What
is the Melissa.AUWorm?
Melissa.AU is a minor variant of the Melissa
virus. It is a Microsoft Word 97/2000 macro virus
that has a payload to email itself using
Microsoft Outlook.
Also known as: Elecciones2000 Worm
How
Does Melissa.AU Worm Infect My System?
This is a typical macro virus for Word 97/2000
document templates. It infects Word 97 and Word
2000 documents by adding a new VBA5 (macro)
module named Abril9_1.
This virus disables macro warnings and turns off
the security protection upon opening an infected
document in Word 2000. This disables Word 2000
macro prompts the next time the document is
opened.
This virus contains references to a presidential
election scheduled for April 9, 2000 in Peru.
When a user opens or closes an infected document,
the virus checks to see if it has done this mass
emailing before, by checking the following
registry key value:
"HKEY_CURRENT_USER\Software\Microsoft\Office\"
"Elecciones2000" = "Pacocha :-P"
If this key does not have a value of Pacocha
:-P, the virus uses MAPI calls to fetch the
user's profile. A new email message is created in
Outlook with an attached infected document. The
subject of the email is decided using the
following criteria: If the month is January
through April and the day is the 1st through the
9th, the subject line is "Elecciones 2000: ultima
encuesta Apoyo!" Any other time, it is "Urgente:
Confirmar!"
Hiding its activity
This macro virus tries to hide its activity by
disabling the following menu items:
- Tools > Macro in Word 97: By disabling this
menu command, the virus prevents any user from
listing the macro/VBA module to manually check
for infection.
- Macro > Security in Word 2000: By disabling
this menu command, it prevents the user from
changing the security level.
To hide its infection activity, it also
disables the following options in MS Word 97:
- Prompt to save Normal template
- Confirm conversion at Open
- Macro virus protection
With these options disabled, Word 97 does not
warn or prompt while saving Normal.dot or while
opening a document that contains macros.
How
to Remove the Melissa.AU Worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Melissa.AU during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps
in removing the Melissa.AU worm.
The virus turns off the macro virus
protection feature of Word 97. This can be
re-enabled by selecting Tools > Options > General
> Macro Virus Protection.
The options and menu commands that are altered by
the virus can be restored by deleting the
Normal.dot file. Word automatically creates a new
Normal.dot file when it is launched.
- Using Regedit or Norton Registry Editor, go
to HKEY_CURRENT_USER\Software\Microsoft\Office\.
- Right-click Elecciones2000 and
click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other Worms
- 'M':
| 
