Virus.MSWord.Melissa-based

Class Virus
Platform MSWord
Description

Technical Details


This macro virus is another “Melissa” clone. It infects
MS Word document and templates, and sends its copies in e-mail messages
using an MS Outlook application. The virus is an extremely fast infector: its
e-mail spreading routine may send many infected documents to different e-mail
addresses when the virus installs itself into the system. The virus also
has a trigger routine, changes the system registry, and disables Word macro-virus
protection.


To send its copies in e-mail messages, the virus uses VisualBasic abilities
to activate other Microsoft applications and use their routines: the virus
gets access to MS Outlook and calls its functions. The virus gets the
addresses from the Outlook database and sends to them a new message. This
massage has:



The subject:
“Fun and games from [UserName]” (UserName is variable)



Message body:
“Hi! Check out this neat doc I found on the Internet!”



The message also has an attached document (needless to say that it is
infected) – the virus attaches the document that is being edited now
(active document). As a side effect of this way of spreading, the user’s
documents (including confidential ones) can be sent out to the Internet.



The virus can send many messages: it scans the Outlook AddressBook
(address database), opens each list in it and sends up to 69 messages to
addresses from each one. If a list has less than 69 entries (e-mail
addresses), all of them are infected. The virus sends one message per each
list, and the TO: field in the message contains all addresses from this list
(up to 69), and can be rejected by anti-spam filters.
In addition, it sends another message to address “Project1@nym.alias.net”
This massage has:



The subject:
“Guess whos infected: [UserName]” (UserName is variable)



Message body:
“infected!”



This message also has an attached document that is being edited now.



The virus sends infected e-mails only one time. Before sending, the virus
checks the system registry for its ID stamp:


HKEY_CURRENT_USERSoftwareMicrosoftOfficeP1 = “Syndicate”


If this entry does not exist, the virus sends e-mails from an infected
computer, and then creates this entry in the registry. Otherwise, the virus
jumps over the e-mail routine. As a result, the virus sends infected e-mail
messages only once: on the next attempt, it locates the “P1=” entry, and
skips it.



The virus is able to spread to Office2000 (Word ver.9) documents. This
possibility is based on an Office “convertation” feature. When new a Office
version opens and loads documents and templates created by previous Word
versions, it converts data in documents to new formats. The macro-program
in files is also converted, including the virus macros. As a result, the virus
is able to replicate itself under Office2000.



The virus code contains one module with one auto-function in
“Document_Close”. The virus infects the global macros area upon infected-document closing, and spreads to other documents upon their closing. To infect
documents and templates, the virus copies its code from an infected object to
a victim one.



The virus has the comments:


W97M/Project1 by Patient Zero -(The Syndicate)- circa 1999
The Syndicate: underground to the underground.
Greets to Kwyjibo and the CodeBreakers: Hey, dont we know each other? 😉