Virus Characteristics
This is a variant of the W97M/Melissa family with a very dangerous payload. It is a worm in that it does not infect the local host system; it spreads by email when the document is opened. It arrives as an Outlook email in the following format:
---------------begin copy of email--------
Subject: Resume - Janet Simons
To: Director of Sales/Marketing,
Attached is my resume with a list of references contained within.
Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Sincerely,
Janet Simons.
«Explorer.doc»
-----------------end copy of email--------
If the file EXPLORER.DOC is opened, it will forward an email to all entries in all available address books.
As if this wasn't enough, this trojan will wait for the user to close the document before continuing with a more damaging payload.
On closing the document, this trojan will perform the following actions against the victim:
* try to copy itself as "C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc"
* try to copy itself as "C:\Data\Normal.dot"
* try to delete all files in the following directories and drives in this order, making the system unusable if this occurs:
"C:\*.*"
"C:\My Documents\*.*"
"C:\WINDOWS\*.*"
"C:\WINDOWS\SYSTEM\*.*"
"C:\WINNT\*.*"
"C:\WINNT\SYSTEM32\*.*"
"A:\*.*" [may cause an error message]
"B:\*.*" [may cause an error message]
and *.* in the root of drives D: through Z:
At the beginning of the virus code, the following comments exist but are never displayed:
'-----------------------------------------------------'
'Better You Than Me Buddy...
'... Hope You Like My vIrUs
' :)
' :(
'-----------------------------------------------------'
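
A triage check built from the indicators listed above, added here as an example and not part of the original description. The function names and the sample message are constructed for illustration, and the check matches only the exact subject, attachment name and copy locations given on this page.

```python
import email
from email import policy

# Indicators taken from the description above.
SUBJECT = "resume - janet simons"
ATTACHMENT = "explorer.doc"
DROP_PATHS = {
    r"c:\windows\start menu\programs\startup\explorer.doc",
    r"c:\data\normal.dot",
}

def check_message(raw: bytes) -> list[str]:
    """Return which email indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse whitespace so folded or padded subjects still compare equal.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()  # also falls back to Content-Type "name"
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def check_paths(paths) -> list[str]:
    """Return listed paths equal to a copy location, ignoring case and slash style."""
    return [p for p in paths
            if p.strip().strip('"').replace("/", "\\").lower() in DROP_PATHS]

# Constructed sample message (not a real capture).
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"To: recipient@example.test\r\n"
    b"Subject: Resume - Janet Simons\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Attached is my resume with a list of references contained within.\r\n"
    b"--b1\r\nContent-Type: application/msword\r\n"
    b'Content-Disposition: attachment; filename="EXPLORER.DOC"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
    print(check_paths([r"C:\Data\Normal.dot", r"C:\Data\report.doc"]))
```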