Melissa spawns deadly offspring

The Melissa virus continues to be the virus that will not die, as two new, much more destructive Melissa variants have been discovered and are spreading across the world via e-mail.

As predicted by security experts when the original Melissa virus outbreak occurred in March, virus writers have co-opted Melissa's code to create similar but different viruses which have been let loose upon networks.

The latest variants, Melissa.U and Melissa.V, propagate themselves in a similar fashion to the original Melissa, but now carry a potentially disastrous payload, according to anti-virus security vendor Network Associates.

Both variants are engineered so as to appear to have been sent from a friend, and include the subject line "pictures" in the case of Melissa.U, and "My Pictures" in the case of Melissa.V. In both cases, the sender's registered Microsoft Word 97 or Word 2000 username, if available, will follow in the subject line. The body of the e-mail message will read, "what's up?" in the case of Melissa.U, and will be blank in the case of Melissa.V.

If activated, Melissa.U will invoke a Messaging API (MAPI) e-mail client and send itself to the first four e-mail addresses in the address book, which often include distribution lists. It will then attempt to delete the following system files: c:\command.com, c:\io.sys, d:\command.com, d:\io.sys, c:\Ntdetect.com, c:\Suhdlog.dat, and d:\Suhdlog.dat, which are necessary when booting up a computer.

"These files are needed in order to load your machine," said Jimmy Kuo, director of anti-virus research at Network Associates. "So after the virus runs on your machine, you can no longer boot it up."

Melissa.V also invokes a MAPI client, sending itself to the first 40 addresses in the Address Book. It then attempts to delete files and directories in shared drives, but will not affect the client machine.

"Because it's deleting files from network drives, it doesn't do anything to the client machine," Kuo said. "If the infected machine is linked to another machine's C: drive, it could delete that machines root directory and prevent the other machine from booting up, but won't do anything to that machine itself."

Although the subject line claims the message includes "pictures," the attachment is actually an infected Word document. When the Word document is opened on an uninfected machine, the virus will infect Word's global template, NORMAL.DOT, infecting all future Word documents. On occasion in the case of Melissa.U, infected documents will have the message "Please Check Outlook Inbox Mail" inserted into them; in the case of Melissa.V, a pop-up message box containing the text "Please Check Your Outlook Inbox E-mail!" will appear, according to Network Associates.

Melissa.U is the more prevalent of the two variants. It is believed to have originated in Europe, but is now spreading to the United States and Australia, and "because of it's effect, it's very noticeable," Kuo said.

However, because many users and administrators made extra efforts to protect against Melissa when the original attack occurred, the spread of Melissa.U and Melissa.V has been much less rampant, but security vendors recommend -- as always -- that users update their DAT files to protect against the new variants.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Nelson

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?