Win32.Melare.A@mm

( N/A )
Ausbreitung : high
Schaden : low
Size: 6 KB
Entdeckt : 2005 May 30

SYMPTOMS:

  • The registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE ;
  • The file csrss.EXE in the Windows folder.
    •

    TECHNICAL DESCRIPTION:

    Win32.Melare.A@mm was written in Visual Basic 6 and compressed with UPX. It spreads by sending a large number of emails to the user's contacts. It uses Outlook to spread.

    The emails it sends look like this:

    Subject: Alert! SARS Is being Spread!
    Body: Hi!, This is a beta test SARS. Please check an attachment!
    Attachment: a.exe



    When run, the virus will drop a copy in the Windows folder, named csrss.EXE and create the registry entry above in order for it to be run at start-up. It will then send the emails in the format described above.

    Removal instructions:

  • Using BitDefender:
    1. If you don't have BitDefender installed click here to download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Make the following changes in the windows registry:

      Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;

      2. Delete the following key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemSARS32 = %windir%\csrss.EXE

    4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Melare.A@mm.


  • Using free removal tool:

    The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiMelare tool does the following:
  • it deletes the files infected with Win32.Melare.A@mm;

  • it kills the process from memory;

  • it repairs the Windows registry.
    •

    ANALYZED BY:

    Bogdan Dragu BitDefender Virus Researcher