Email-Worm.Win32.Melare

Class Email-Worm
Platform Win32
Description

Technical Details

Melare is a worm that spreads over the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 6KB in length when compressed with UPX; the decompressed size is about 15KB. It is written in Visual Basic.

The worm activates from an infected e-mail only if the user opens the attached file. Note that the attachment's real .EXE extension is hidden behind a false .JPG name, so the infected .EXE file is displayed as a .JPG image (picture); when the attachment is opened, however, it runs as an ordinary EXE file. In MS Outlook 97 SP2 such attachments are blocked in the default configuration.
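The disguise described above can be caught at a mail gateway before the attachment ever reaches a user. The following is an added example, not code from the original description: it screens a set of attachments for a name whose visible part ends in an image extension while the real (last) extension is executable, and for content that begins with the Windows PE magic bytes "MZ" regardless of what the name claims. The sample attachments, their contents and the extension lists are constructed for the example.

```python
"""Screening e-mail attachments for the disguised-executable trick.

Added example; not code from the original entry. Two checks are made:
1. the last extension is executable while an earlier one looks like an image
   (the ".JPG" decoy hiding ".EXE"), and
2. the content starts with the PE magic "MZ" although the name is not
   executable.
"""
import re
from typing import Dict, List

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows PE executable


def split_extensions(name: str) -> List[str]:
    """All dotted suffixes of a file name, lower-cased and whitespace-stripped.

    Runs of spaces inside the name are removed first, so a name padded with
    blanks to push the real extension out of an attachment column still
    yields both suffixes: 'photo.jpg      .exe' -> ['.jpg', '.exe'].
    """
    collapsed = re.sub(r"\s+", "", name.lower())
    parts = collapsed.split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment (empty = clean)."""
    exts = split_extensions(name)
    real_ext = exts[-1] if exts else ""
    decoys = set(exts[:-1]) & IMAGE_EXTS
    findings: List[str] = []
    if real_ext in EXEC_EXTS:
        if decoys:
            findings.append("double extension: image name hides " + real_ext)
        else:
            findings.append("executable attachment " + real_ext)
    elif data.startswith(PE_MAGIC):
        # Content is a PE file although the extension is not executable.
        findings.append("PE content under non-executable name "
                        + (real_ext or "(no extension)"))
    return findings


def screen(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify a mapping of file name -> content; keep only flagged names."""
    result: Dict[str, List[str]] = {}
    for name, data in attachments.items():
        findings = classify_attachment(name, data)
        if findings:
            result[name] = findings
    return result


# Constructed sample attachments (contents are stand-ins, not real files).
SAMPLES: Dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # genuine JPEG header
    "holiday.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,      # classic double extension
    "picture.jpg          .exe": b"MZ\x90\x00",           # padded with spaces
    "disguised.jpg": b"MZ\x90\x00",                       # PE bytes, image name
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for flagged_name, reasons in screen(SAMPLES).items():
        print(f"{flagged_name!r}: {'; '.join(reasons)}")
```

The content check matters because the name-based rule alone is defeated by renaming; the name check matters because a client that hides known extensions shows the user only the decoy part of the name.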

The worm then installs itself into the system and runs its spreading routine and payload.

Installation
While installing, the worm copies itself to the Windows directory under the name csrss.EXE and registers this file in the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   SystemSARS32 = %WindowsDir%\csrss.EXE
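The persistence entry above can be audited offline from a registry export. The following is an added example, not code from the original description: it parses a `.reg` text export (a constructed sample is embedded), picks out the values under the `Run` keys and flags any entry whose executable is named after a core Windows process such as csrss.exe, which the operating system starts itself and which has no business in a Run key, or whose executable sits directly in the Windows directory rather than in a subdirectory. The Windows directory path `C:\WINDOWS`, the list of core process names and every value other than SystemSARS32 in the sample are assumptions made for the example.

```python
"""Audit Run-key entries from a .reg export for system-process masquerading.

Added example; not code from the original entry. The sample export below is
constructed. A .reg export doubles backslashes and escapes quotes inside
string data, which parse_reg_export() undoes.
"""
import re
from typing import List, Tuple

# Processes the OS launches itself; a Run entry naming one is suspicious.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                  "services.exe", "svchost.exe", "wininit.exe"}
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
}

# Constructed sample export (assumed paths; only SystemSARS32 comes from the
# description above).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemSARS32"="C:\\WINDOWS\\csrss.EXE"
"SoundMan"="SOUNDMAN.EXE"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

Entry = Tuple[str, str, str]   # (key path, value name, string data)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Entry]:
    """Return (key, name, data) for every REG_SZ value in a .reg text export."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    """Extract the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(" ")[0]


def audit_run_entries(entries: List[Entry], windir: str = r"C:\WINDOWS"):
    """Return [(value name, path, [reasons])] for suspicious Run entries."""
    windir_l = windir.lower().rstrip("\\")
    findings = []
    for key, name, data in entries:
        if key.upper() not in RUN_KEYS:
            continue
        path = executable_path(data)
        directory, _, base = path.rpartition("\\")
        reasons = []
        if base.lower() in CORE_PROCESSES:
            reasons.append("named after a core system process the OS starts itself")
        if directory.lower() == windir_l:
            reasons.append("executable placed directly in the Windows directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for value_name, exe, why in audit_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{value_name}: {exe}")
        for reason in why:
            print("   -", reason)
```

Against the sample the only hit is SystemSARS32, on both counts: the real csrss.exe lives under the system directory and is never registered for auto-run, so a Run value pointing at a csrss.EXE in the Windows directory root is a reliable indicator for this worm's installation.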

Spreading
To send infected messages the worm uses MS Outlook, sending a message to every address found in the Outlook address book.

Infected messages have the following attributes:

The beginning of the message body text may be covered by a “JPG attach” icon.

Payload
On the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS and *.OCX files in the current directory (in most cases this is the Windows directory).