W97M/Melissa.A@mm
Analysis
- Virus consists of one macro module within the class storage, which is renamed from "ThisDocument" to "Melissa"
- Virus hooks Word event handlers which prevents the opening or closing of infected documents
- Virus checks the registry entry
  HKEY_CURRENT_USER\Software\Microsoft\Office\
  "Melissa?" = "... by Kwyjibo"
  If the value is not set, it runs the email routine, which sends to the first 50 contact entries in the Global address book of Outlook
- Email from infected users is in this format:
  Subject = "Important Message From "[Word User name]
  Body = "Here is that document you asked for ... don't show anyone else ;-)"
  Attachment = [an infected Word document file]
- Modifies the registry key as mentioned so the virus will not run the email routine again
- Virus contains these comment lines at the end of the code:
  'WORD/Melissa written by Kwyjibo
  'Works in both Word 2000 and Word 97
  'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
  'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
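
The mail format described above can be matched at a mail gateway or during triage of a mailbox export. The following is an added example, not the vendor's detection logic: the function names, the `.doc`/`.dot` extension list and both sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Strings taken from the analysis above; the extension list is an assumption.
SUBJECT_PREFIX = "Important Message From "
BODY_PHRASE = "Here is that document you asked for ... don't show anyone else ;-)"
WORD_EXTENSIONS = (".doc", ".dot")

def melissa_indicators(raw_message: str) -> dict:
    """Return which of the three described mail traits a raw message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    # Collapse whitespace so a line-wrapped body still matches the phrase.
    body = " ".join(part.get_content().split()) if part else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": BODY_PHRASE in body,
        "word_attachment": any(n.endswith(WORD_EXTENSIONS) for n in names),
    }

def is_melissa_like(raw_message: str) -> bool:
    """Flag only when all three traits are present, to limit false positives."""
    return all(melissa_indicators(raw_message).values())

def build_sample(subject, body, attachment_name=None) -> str:
    """Construct a test message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_string()

SUSPECT = build_sample("Important Message From Alice Example", BODY_PHRASE, "sample.doc")
BENIGN = build_sample("Important Message From HR", "Meeting moved to 3pm.")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, melissa_indicators(raw), is_melissa_like(raw))
```

The subject prefix alone also matches ordinary mail, as the second sample shows, so the verdict requires all three traits together.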
Detection Availability
FortiGate | Extreme
---|---
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |