Results 1 to 2 of 2

Thread: New worm (Win32.Melare.A@mm)

  1. #1

    New worm (Win32.Melare.A@mm)

    Name: Win32.Melare.A@mm
    Aliases: N/A
    Type: Executable Mass Mailer
    Size: 6 KB
    Discovered: 19.05.2003
    Detected: 19.05.2003
    Spreading: High
    Damage: Low
    In The Wild: Yes


    The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE ;

    The file csrss.EXE in the Windows folder.
    Technical description:
    Win32.Melare.A@mm was written in Visual Basic 6 and compressed with UPX. It spreads by sending a large number of emails to the user's contacts. It uses Outlook to spread.

    The emails it sends look like this:

    Subject: Alert! SARS Is being Spread!
    Body: Hi!, This is a beta test SARS. Please check an attachment!

    When run, the virus will drop a copy in the Windows folder, named "csrss.EXE" and create the registry entry above in order for it to be run at start-up. It will then send the emails in the format described above.

    Removal instructions:

    Manual Removal:
    Remove the registry entry described above; restart the machine and delete the file csrss.EXE in the Windows folder (not the Windows System folder!).

    Automatic Update:
    Let BitDefender delete infected files.
    That was all folks!

  2. #2
    Join Date
    Mar 2003
    thanks Support, glad to c someone gets out of bed early to sus these things out

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts