hort.net Seasonal photo, (c) 2006 Christopher P. Lindsey, All Rights Reserved: do not copy
articles | gallery of plants | blog | tech blog | plant profiles | patents | mailing lists | top stories | links | shorturl service | tom clothier's archive0
Gallery of Plants
Tech Blog
Plant Profiles
Mailing Lists
    Search ALL lists
    Search help
    Subscription info
Top Stories
sHORTurl service
Tom Clothier's Archive
 Top Stories
New Trillium species discovered

Disease could hit Britain's trees hard

Ten of the best snowdrop cultivars

Plant protein database helps identify plant gene functions

Dendroclimatologists record history through trees

Potato beetle could be thwarted through gene manipulation

Hawaii expands coffee farm quarantine

Study explains flower petal loss

RSS story archive

Fw: Please Don't Open "Pictures" or "My Pictures" Attachments

Here is a virus notice from a trusted source. It is safe to open the
attachment to this e-mail and I have done so myself.

I apologize for unsolicited advice on how to use your computer. I most
likely have started a long thread of virus postings, and I apologize for
this also.

If this turns out to be a farce, Kevin Walek is my trusted source.

If this turns out to be helpful advice, I will take all of the credit.

Here we go ...................

Dan Nelson
Bridgeville DE
zone 7

----- Original Message -----
From: <Giboshiman@aol.com>
To: <sussextreeinc@ce.net>; <drsnooks@buffnet.net>
Sent: Friday, October 15, 1999 8:17 PM
Subject: Fwd: Please Don't Open "Pictures" or "My Pictures" Attachments

Received this from my daylily list owner.  Thought you might want to
pass it

  • To: undisclosed-recipients:;
  • Subject: Please Don't Open "Pictures" or "My Pictures" Attachments
  • From: TedWhite1@aol.com
  • Date: Fri, 15 Oct 1999 19:34:24 EDT
  • Full-name: TedWhite1
Robin Friends,

In an effort to keep your computers free of harmful new viruses, I would like 
to make you aware that there are two variants of the Melissa virus known as 
W97M/Melissa.u and W97M/Melissa.v. It is important not to open any 
attachments that bear the subjects, "Pictures" or "My Pictures." McAfee 
presently rates each virus as a "moderate risk."  I have gathered some of the 
key information distributed by McAfee and have printed it below for you to 
look over. If you would like to review this subject further, you can
access McAfee at http://www.mcafee.com/centers/anti-virus/

You will also be able to read the latest on four other "moderate risk" 
viruses on the McAfee site.

Ted White
Virus Profile  
Virus Name

Date Added

Virus Characteristics
This virus is a modified variant of the W97M/Melissa.a virus. There are minor 
changes which differentiate this from it's obvious clone parent. The module 
name is "Mmmmmmm" instead of "Melissa" however this virus does use MAPI email 
client to send a copy of itself to the first 4 available recipients in the 
address book. As with the first version of this virus, macro security 
settings in Word2000 are minimized by a registry modification. 

Email messages with this virus attached will arrive with the subject line 
"pictures " followed by the registered name used for the local installation 
of Word97 or Word2000 that the email was sent from. The body of the message 
is "what's up ?". After the local machine is infected and the email has been 
sent, this virus has a damaging payload which includes the deletion of 
several system files. The deletion is made possible by first using the 
installed ATTRIB tool to remove read-only, hidden and system attributes to 
files, then issuing a delete instruction on them. The following is a list of 
files attempted removed from computers which receive and execute this virus: 

c:\Ntdetect.com     <- being zealous proves typos can happen even for virus 

Infected documents will have the following line of text inserted into the 
active document ">>>>>Please Check Outlook Inbox Mail<<<<<". It should be 
noted that the damaging payload will occur each time the infection routine is 
run, which in documents is during the system event of opening a document. The 
global template contains a subroutine named "Document_Close" while documents 
contain a routine named "Document_Open". 

This virus can be detected by VirusScan engine v4.0.35 and DAT files of at 
least 4020 when using heuristic scanning method as "virus or variant of 


Send This Virus Information To A Friend?


Indications Of Infection
Macro warning if opening infected document, increase in size to global 
template, confirmation of changes to NORMAL.DOT. Removal of system files 
listed above; complaint by other users of receiving email from you with the 
above listed characteristics. 

Method Of Infection
Opening infected documents will infect global template normal.dot. 

EXTRA Drivers 
VirusScan 4 with the 4.0.25 engine (and above) download here 
Dr. Solomon's AVTK 7.95 and above download here 

Virus Information
  Discovery Date: 10/8/99 
  Type: Macro 
  Prevalence: medium 



Virus Profile  
Virus Name

Date Added

Virus Characteristics
This virus uses a single macro module named "MP" and infects the normal 
template when opening an infected document. 

In Word2000, the macro security level is set to the lowest setting, allowing 
macros to run. The infected document checks for a value in the registry at 
the location "HKEY_CURRENT_USER\Software\Microsoft\Office\" with a key of 
"mp?" and a value of "... by 22". If this does not exist, Outlook is started 
and an email message is created with the subject line "My Pictures" and the 
Word97 or Word2000 registered user name (i.e. John Doe). The infected 
document is attached and no message body is given - this email is sent to the 
first 40 recipients in the available address book, which can include 
distribution lists. After sending the email message, the registry is modified 
with the value above. 

This virus also has a payload. After the infection routine, it then attempts 
to delete files and directories in the root of mapped drives with the 
following letters sequentially in this order: "M:\", "N:\", "O:\", "P:\", 
"Q:\", "S:\", "F:\", "I:\", "X:\", "Z:\", "H:\", "L:\". The virus is not 
subtle in announcing itself; a messagebox is shown with this message: "Please 
Check Your OutLook Inbox E-Mail !". After pressing 'OK' button, text is then 
inserted into the open document with the content: "Hint: Get Norton 2000 not 
McAfee 4.02". 

This virus can be detected by VirusScan engine v4.0.35 and DAT files of at 
least 4020 when using heuristic scanning method as "virus or variant of 

 © 1995-2017 Mallorn Computing, Inc.All Rights Reserved.
Our Privacy Statement
Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index