IJMC Melissa, Meet Your Ugly Twin, Prilissa

You had to figure it would return. Mutated and twisted and uglier than 
your third cousin at the family reunion...Melissa returns for another 
tromp through the virus scanners. So, watch out, be careful, switch to 
Lotus or some other real Office suite...dump that bloated excuse for an 
email client, Outlook...or, make sure your mouse wears protection when 
you surf and email. Prilissa is here and she wants to dance with your 
hard drive. Be safe...or have a good backup.                      -dave




We just received a notice about a new virus discovered on 11/17/99.  We
wanted to make it known to you, our friends, so that you too can be on the
lookout for it and protect your system.  Keeping each other informed is
one of the first steps in stopping the sick people who create these
viruses.  Go to your own personal virus protection company for more
information. 


  KEY WORDS TO WATCH FOR:
  Subject line "Message From " (Office97 UserName) and a message body of
  "This document is very Important and  you've GOT to read this !!!".

  SITES WITH MORE INFORMATION:
  http://vil.nai.com/vil/vm10441.asp
  http://www.mcafee.com

  VIRUS INFORMATION:
  Virus Name:  W97M/Prilissa
  Date Added:  11/17/99

Virus Characteristics

This is a virus for Word 97 documents. It is able to replicate under the
SR-1 release of Word 97, and it turns off the macro warning feature of
Word 97. The virus uses the "ThisDocument" stream, or class module, of a
document or template during its infection routine. It is a copy-cat of the
W97M/Melissa.a virus and carries a payload that sends the infected file via
MS Outlook. A second payload is date activated (December 25th): it
reformats the hard drive (on Windows 9x systems) and overlays the active
document with random shapes. Because the overlay is a technique copied from
the W97M/Pri virus, the name is a combination of W97M/Melissa and W97M/Pri,
hence W97M/Prilissa.

This virus hooks the system event of opening documents in Word97 through
the subroutine "Document_Open", thereby running its code. After infection,
it also hooks the closing of documents through the subroutine
"Document_Close" in the global template.

This virus checks for the existence of a registry key as a self-check to
verify whether the local system has already been infected. The key is:

                    "HKEY_CURRENT_USER\Software\Microsoft\Office\"
                    "CyberNET"="(C)1999 - Indonesia by AnomOke!"

If this key is not found, the virus code uses VBA instructions to create a
MS Outlook email message with the subject line "Message From " (Office97
UserName) and a message body of "This document is very Important and
you've GOT to read this !!!". The first 50 listings from all available
address books are selected as the recipient - the message is then sent
with an attachment of the infected document. 

Lastly, the virus code creates the registry key.

If the key already exists, the email propagation is not repeated.

If the date is December 25th (any year), the virus runs a destructive
payload to overwrite the existing C:\AUTOEXEC.BAT file with the following
instructions: 

                    "@echo off"
                    "@echo Vine...Vide...Vice...Moslem Power Never End."
                    "@echo Your Computer Have Just Been Terminated By
                    -= CyberNET =- Virus !!!"
                    "ctty nul"
                    "format c: /autotest /q /u"

Since the AUTOEXEC.BAT is not used on Windows NT, this payload is not
applicable to that operating system. The next reboot of the computer will
run the AUTOEXEC.BAT file causing an unconditional automated format of the
hard drive. 

Also, a message box is displayed within Word97 with the following text:

                    (C) 1999 - CyberNET
                    Vine... Vide... Vice...Moslem Power Never End...
                    You Dare Rise Against Me... The Human Era is
                    Over, The CyberNET Era Has Come!!!
                    [OK]

After the OK button in the dialogue box is clicked, a random number of
objects of random color, size and type fill the document as an overlay.
The W97M/Pri virus uses the same overlay.

Indications Of Infection
A macro warning when opening an infected document, and an increase in the
size of the global template. Messages on screen as mentioned above. Email
propagation as mentioned above.

Method Of Infection
Opening an infected document will infect the global template, normal.dot.
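
Added example (not part of the original advisory or of any vendor's
tooling): a Python sketch that checks one mail message and the text of an
AUTOEXEC.BAT file for the indicators quoted above. The sample message,
addresses, attachment name and function names are constructed for
illustration.

```python
import re
from email import message_from_string

# Indicators quoted in the advisory above.
SUBJECT_RE = re.compile(r"^Message From \S")
BODY_RE = re.compile(r"This document is very Important and\s+you've GOT to read this")
FORMAT_RE = re.compile(r"^\s*@?format\s+c:.*(/autotest|/u)\b", re.IGNORECASE)

# Constructed sample inputs (not captured from a real infection).
SAMPLE_MAIL = """\
From: alice@example.test
Subject: Message From Alice Example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This document is very Important and you've GOT to read this !!!
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
SAMPLE_AUTOEXEC = "@echo off\nctty nul\nformat c: /autotest /q /u\n"


def check_message(raw):
    """Return the advisory indicators matched by one RFC 822 message."""
    msg = message_from_string(raw)
    hits = ["subject"] if SUBJECT_RE.search(msg.get("Subject", "")) else []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower().endswith((".doc", ".dot")):
            hits.append("word-attachment")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_RE.search(text):
                hits.append("body")
    return hits


def check_autoexec(text):
    """Return AUTOEXEC.BAT lines that would format C: as described."""
    return [ln.strip() for ln in text.splitlines() if FORMAT_RE.search(ln)]
```

A lone "word-attachment" hit is ordinary mail; treat a message as suspect
only when "subject" or "body" also matches.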


IJMC November 1999 Archives