-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                      AL-2000.07  --  AUSCERT ALERT
                            Resume Macro Worm
                               28 May 2000

===========================================================================

PROBLEM:  

	AusCERT has received information of a new variant of the Melissa
	Macro Worm known as W97M.Melissa.BG, ResumeWorm, or W97M.Resume.A.
	This variant attempts to delete crucial system files and all files
	on attached drives the infected user currently has access to.
	The worm propagates itself via e-mail by mailing itself to everyone
	in the Microsoft Outlook Address Book.  In it's current form the
	worm transmits itself in e-mail with a subject of "Resume - Janet
	Simons".  As is typical with this type of incident, there are
	generally numerous mutations of this worm for several weeks
	afterwards.  AusCERT recommends a heightened state of awareness
	and caution with any e-mail attachments that are received in the
	next few weeks.

	AusCERT has received no direct reports of infection among member
	sites within Australia or New Zealand, however we are aware of
	reports of the worm from collaborating security organisations in
	other countries.  We are issuing this warning to draw members'
	attention to the potential for release within Australia and New
	Zealand.

IMPACT:   

	The worm may delete crucial system and data files making systems
	unstable or unusable.  In addition, mail servers may suffer
	increased load as the worm propagates making those servers unstable
	or unusable.  An infected organisation's profile may also be
	damaged due to the organisation being seen as one of the
	propagators of the worm.

RECOMMENDATIONS: 

	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defenses and either delete or do not open any email messages or
	attachments that resemble the e-mail listed above.

        B. Update Anti-Virus Packages

	System Administrators and Users are urged to ensure that the latest
	Anti-Virus software is installed and it is using the most current
	up-to-date virus databases.

	More information can be found at:

    	  http://www.sarc.com/avcenter/venc/data/w97m.melissa.bg.html
	  http://vil.nai.com/villib/dispvirus.asp?virus_k=98661
          http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=W97M_RESUME.A
	  http://www.nipc.gov/alert00-045.htm

	In addition, the following Microsoft update may be beneficial to
	Outlook users and administrators - "Protect Against Viruses with
	the Outlook E-mail Security Update":

	  http://officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm

	AusCERT is continuing to monitor this problem. 

- ---------------------------------------------------------------------------
For more information contact please contact your anti-virus vendor.
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOXXWJyh9+71yA2DNAQGwlwQAlBKbv5Z/yQ7XD9i0wBjJC0pcUj1092/A
HwQYgBzGaHdzLT17KJocpdHq27CvQGv3KkjUr5m7ZPOErQAP3bRzyVWG3uMsayer
nFYx+QeypcO8hTH+f26bCasGSUEQ8Itxw/KSdV/32BTEfE9BLcfUrOxD3ZCuwugS
NjJ2taVeLps=
=b9Xl
-----END PGP SIGNATURE-----