VirusW97M/Melissa.O@mm
Analysis
- Virus consists of one macro module within the class
storage, which is renamed from "ThisDocument"
to "x"
- Virus hooks Word event handlers which prevents
the opening or closing of infected documents
- Virus checks registry entry
HKEY_CURRENT_USER\Software\Microsoft\Office\
"x?" = "y"If the value is not set, it runs the email routine which sends to first 100 contact entries in the Global address book of Outlook
- Email from infected users in this format-
Subject = "Duhalde Presidente "[Word User name]
Body = " Programa de gobierno 1999 - 2004."
Attachment = [an infected Word document file] -
Modifies the registry key as mentioned so the virus will not run the email routine again
- Email from infected users in this format-
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |