This has come from a pretty reliable source, his job is computers. If he passes it on, I feel comfortable passing it on to others. Gerald Melissa: I'm baaaack From: Newsbytes News Network <http://www.newsbytes.com/> By Sherman Fridman AVERT (Anti-Virus Emergency Response Team), a division of Network Associates, Inc.'s NAI Labs advised customers Thursday that it had placed two new variants of the Melissa virus on its "watch list" with an initial risk assessment of "medium." In an interview with Newsbytes, Jimmy Kuo, director of Anti-Virus Research at NAI Labs, said that the he believes that the virus broke out last Friday or Saturday as that's when the first reports began to arrive. To date there have been 10 distinct reports of the virus and while he has not read them all, Kuo said that so far the virus has appeared in the Netherlands, France, Canada and Australia. Kuo was not aware of any reports of the virus in the United States. Although these new variants of the Melissa virus can be caught by anti-virus software employing heuristic scanning methods, they do spread rapidly via e-mail, causing the deletion of data; that's the reason for the medium risk assessment rating. These Melissa variants activate when an infected document, which usually arrives via e-mail, is opened. According to information released by Network Associates, the subject line will be "pictures" in the case of the variant known as Melissa.U, and "My Pictures" in the case of Melissa.V. In both cases, the sender's registered Word97 or Word2000 username, if available, will follow in the subject line. The body of the e-mail will be "what's up?" in the case of Melissa.U, and will be blank in the case of Melissa.V. Also, in both cases, the virus arrives in the form of an infected Word Attachment, which is a duplicate of the infected Word document opened by the sender to trigger the virus' spread. When the Word document is opened on an uninfected PC, the virus will infect Word's global template, NORMAL.DOT, infecting all future Word documents. On occasion, in the case of Melissa.U, infected documents will have the message "Please Check Outlook Inbox Mail" inserted into them. In the case of Melissa.V, a pop-up message box containing the text "Please Check Your Outlook Inbox Email!" will appear. After the victim presses "OK," text is then inserted into the open document. The viruses behave differently after the NORMAL.DOC template has been infected. Melissa.U will invoke a MAPI e-mail client and send itself to the first four e-mail addresses in the Address Book, which can include distribution lists. It will then attempt to delete these system files in order to make the user's system inoperable: c:/command.com, c:/io.sys, c:/Ntdetect.com, c:/Suhdlog.dat, and d:/Suhdlog.dat. Melissa.V similarly invokes a MAPI client -- such as Outlook or Outlook Express -- and sends itself to the first 40 addresses in the Address Book. It then attempts to delete files and directories in the root of mapped drives with the following letters sequentially in this order: M,N,O,P,Q,S,F,I,X,Z,H,L. As with ExploreZip.Worm, one infection within a large organization can cause loss of many of the organization's files through the virus' actions on mapped drives. Networks Associates, <http://www.nai.com>, claims that its McAfee Total Virus Defense product can detect and clean the Melissa.U and Melissa.V variants. Kuo said that AVERT, the anti-virus research division of NAI Labs, currently employs more than 85 virus researchers and maintains labs on five continents. In addition to studying new and existing security threats, AVERT serves as a global resource for virus information and provides "follow-the-sun" support for virus emergencies worldwide. Copyright © 1999, Newsbytes News Network LLC. All rights reserved.