W97M/Melissa.O@mm
Analysis
- Virus consists of one macro module within the class storage, which is renamed from "ThisDocument" to "x"
- Virus hooks Word event handlers, which prevents the opening or closing of infected documents
- Virus checks the registry entry HKEY_CURRENT_USER\Software\Microsoft\Office\ "x?" = "y". If the value is not set, it runs the email routine, which sends to the first 100 contact entries in the Outlook Global Address Book
- Email from infected users is in this format:
  Subject = "Duhalde Presidente "[Word User name]
  Body = " Programa de gobierno 1999 - 2004."
  Attachment = [an infected Word document file]
- Modifies the registry key as mentioned so the virus will not run the email routine again
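The outgoing-mail format described above is a stable fingerprint that a mail gateway can match on. The following Python function is an added example of such a check; it is not Fortinet's code and does not reproduce anything the virus does. It looks for the three traits the analysis lists together (the "Duhalde Presidente " subject prefix, the fixed body text, and a Word document attachment) and only flags a message when all three are present, so ordinary mail that merely mentions the phrase is not blocked. The sample messages are constructed for the example; the `.doc`/`.dot` extension list and the `example.invalid` addresses are assumptions.

```python
"""Mail-gateway indicator check for the W97M/Melissa.O@mm email format.

Added example, not Fortinet's code. Matches the three traits the analysis
lists: Subject beginning "Duhalde Presidente ", the fixed body text
"Programa de gobierno 1999 - 2004.", and a Word document attachment.
"""
from email import message_from_string

SUBJECT_PREFIX = "Duhalde Presidente "
BODY_TEXT = "Programa de gobierno 1999 - 2004."   # leading space in the original is ignored
WORD_EXTENSIONS = (".doc", ".dot")                 # assumed extensions for "Word document file"


def melissa_o_indicators(raw_message: str) -> dict:
    """Return which of the three indicators a raw RFC 822 message exhibits."""
    msg = message_from_string(raw_message)
    found = {
        "subject": (msg.get("Subject") or "").startswith(SUBJECT_PREFIX),
        "body": False,
        "word_attachment": False,
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # container only, nothing to inspect
        filename = part.get_filename()
        if filename and filename.lower().endswith(WORD_EXTENSIONS):
            found["word_attachment"] = True
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "ascii", "replace")
            if BODY_TEXT in text:
                found["body"] = True
    return found


def is_melissa_o_mail(raw_message: str) -> bool:
    """Flag only when subject, body and attachment indicators all match."""
    return all(melissa_o_indicators(raw_message).values())


# Constructed sample: the format the analysis describes, with a dummy attachment body.
SAMPLE_MAIL = """\
From: user@example.invalid
To: contact@example.invalid
Subject: Duhalde Presidente Juan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

 Programa de gobierno 1999 - 2004.
--b1
Content-Type: application/msword; name="programa.doc"
Content-Disposition: attachment; filename="programa.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign sample: mentions the campaign phrase but carries no attachment.
BENIGN_MAIL = """\
From: user@example.invalid
To: contact@example.invalid
Subject: Agenda
Content-Type: text/plain; charset="us-ascii"

Programa de gobierno 1999 - 2004. Nos vemos el lunes.
"""

if __name__ == "__main__":
    print(melissa_o_indicators(SAMPLE_MAIL), is_melissa_o_mail(SAMPLE_MAIL))
    print(melissa_o_indicators(BENIGN_MAIL), is_melissa_o_mail(BENIGN_MAIL))
```

Requiring all three indicators keeps the rule specific; a gateway that also quarantines any `.doc` attachment whose subject starts with the prefix would catch variants that change the body text, at the cost of more false positives.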
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |