, Worm/Melare, Win32/[email protected]
, WORM_MELARE.A, Win32/Melare.A
Email-Worm.Win32.Melare, I-Worm.Melare, W32/[email protected]
, Win32.HLLM.Generic.88, W32/Melare-A
Category: Computer Worm
Active & Spreading
19 May 2003
The mass mailing Worm [email protected]
harvests the contents of the Windows Address Book to send spam messages. The emails normally contain the subject "Alert! SARS is being spread". The message body prompts the user to launch the a.exe attachment file which will launch the malware into the attacked system.
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected]
from your computer.
The [email protected]
malware like most Worm variants requires the recipient of the spiked email message to click on the attachment file to activate its payload. To further its deception, the executable file is hidden behind a JPG format image file in an attempt to fool the recipient that the attachment is a harmless picture. When the picture is opened, the executable file is launched and the infection is initiated in the target computer system. The csrss.exe file is extracted into the Windows directory and a relevant key is generated in the Windows Registry. The key allows the [email protected]
Worm to launch automatically at every reboot or startup instance of the machine.
An additional payload that has been identified with this particular malware is the possibility of deleting files using the OCX, NLS, and DLL file extensions. These files normally reside under the Windows directory where the main executable of the malware is also stored. The process of deleting the files was observed to occur monthly during the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th. To manually remove the [email protected]
malware, the system has to run in Safe Mode. The Registry Editor must be used to remove the keys it added to prevent automatic loading on startup. The other files associated with this malware must also be deleted under this mode. Check the MSCOFIG startup tab to make sure there are no other startup entries. Once all remnants of the malware are removed, the system can be restarted normally.