New worm (Win32.Melare.A@mm)
Results 1 to 2 of 2

Thread: New worm (Win32.Melare.A@mm)

  1. #1

    New worm (Win32.Melare.A@mm)

    Name: Win32.Melare.A@mm
    Aliases: N/A
    Type: Executable Mass Mailer
    Size: 6 KB
    Discovered: 19.05.2003
    Detected: 19.05.2003
    Spreading: High
    Damage: Low
    In The Wild: Yes

    Symptoms:


    The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE ;

    The file csrss.EXE in the Windows folder.
    Technical description:
    Win32.Melare.A@mm was written in Visual Basic 6 and compressed with UPX. It spreads by sending a large number of emails to the user's contacts. It uses Outlook to spread.

    The emails it sends look like this:

    Subject: Alert! SARS Is being Spread!
    Body: Hi!, This is a beta test SARS. Please check an attachment!
    Attachment:a.exe




    When run, the virus will drop a copy in the Windows folder, named "csrss.EXE" and create the registry entry above in order for it to be run at start-up. It will then send the emails in the format described above.

    Removal instructions:


    Manual Removal:
    Remove the registry entry described above; restart the machine and delete the file csrss.EXE in the Windows folder (not the Windows System folder!).


    Automatic Update:
    Let BitDefender delete infected files.
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  2. #2
    Banned
    Join Date
    Mar 2003
    Posts
    89
    thanks Support, glad to c someone gets out of bed early to sus these things out

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •