Fw: Please Don't Open "Pictures" or "My Pictures" Attachments
- To: "Hosta"
- Subject: Fw: Please Don't Open "Pictures" or "My Pictures" Attachments
- From: D* N*
- Date: Fri, 15 Oct 1999 20:33:51 -0400
Here is a virus notice from a trusted source. It is safe to open the
attachment to this e-mail and I have done so myself.
I apologize for unsolicited advice on how to use your computer. I most
likely have started a long thread of virus postings, and I apologize for
this also.
If this turns out to be a farce, Kevin Walek is my trusted source.
If this turns out to be helpful advice, I will take all of the credit.
Here we go ...................
Dan Nelson
Bridgeville DE
zone 7
SussexTreeInc@ce.net
----- Original Message -----
From: <Giboshiman@aol.com>
To: <sussextreeinc@ce.net>; <drsnooks@buffnet.net>
Sent: Friday, October 15, 1999 8:17 PM
Subject: Fwd: Please Don't Open "Pictures" or "My Pictures" Attachments
Received this from my daylily list owner. Thought you might want to pass it on!
- To: undisclosed-recipients:;
- Subject: Please Don't Open "Pictures" or "My Pictures" Attachments
- From: T*@aol.com
- Date: Fri, 15 Oct 1999 19:34:24 EDT
- Full-name: TedWhite1
Robin Friends,
In an effort to keep your computers free of harmful new viruses, I would like
to make you aware that there are two variants of the Melissa virus known as
W97M/Melissa.u and W97M/Melissa.v. It is important not to open any
attachments that bear the subjects, "Pictures" or "My Pictures." McAfee
presently rates each virus as a "moderate risk." I have gathered some of the
key information distributed by McAfee and have printed it below for you to
look over. If you would like to review this subject further, you can
access McAfee at http://www.mcafee.com/centers/anti-virus/
You will also be able to read the latest on four other "moderate risk"
viruses on the McAfee site.
Ted White
Virus Profile
Virus Name: W97M/Melissa.u
Date Added: 10/12/99
Virus Characteristics
This virus is a modified variant of the W97M/Melissa.a virus. There are minor
changes which differentiate this from its obvious clone parent. The module
name is "Mmmmmmm" instead of "Melissa" however this virus does use MAPI email
client to send a copy of itself to the first 4 available recipients in the
address book. As with the first version of this virus, macro security
settings in Word2000 are minimized by a registry modification.
Email messages with this virus attached will arrive with the subject line
"pictures " followed by the registered name used for the local installation
of Word97 or Word2000 that the email was sent from. The body of the message
is "what's up ?". After the local machine is infected and the email has been
sent, this virus has a damaging payload which includes the deletion of
several system files. The deletion is made possible by first using the
installed ATTRIB tool to remove read-only, hidden and system attributes from
files, then issuing a delete instruction on them. The following is a list of
files the virus attempts to remove from computers which receive and execute it:
c:\command.com
c:\io.sys
d:\command.com
d:\io.sys
c:\Ntdetect.com
c:\Suhdlog.dat
c:\Ntdetect.com <- being zealous proves typos can happen even for virus writers
d:\Suhdlog.dat
Infected documents will have the following line of text inserted into the
active document ">>>>>Please Check Outlook Inbox Mail<<<<<". It should be
noted that the damaging payload will occur each time the infection routine is
run, which in documents is during the system event of opening a document. The
global template contains a subroutine named "Document_Close" while documents
contain a routine named "Document_Open".
This virus can be detected by VirusScan engine v4.0.35 and DAT files of at
least 4020 when using heuristic scanning method as "virus or variant of
W97M/Melissa.gen".
--------------------------------------------------------------------------------
Indications Of Infection
Macro warning if opening infected document, increase in size to global
template, confirmation of changes to NORMAL.DOT. Removal of system files
listed above; complaint by other users of receiving email from you with the
above listed characteristics.
Method Of Infection
Opening infected documents will infect global template normal.dot.
EXTRA Drivers
VirusScan 4 with the 4.0.25 engine (and above)
Dr. Solomon's AVTK 7.95 and above
Virus Information
Discovery Date: 10/8/99
Type: Macro
Prevalence: medium
Variants: Several
Aliases: W97M/Melissa.gen
--------------------------------------------------------------------------------
Virus Profile
Virus Name: W97M/Melissa.v
Date Added: 10/12/99
Virus Characteristics
This virus uses a single macro module named "MP" and infects the normal
template when opening an infected document.
In Word2000, the macro security level is set to the lowest setting, allowing
macros to run. The infected document checks for a value in the registry at
the location "HKEY_CURRENT_USER\Software\Microsoft\Office\" with a key of
"mp?" and a value of "... by 22". If this does not exist, Outlook is started
and an email message is created with the subject line "My Pictures" and the
Word97 or Word2000 registered user name (i.e. John Doe). The infected
document is attached and no message body is given - this email is sent to the
first 40 recipients in the available address book, which can include
distribution lists. After sending the email message, the registry is modified
with the value above.
This virus also has a payload. After the infection routine, it then attempts
to delete files and directories in the root of mapped drives with the
following letters sequentially in this order: "M:\", "N:\", "O:\", "P:\",
"Q:\", "S:\", "F:\", "I:\", "X:\", "Z:\", "H:\", "L:\". The virus is not
subtle in announcing itself; a messagebox is shown with this message: "Please
Check Your OutLook Inbox E-Mail !". After pressing the 'OK' button, text is then
inserted into the open document with the content: "Hint: Get Norton 2000 not
McAfee 4.02".
This virus can be detected by VirusScan engine v4.0.35 and DAT files of at
least 4020 when using heuristic scanning method as "virus or variant of
W97M/Melissa.gen".
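
Added example (not part of the forwarded messages or the McAfee profiles): a mail-filter check that flags messages matching the subject, body and attachment traits the two profiles describe. Matching the subject case-insensitively, requiring a .doc/.dot attachment name, and the sample messages and file names are assumptions made for illustration.

```python
from email.message import EmailMessage

# Traits from the two profiles above: (name, subject prefix, expected body).
# Lower-casing the subject and requiring a .doc/.dot attachment are assumptions.
PROFILES = [
    ("W97M/Melissa.u", "pictures ", "what's up ?"),
    ("W97M/Melissa.v", "my pictures", ""),
]

def body_text(msg):
    """Return the stripped plain-text body, or '' when the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""

def has_word_attachment(msg):
    """True if any attachment is named like a Word document or template."""
    return any((a.get_filename() or "").lower().endswith((".doc", ".dot"))
               for a in msg.iter_attachments())

def classify(msg):
    """Return the profile name a message matches, or None."""
    if not has_word_attachment(msg):
        return None
    subject = (msg["Subject"] or "").lower()
    body = body_text(msg)
    for name, prefix, expected in PROFILES:
        if subject.startswith(prefix) and body == expected:
            return name
    return None

def sample(subject, body, filename=None):
    """Build a constructed test message; nothing here is a captured sample."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="msword", filename=filename)
    return msg

if __name__ == "__main__":
    for m in (sample("pictures John Doe", "what's up ?", "list.doc"),
              sample("My Pictures John Doe", "", "list.doc"),
              sample("pictures from the garden", "See attached.", "garden.doc")):
        print(m["Subject"], "->", classify(m))
```

Requiring subject, body and attachment to agree keeps ordinary mail, including warning notices that merely quote the subject lines, from being flagged.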