email has
been
sent, this virus has a damaging payload which includes the deletion of
several system files. The deletion is made possible by first using the
installed ATTRIB tool to remove read-only, hidden and system attributes
to
files, then issuing a delete instruction on them. The following is a
list of
files attempted removed from computers which receive and execute this
virus:

c:\command.com
c:\io.sys
d:\command.com
d:\io.sys
c:\Ntdetect.com
c:\Suhdlog.dat
c:\Ntdetect.com     <- being zealous proves typos can happen even for
virus
writers
d:\Suhdlog.dat

Infected documents will have the following line of text inserted into
the
active document ">>>>>Please Check Outlook Inbox Mail<<<<<". It should
be
noted that the damaging payload will occur each time the infection
routine is
run, which in documents is during the system event of opening a
document. The
global template contains a subroutine named "Document_Close" while
documents
contain a routine named "Document_Open".

This virus can be detected by VirusScan engine v4.0.35 and DAT files of
at
least 4020 when using heuristic scanning method as "virus or variant of
W97M/Melissa.gen".





-------------------------------------------------------------------
-------------

Send This Virus Information To A Friend?


Friend?---------------------------------------------------------------
-----------------

Indications Of Infection
Macro warning if opening infected document, increase in size to global
template, confirmation of changes to NORMAL.DOT. Removal of system files
listed above; complaint by other users of receiving email from you with
the
above listed characteristics.


Method Of Infection
Opening infected documents will infect global template normal.dot.

EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above) download here
Dr. Solomon's AVTK 7.95 and above download here


Virus Information
  Discovery Date: 10/8/99
  Type: Macro
  Prevalence: medium


Variants
Several

Aliases
W97M/Melissa.gen




--------------------------------------------------------------------
------------





Virus Profile

Virus Name
W97M/Melissa.v

Date Added
10/12/99

Virus Characteristics
This virus uses a single macro module named "MP" and infects the normal
template when opening an infected document.

In Word2000, the macro security level is set to the lowest setting,
allowing
macros to run. The infected document checks for a value in the registry
at
the location "HKEY_CURRENT_USER\Software\Microsoft\Office\" with a key
of
"mp?" and a value of "... by 22". If this does not exist, Outlook is
started
and an email message is created with the subject line "My Pictures" and
the
Word97 or Word2000 registered user name (i.e. John Doe). The infected
document is attached and no message body is given - this email is sent
to the
first 40 recipients in the available address book, which can include
distribution lists. After sending the email message, the registry is
modified
with the value above.

This virus also has a payload. After the infection routine, it then
attempts
to delete files and directories in the root of mapped drives with the
following letters sequentially in this order: "M:\", "N:\", "O:\",
"P:\",
"Q:\", "S:\", "F:\", "I:\", "X:\", "Z:\", "H:\", "L:\". The virus is not
subtle in announcing itself; a messagebox is shown with this message:
"Please
Check Your OutLook Inbox E-Mail !". After pressing 'OK' button, text is
then
inserted into the open document with the content: "Hint: Get Norton 2000
not
McAfee 4.02".

This virus can be detected by VirusScan engine v4.0.35 and DAT files of
at
least 4020 when using heuristic scanning method as "virus or variant of
W97M/Melissa.gen".



---------------------------------------------------------------------
To sign-off this list, send email to majordomo@mallorn.com with the
message text UNSUBSCRIBE HOSTA-OPEN





 © 1995-2015 Mallorn Computing, Inc.All Rights Reserved.
Our Privacy Statement
Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index