First posted on 13 September 2017.
Source: Microsoft

Aliases :

There are no other names known for Virus:O97M/Melissa.BU.

Explanation :

This worm spreads through: File infection

Infected documents carry the virus in a class module called Empirical. When an infected document is opened and the virus identifies the environment as Word 9.0, it removes the menu option 'Macro\Security' from the toolbar and enables all macros by changing the security settings in the registry:

In subkey: HKCU\Software\Microsoft\Office\9.0\Word\Security
Sets value: "Level"
With data: 1

If the virus is running in Word 8, it removes the menu option 'Tools\Macro' from the toolbar and disables the following three security-related features:

  • built-in macro protection
  • warning about modifications to the Normal template
  • format conversion confirmation

Then the virus infects the Normal template. If the first class module is not called Empirical, it removes any code from that module and replaces it with the virus code. If the virus runs from an infected Normal template, it uses the same method to infect the active document.

Next, the worm attempts to send itself out as an email attachment. The virus checks the Outlook address lists and collects up to 50 email addresses from each list. It then constructs an email, choosing at random one of the following subject and body pairs:

Subject = "Question for you..."
Body = "It's fairly complicated so I've attached it."

Subject = "Check this!!"
Body = "This is some wicked stuff!"

Subject = "Cool Web Sites"
Body = "Check out the Attached Document for a list of some of the best Sites on the Web"

Subject = "80mb Free Web Space!"
Body = "Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room."

Subject = "Cheap Software"
Body = "The attached document contains a list of web sites where you can obtain Cheap Software"

Subject = " Cheap Hardware"
Body = " I've attached a list of web sites where you can obtain Cheap Hardware"

Subject = "Free Music"
Body = " Here is a list of places where you can obtain Free Music."

Subject = " Free Downloads"
Body = " Here is a list of sites where you can obtain Free Downloads."
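
As an added example (not part of the original write-up and not Microsoft's detection logic), a mail-gateway style check that flags a message only when it pairs one of the subjects above with its matching body and carries an attachment. The function names and the sample attachment name and bytes are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject/body pairs from the description above; leading spaces are dropped
# here because matching normalizes whitespace anyway.
LURES = [
    ("Question for you...", "It's fairly complicated so I've attached it."),
    ("Check this!!", "This is some wicked stuff!"),
    ("Cool Web Sites", "Check out the Attached Document for a list of some of the best Sites on the Web"),
    ("80mb Free Web Space!", "Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room."),
    ("Cheap Software", "The attached document contains a list of web sites where you can obtain Cheap Software"),
    ("Cheap Hardware", "I've attached a list of web sites where you can obtain Cheap Hardware"),
    ("Free Music", "Here is a list of places where you can obtain Free Music."),
    ("Free Downloads", "Here is a list of sites where you can obtain Free Downloads."),
]

def _norm(text):
    """Collapse whitespace and case so stray spaces or capitals do not defeat the match."""
    return " ".join(text.split()).casefold()

_INDEX = {_norm(s): (s, _norm(b)) for s, b in LURES}

def match_lure(raw):
    """Return the listed subject if raw (bytes) pairs it with its body and has an attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hit = _INDEX.get(_norm(str(msg["Subject"] or "")))
    if hit is None:
        return None
    subject, body_text = hit
    part = msg.get_body(preferencelist=("plain",))
    body = _norm(part.get_content()) if part is not None else ""
    has_attachment = next(msg.iter_attachments(), None) is not None
    return subject if body_text in body and has_attachment else None

def build_sample(subject, body, attach=True):
    """Constructed test message; the attachment name and bytes are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attach:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="msword", filename="sample.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    print(match_lure(build_sample(" Cheap Hardware", LURES[5][1])))
```

Requiring the subject, its paired body and an attachment together keeps ordinary mail that merely reuses a common subject such as "Check this!!" from being flagged.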

Other payload
If Minute(Now) = Hour(Now), the virus types the message " All empires fall, you just have to know where to push." into the open document.

Last update 13 September 2017


