Products
- Cross Device
- PC & Mac
- Mobile/Tablet
- Other Services
  - McAfee Virus Removal Service
  - View All
- Free Tools
Virus Information
Security Advice
Support
Free Trials

Virus Profile: VBA/Generic.src

Threat Search

Virus Profile information details
Risk Assessment:	Home Medium \| Corporate Medium
Date Discovered:	1/1/0001
Date Added:	9/30/2002
Origin:	N/A
Length:	varies
Type:	Virus
Subtype:	MS Office Suite
DAT Required:	N/A
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Typically, if a temporary file is used by a macro virus, it would be found in the root directory, with a name like c:\class.sys.

Methods of Infection

Sources do not infect on their own. They are either inserted into other files by a macro virus already infecting the system, or they are inserted manually into other Office documents.

View Virus Characteristics

Virus Family Statistics (over the past 30 days)

Family Statistics information
Virus Name	Infected Files	Scanned Files	% Infected Computers
VBA/Generic.src	988	11064989	0.00

Virus Characteristics

-------Updated on 29th June 2012---------

Aliases

Microsoft - Virus:VBS/Melissa.A
Kaspersky - Virus.MSWord.Melissa
Ikarus - Virus.MSWord.Melissa.BC
Symantec - Macro.src

This virus executes when a Word97\word2000 document is opened. It begins infection by displaying the message "Have A Nice Day".

It also checks for the "Level" value in the 'HKCU\Software\Microsoft\Office\9.0\Word\Security' key. If it exists, the virus changes the value to 1 (the lowest setting-disable macro security), but if it does not exist, the virus disables the "Tools>Macro" menu item, the SaveNormal prompt, the ConfirmConversions prompt, and the macro warning dialog.

If outlook is installed on the system, the virus will create a new mail message and send it to every address (if the count is less than 50, if not it will only send it to the first 50) in every address list. The subject being "Important Message From " & the Application.UserName. The body of the message contains "Here is that document you asked for ... don't show anyone else ;-)".

The virus checks for infection by counting the lines in the module with index 1in the GlobalTemplate and the ActiveDocument. If the modules name is not "Melissa", the virus will remove all lines from the module. It then sets a destination pointer as appropriate. If both the GlobalTemplate and the ActiveDocument are infected, the virus will skip the infection routine.

If infecting the GlobalTemplate, the virus replaces all code within by inserting its viral code into the Document_Close subroutine. The virus infects the Active_Document in the same manner. It then saves the Active_Document.If the day is equal to the minute, the virus types "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." at the current cursor location.

--------------------------------------------------------------------------------------------------------------------------------------

This is a generic detection for the source to a VBA macro virus (Word, Excel, PowerPoint, etc). The source code is not an active virus, but some macro viruses store their source code in a temporary file when transferring their code from one file to another, and this temporary file would be detected as VBA/Generic.src.

Back To Overview View Removal Instructions

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

View Virus Characteristics