Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W97M/Melissa.A

Overview

Threat Risk LOW LOW
Destructivity LOW LOW
Payload
Detection files published
Description created 09 Apr 2000 03:00:00
Description updated 15 Nov 2001 04:58:00
Malware type VIRUS
Alias
Spreading mechanism EMAIL
Summary None

W97M/Melissa.A

Spreading

The W97M/Melissa virus replicates under MS Word 8 and MS Word 9 (MS Office97 and MS Office2000). W97M/Melissa will start to disable certain settings. If Melissa detects that Word 9.0 is installed, it will disable the Macro-Security menu and set the Security-level in Word to Low, otherwise, it will disable the Tools-Macro menu and then disables the following Word 8.0 options:



ConfirmConversions Virusprotection SaveNormalPromp Melissa next checks the value of the registry string:

HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by Kwyjibo"

If this entry does not exist, the virus will try to create an MS Outlook session and send copies of the infected document to the first 50 people from each of your Outlook address books, and then sets the Registry key.

Otherwise the virus jump over the email routine. As a results the virus sends infected email messages only once.

W97M/Melissa use MS Outlook, not MS Outlook Express, to send out infected documents.

After sending itself to addresses in you address books, the virus checks to see if it is running on a document or Normal.dot template. If it is running on a document, it infects the Normal.dot template and vica versa.

After Normal.dot template is infected, every documents you work on will be infected as soon as you close.

Payload Details

If the minute of the hour equals the day of the month, the virus insert the following message at the current cursor location in the active document:"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15