Name: Win32.Melare.A@mm
Aliases: N/A
Type: Executable Mass Mailer
Size: 6 KB
Discovered: 19.05.2003
Detected: 19.05.2003
Spreading: High
Damage: Low
In The Wild: Yes

Symptoms:


The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE ;

The file csrss.EXE in the Windows folder.
Technical description:
Win32.Melare.A@mm was written in Visual Basic 6 and compressed with UPX. It spreads by sending a large number of emails to the user's contacts. It uses Outlook to spread.

The emails it sends look like this:

Subject: Alert! SARS Is being Spread!
Body: Hi!, This is a beta test SARS. Please check an attachment!
Attachment:a.exe




When run, the virus will drop a copy in the Windows folder, named "csrss.EXE" and create the registry entry above in order for it to be run at start-up. It will then send the emails in the format described above.

Removal instructions:


Manual Removal:
Remove the registry entry described above; restart the machine and delete the file csrss.EXE in the Windows folder (not the Windows System folder!).


Automatic Update:
Let BitDefender delete infected files.