Some of the contents of the pages on this site are Copyright © 2016 NJH Music



Genuine Virus Alert



Hi folks,

Having been guilty of passing on the odd hoax, with every good intent I
assure you, I have had the following virus alert checked out.  Yes, it is
genuine so watch out for it.

Colin
Bristol East Band

****************************************************************

A genuine Virus Warning - from the NAI/McAfee/Solomon's home page
W97M/Melissa
Melissa is a Word 97 Class Module Macro virus that can also be
upconverted to a Word 2000 Macro Virus. It was first discovered by
NAI's Dr Solomon's VirusPatrol on the alt.sex newsgroup on March 26. The
virus has spread rapidly around the world, and has infected thousands

Symptom

The virus can infect a system by being received from another infected
user via Outlook. This appears to be the most common method of
infection. Users will not know they have been infected, nor will the
sender know the document has been sent. A user may become alerted to
the infected document if the Macro Security settings are enabled. This
warning will be displayed to the user when the document is opened.

Pathology

When the infected document is opened, the virus checks for a setting in
the registry to test if the system has already been infected.

If the system hasn't been infected, the virus creates an entry in the
registry: HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "...
by Kwyjibo"

(If this key exists the email process will not execute, the virus will
still infect. AVERT advises that it not be removed.)

(As a preventive message you can create this registry key to prevent
the virus from launching)

This virus also creates an Outlook object using Visual Basic
instructions and reads the list of members from Outlook Global Address
Book. An email message is created and sent to the first 50 recipients
programmatically all the address books, one at a time. The message is
created with the subject

"Important Message From - <User Name>"

The message body of text reads

"Here is that document you asked for ... don't show anyone else ;-)".

The active infected document is attached and the email is sent. The
most prevalent document being seen is one called List.DOC, however this
is NOT the only document that can be sent or received. Once the system
is infected all documents that are opened are infected. As any document
can be sent, a user that receives the infected document, who hasn't
been infected, can become infected with this document, and the process
will continue.

The virus does have a payload. If the day equals the minute value, and
the infected document is opened this text is inserted at the current
cursor position:

" Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."

This virus checks for low security in Office2000 by checking the value
from the registry; if the value
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level"
is not null,

the virus will disable the "MACRO/SECURITY" menu option. Otherwise
Word97 menu option "TOOLS/MACRO" is disabled.

Comments inside the macro virus include:

'WORD/Melissa written by Kwyjibo

'Works in both Word 2000 and Word 97

'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!

'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

Cure

For detection and cleaning, use the following combinations ONLY!

VirusScan 3 requires engine 3.2.2 + hourly .DAT
ftp://ftp.nai.com/pub/antivirus/engine/eng322sp.zip
http://www.avertlabs.com/public/datafiles/3xupdates.asp

VirusScan 4.0.x + 4019 .DAT
http://www.avertlabs.com/public/datafiles/extra_drivers.asp

Toolkit 7 requires engine Special Edition 7.93 + extra.drv
http://www.avertlabs.com/public/datafiles/7xupdates.asp
http://www.avertlabs.com/public/datafiles/extra_drivers.asp

(c) 1998, Network Associates, Inc. and its affiliated Companies. All
Rights Reserved.

******************************************************************


--
unsubscribe or receive the list in digest form, mail a message of 'help' to
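
The following mail-filter sketch is an added example, not part of the original post or of the NAI advisory. It flags messages that combine the subject or body text quoted in the advisory with a Word attachment of any name; the addresses, sample messages and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"
WORD_EXTS = (".doc", ".dot")  # assumption: match on file extension only

def melissa_indicators(raw_message):
    """Return which advisory indicators appear in one raw e-mail message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    if BODY_PHRASE in " ".join(body.split()).lower():
        hits.append("body")
    # The advisory stresses List.DOC is NOT the only name, so any Word file counts.
    for att in msg.iter_attachments():
        if (att.get_filename() or "").lower().endswith(WORD_EXTS):
            hits.append("word-attachment")
            break
    return hits

def should_quarantine(raw_message):
    """Require a text indicator AND a Word attachment, so a warning that only
    quotes the phrases (like this post) is not held back."""
    hits = melissa_indicators(raw_message)
    return "word-attachment" in hits and ("subject" in hits or "body" in hits)

def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "list@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_string()

if __name__ == "__main__":
    sample = build_sample("Important Message From - Example User",
                          "Here is that document you asked for ... "
                          "don't show anyone else ;-)", "List.DOC")
    print(melissa_indicators(sample), should_quarantine(sample))
```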
