[COMP] NORTON'S, ANOTHER VIRUS..MELISSA.AA
- From: CRAZYDOVE@xxxxxxx
- To: CRAZYDOVE@xxxxxxx
- Date: Thu, 2 Dec 1999 17:44:27 EST
**NORTON ANTIVIRUS EMERGENCY NEWS BULLETIN #2**
December 1, 1999
_____________________________
WARNING! Another new virus has surfaced on the Internet!
W97M.Melissa.AA is a new version of the Melissa virus released
earlier in 1999.
** THIS VIRUS SHOULD BE CONSIDERED DANGEROUS! **
You can protect yourself against this virus by updating your virus
definitions. Simply run LiveUpdate, or download the definitions from
http://www.symantec.com/avcenter.
The same update will protect you from the new Worm.ExploreZip(pack)
variant also.
MANUAL REPAIR NOTES
The additional Windows Registry value presents no harm. In fact, if
it's already set to "y", it will prevent the mass emailing. If you'd
like, you can easily remove this registry value using the Windows
REGEDIT utility. You may also safely remove the registry key with the same
value name "x" and value data "y" from:
HKEY_USERS\.Default\Software\Microsoft\Office\
DESCRIPTION
W97M.Melissa.AA is a modified variant of the W97M.Melissa.A virus.
Norton AntiVirus was capable of detecting this new variant of the
Melissa virus with its heuristic technology called Bloodhound. When
unknown macro viruses are detected by Bloodhound, the virus will be
called 'Bloodhound.WordMacro' by Norton AntiVirus. By using the most
recent virus definitions, Norton AntiVirus will detect it as a known
virus and identify it as 'W97M.Melissa.AA'.
In future virus definitions, Norton AntiVirus will be renaming
W97M.Melissa.AA to W97M.Melissa.O.
The key changes made from the original W97M.Melissa.A virus are:
- The virus module name (now called "x")
- The email subject/message
- A malicious payload which deletes some text from the active
document
Please refer to the W97M.Melissa.A write-up for more general
information on the Melissa virus at
http://www.symantec.com/avcenter.
PAYLOAD
As its primary payload, the virus will attempt to use Microsoft
Outlook to e-mail a copy of the infected document to as many as 100
people. When a user opens or closes an infected document, the virus
first checks to see if it has done this e-mailing once before by
checking the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\
If this key has a value name "x" and value data "y" then the
e-mailing has been done previously from the current machine. The virus
will not attempt to do the mass mailing a second time from the
current machine. If it does not find the registry entry, it will do
the email payload similar to W97M.Melissa.A. The difference is that
it sends to up to 100 addresses, and the subject line is:
Duhalde Presidente USERNAME
where USERNAME is taken from the MS Word setting, and the email
message is:
Programa de gobierno 1999 - 2004.
The second payload is triggered when Day(Now) +1 = Minute(Now)+2 and
replaces the currently selected text of the document with a single
space.
========================================
Avenir Web's Computers Mailing List
List Modes, Subscription, and General Info:
Go to http://avenir.dhs.org/mailing.html
List Archives: http://avenir.dhs.org/archives/
Administrative Contact: webmaster@xxxxxxxxxxxxxx
Get computer help: http://avenir.dhs.org
========================================
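
The marker check described under PAYLOAD and MANUAL REPAIR NOTES, as an added example that is not part of the original bulletin or of Norton AntiVirus: it scans a REGEDIT text export for value name "x" with value data "y" directly under the two Office keys the bulletin names. The function name and the sample export are constructed for illustration.

```python
import re

# The two keys named in the bulletin, lowercased, trailing backslash dropped.
MARKER_KEYS = {
    r"hkey_current_user\software\microsoft\office",
    r"hkey_users\.default\software\microsoft\office",
}
MARKER_NAME, MARKER_DATA = "x", "y"

_KEY = re.compile(r"^\[(?P<key>.+)\]\s*$")
_STR = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def find_marker(reg_text):
    """Return the keys in a regedit text export that hold "x"="y".

    Only the exact keys from the bulletin count; the same value under a
    subkey is ignored. A hit means either the mass-mailing routine already
    ran for that profile or the value was set by hand to block it.
    """
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group("key").rstrip("\\")
            continue
        m = _STR.match(line)
        if not (m and current and current.lower() in MARKER_KEYS):
            continue
        name, data = _unescape(m.group("name")), _unescape(m.group("data"))
        # Registry value names are case-insensitive; the data is compared as-is.
        if name.lower() == MARKER_NAME and data == MARKER_DATA:
            hits.append(current)
    return hits


# Constructed sample export (not taken from a real machine).
SAMPLE = "\n".join([
    "REGEDIT4", "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Office]", '"x"="y"', "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word]", '"x"="y"', "",
    r"[HKEY_USERS\.Default\Software\Microsoft\Office]", '"x"="n"', "",
])

if __name__ == "__main__":
    print(find_marker(SAMPLE))
```

A Unicode-format export has to be decoded to text before it is passed in.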