Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
  ALERTS  
Viruses  

Melissa

Users with Windows 95/98/Me/NT/2000 and Macintosh operating systems are susceptible to Melissa viruses. Melissa.W is the latest variant of the original Melissa virus (Melissa.A). Melissa.W travels via e-mail in an attached Microsoft Word 2001 document called Anniv.doc, although the infected attachment can have a different file name. Melissa cannot create infected attachments under Word 95. Like Melissa.A, Melissa.W can be difficult to spot, luring the user with the seemingly friendly subject line, "Important Message From (name of infected user)."

The worm propagates by sending copies to as many as 50 e-mail addresses that have been saved in Microsoft Outlook address books. As Melissa raids the Outlook address book, it may forward confidential information from the infected user's computer to the 50 new recipients. You don't need to have Microsoft Outlook to receive the infected e-mail attachment, but only machines using Outlook (not Outlook Express) can spread the virus.

The e-mails may look like this:

From: (name of infected user)
Subject: Important Message From (name of infected user)
To: (50 names from Microsoft Outlook address book)

[body of message]
Here is that document you asked for … don't show anyone else ;-)

Attachment: Anniv.doc (the infected active document)

For further information on Melissa.W, see
http://www.europe.f-secure.com/v-descs/melissaw.shtml


The Myparty Virus

Windows users: the Myparty virus (W32/Myparty@MM) is now circulating around the Internet. If a message with the subject "New photos from my party" arrives in your mail queue, don't be fooled. The message contents direct those who receive it to go to www.myparty.yahoo.com. If you try to access this site, instead of going to what appears to be a Web address, your system will run an attached executable file that will infect your system. Although Norton Anti-Virus has not yet been updated to find and eradicate this virus, the LBNL virus wall already stops any incoming copies of messages infected with this virus. A Norton update is expected soon; be sure to update your system's antivirus software as soon as the update is available. Additionally, avoid opening message attachments and following directions in a message when you do not know who sent the message.


The MyLife Worm

W32.MyLife@mm is a mail-based worm that, if executed, sends itself to all addresses in the Microsoft Outlook address book in every system it infects. It tries to delete files with the following types of extensions: .exe, .com, .sys, .ini, .dll, and .vxd, and modifies registry entries of the victim's system.

MyLife generally arrives in a message that has the following subject: my life ohhhhhhhhhhhh

The message typically reads: Hiiiii How are youuuuuuuu? look to the digital picture it's my love vvvery verrrry ffffunny :-) my life = my car my car = my house

The attachment is usually named My Life.scr. All you need to do to infect your system is to open the attachment. If your system becomes infected, it is best to dial HELP, because eradication is complicated.

For more information, check out Symantec's profile of the MyLife Worm.
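
The subject lines and attachment names quoted in the Melissa, Myparty and MyLife alerts above can be checked mechanically at a mail gateway. The following is an added example, not code from Berkeley Lab or its virus wall; the function names, the list of executable extensions and the sample messages are assumptions constructed for illustration, including the Myparty sample's attachment name, which follows the alert's description of an attachment that appears to be a Web address.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines quoted in the alerts above.
SUBJECT_RULES = [
    ("Melissa", re.compile(r"^important message from\b", re.I)),
    ("Myparty", re.compile(r"^new photos from my party", re.I)),
    ("MyLife", re.compile(r"^my life oh+", re.I)),
]
# Attachment names quoted in the alerts (Melissa's can differ, so this is a hint only).
ATTACHMENT_NAMES = {"anniv.doc": "Melissa", "my life.scr": "MyLife"}
# Assumption: site-chosen list of extensions Windows runs when the file is opened.
EXECUTABLE_EXTS = (".scr", ".com", ".exe", ".pif")

def scan_message(raw: bytes) -> list:
    """Return findings for one RFC 822 message; an empty list means no match."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    findings += [f"subject:{label}" for label, rx in SUBJECT_RULES if rx.search(subject)]
    for part in msg.walk():  # walk() also reaches attachments nested in multiparts
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENT_NAMES:
            findings.append(f"attachment:{ATTACHMENT_NAMES[name]}")
        # A name such as "www.example.com" looks like a Web address but is a .com program.
        if name.endswith(EXECUTABLE_EXTS):
            findings.append(f"executable:{name}")
    return findings

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [("Important Message From Pat Example", "Anniv.doc"),
               ("New photos from my party!", "www.myparty.yahoo.com"),
               ("my life ohhhhhhhhhhhh", "My Life.scr"),
               ("Minutes of Tuesday's meeting", "minutes.txt")]
    for subject, filename in samples:
        print(subject, "->", scan_message(build_sample(subject, filename)))
```

Because Melissa's attachment can carry a different file name, the subject rule still fires when the attachment has been renamed; the extension check catches the Myparty and MyLife attachments even if their subject lines change.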


911 Virus

The 911 Virus is the first "Windows shares virus." Unlike recent viruses that propagate through e-mail, the 911 Virus silently reaches out from a contaminated computer directly across the Internet and jumps from machine to machine, scanning for and exploiting open Windows file and print sharing. Then, after successfully reproducing itself in these Internet-connected machines to which it has "jumped" (ensuring its continued survival), the virus uses the contaminated local machine's modem to dial 911 and then erases the local machine's hard drive.

The virus was launched through AOL, AT&T, MCI, and NetZero in the Houston area.

What should you do? For technical reasons, the immediate threat to Berkeley Lab from this particular virus is low. However, future mutations of the virus, with a more robust method of spreading across the Internet, could cause a lot of problems to the Lab. If you don't share files, file sharing should be turned off. If you do share files, it should be done properly (through specific folders, passwords, etc.) See

For further information on the 911 Virus, see http://vil.nai.com/vil/virusChar.asp?virus_k=98557.
