Melare is a worm virus spreading via the Internet as an e-mail attachment. The worm itself is a Windows PE EXE file about 6KB in length when compressed by UPX, the decompressed size is about 15KB. It is written in Visual Basic.
The worm activates from infected email only if a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG name. As a result the infected .EXE file is displayed as a .JPG image file (picture), though upon opening this attachment it is executed as true EXE file. When launched from MS Outlook 97 SP2 such attached files are blocked (in the default mode).
The worm then installs itself into the system, runs its spreading routine and payload.
HKLMSoftwareMicrosoftWindowsCurrentVersionRun SystemSARS32 = %WindowsDir%csrss.EXE
Infected messages have the following attributes:
The beginning of the message body text may be covered by a “JPG attach” icon.