Melissa spawns deadly offspring

The Melissa virus continues to be the virus that will not die, as two new, much more destructive Melissa variants have been discovered and are spreading across the world via e-mail.

As predicted by security experts when the original Melissa virus outbreak occurred in March, virus writers have co-opted Melissa's code to create similar but different viruses which have been loosed upon networks.

The latest variants, Melissa.U and Melissa.V, propagate themselves in a similar fashion to the original Melissa, but now carry a potentially disastrous payload, according to antivirus security vendor Network Associates.

Both variants are engineered so as to appear to have been sent from a friend, and include the subject line "pictures" in the case of Melissa.U, and "My Pictures" in the case of Melissa.V. In both cases, the sender's registered Microsoft Word 97 or Word 2000 username, if available, will follow in the subject line. The body of the e-mail message will read, "what's up?" in the case of Melissa.U, and will be blank in the case of Melissa.V.

If activated, Melissa.U will invoke a Messaging API (MAPI) e-mail client and send itself to the first four e-mail addresses in the address book, which often include distribution lists. It will then attempt to delete the following system files: c:\command.com, c:\io.sys, d:\command.com, d:\io.sys, c:\Ntdetect.com, c:\Suhdlog.dat, and d:\Suhdlog.dat, which are necessary when booting up a computer.

"These files are needed in order to load your machine," said Jimmy Kuo, director of antivirus research at Network Associates. "So after the virus runs on your machine, you can no longer boot it up."

Melissa.V also invokes a MAPI client, sending itself to the first 40 addresses in the Address Book. It then attempts to delete files and directories in shared drives, but will not affect the client machine.

"Because it's deleting files from network drives, it doesn't do anything to the client machine," Kuo said. "If the infected machine is linked to another machine's C: drive, it could delete that machines root directory and prevent the other machine from booting up, but won't do anything to that machine itself."

Although the subject line claims the message includes "pictures", the attachment is actually an infected Word document. When the Word document is opened on an uninfected machine, the virus will infect Word's global template, NORMAL.DOT, infecting all future Word documents. On occasion in the case of Melissa.U, infected documents will have the message "Please Check Outlook Inbox Mail" inserted into them; in the case of Melissa.V, a pop-up message box containing the text "Please Check Your Outlook Inbox E-mail!" will appear, according to Network Associates.

Melissa.U is the more prevalent of the two variants. It is believed to have originated in Europe, but is now spreading to the United States and Australia, and "because of it's effect, it's very noticeable", Kuo said.

However, because many users and administrators made extra efforts to protect against Melissa when the original attack occurred, the spread of Melissa.U and Melissa.V has been much less rampant, but security vendors recommend -- as always -- that users update their DAT files to protect against the new variants.

Network Associates is at on the Web at http://www.nai.com/

Join the newsletter!

Error: Please check your email address.

More about MicrosoftNAI

Show Comments

Market Place