Technische documentatie van Symantec over het Papa-virus.

The X97M.Papa.A Worm is a macro worm. The worm replicates in the form of a Microsoft Excel spreadsheet. Using the macro language in Microsoft Excel in conjunction with Microsoft Outlook, the worm sends copies of itself to email addresses configured in Outlook’s address lists. In order for this worm to self-propagate, one must have both Microsoft Excel and Microsoft Outlook installed on their computer system.

Upon opening an infected spreadsheet, the worm composes an email to the first 60 email addresses in each address list configured in Microsoft Outlook. The email contains the subject:

The body of the email contains the text:

The worm then attaches the Excel spreadsheet to the email and sends the message, propagating itself further. Such mass mailings can cause network congestion and an increase in load on email servers forcing them to be shut down.

The worm contains an additional payload with a random trigger. The payload performs a ping on two different IP addresses with a random buffer size for an indefinite amount of time potentially causing a denial of service and additional network congestion.

As always, one should practice safe computing practices and avoid opening email attachments that can contain viruses, worms, or other malicious programs. The worm will not self-propagate simply by reading your email. You must launch or run the attached Excel spreadsheet. The Excel spreadsheet attachment was originally named PASS.XLS. However, filenames are easily changeable so, the worm may spread as a different filename.

At the time of this write-up, only an Intended version of this worm was seen in the wild. The worm contains a bug that does not allow it to execute properly. However, the virus author has publicly posted the bug has been fixed. Norton Antivirus may detect both versions under the name X97M.Papa.A.Intended.

Zie ook:
www.symantec.com/avcenter/venc/data/melissa.html