McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

W32/Melare@MM

This page shows details and results of our analysis on the malware W32/Melare@MM

Threat Detail

Malware Type: Virus

Malware Sub-type: N/A

Discovery Date: 2003-05-17

Next Steps:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4266 (2003-05-21)

Updated DAT

4266 (2003-05-21)

 Minimum Engine

5.1.00

File Length

6,144 Bytes

Description Added

2003-05-17

Description Modified

2003-05-22

Malware Proliferation

Characteristics

This detection is for a simple mass-mailing worm written in Visual Basic.

Proactive detection: The worm has been proactively detected as "virus or variant New Worm" with the 4174 DATs or greater (with scanning of compressed files enabled). Products running the 4.2.40 engine with the 4253 DATs or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).

Mail Propagation

The worm sends itself to recipients listed in the Outlook address book, using Outlook to construct outgoing messages. It mails recipients repeatedly. Such messages have the following characteristics:

Subject: Alert! SARS Is being Spread!

Body: Hi!, This is a beta test SARS. Please check an attachment!

Attachment: filename of EXE run, e.g. CSRSS.EXE, A.EXE (6,144 bytes) (may be apparent as SARS_IMAGE.JPG)

The attachment is labelled as "SARS_IMAGE.JPG" within the Outlook message (viewed as messages are sent). When the message is viewed via Outlook, this may be the apparent filename. However, if the file is saved to disk, the filename will default to A.EXE.

An example message recevied via a non-Exchange based environment is shown below:

(where A.EXE is the filename of the worm initially run on the machine.)

Installation

The worm installs itself onto the victim machine as:

%WinDir%\CSRSS.EXE

(where %WinDir% represents the Windows directory)

The following Registry key is set to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SystemSARS32" = C:\WINDOWS\CSRSS.EXE

Symptoms

An infected system will have the Registry hook detailed above, coupled with the copy of the worm in the Windows directory.

Method of Infection

The worm spreads via mailing itself to recipients listed in the Outlook address book, using Outlook to construct outgoing messages.

The worm also delivers a destructive payload, deleting files on certain dates when it is executed. Files matching the following masks are targetted (in the same directory as the worm):

  • *.DLL
  • *.NLS
  • *.OCX

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

United States - English