Type: Executable Mass Mailer
Size: 6 KB
In The Wild: Yes
The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE ;
The file csrss.EXE in the Windows folder.
Win32.Melare.A@mm was written in Visual Basic 6 and compressed with UPX. It spreads by sending a large number of emails to the user's contacts. It uses Outlook to spread.
The emails it sends look like this:
Subject: Alert! SARS Is being Spread!
Body: Hi!, This is a beta test SARS. Please check an attachment!
When run, the virus will drop a copy in the Windows folder, named "csrss.EXE" and create the registry entry above in order for it to be run at start-up. It will then send the emails in the format described above.
Remove the registry entry described above; restart the machine and delete the file csrss.EXE in the Windows folder (not the Windows System folder!).
Let BitDefender delete infected files.