W32/Melo-C is a worm for the Windows platform.
When first run, W32/Melo-C copies itself to:
<Root>\AUTOEXEC.BAT.exe
<Root>\CONFIG.SYS.exe
<System>\drivers\etc\jesse.exe
and creates the following files:
<Root>\Autor.txt
<System>\Antlist.bat
The files Autor.txt and Antlist.bat can be deleted.
The following registry entry is created to run jesse.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
a
<System>\drivers\etc\jesse.exe
W32/Melo-C disables use of the Task Manager by creating the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
disabletaskmgr
1
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\day\number\
HKCU\Software\VB and VBA Program Settings\ok\jessy\
W32/Melo-C monitors active windows. When it finds a window indicating that a Hotmail email message is being composed in Microsoft Internet Explorer, it appends one of the following links to the message in order to encourage the recipient to download another copy of the worm from the Internet:
"jaja look a that video <link to worm>"
"mira este video <link to worm> jaja"
W32/Melo-C will also check for the presence of windows of Spanish-language versions of System Restore ("Restaurar sistema"), Control Panel ("Panel de control"), Task Manager ("Administrador de tareas de Windows") and Regedit ("Editor del Registro") and close them if it finds them.
W32/Melo-C deletes all normal files in the top folder of the A: and C: drives, replacing them with copies of itself whose filename is the original filename plus an additional EXE extension.
The worm displays the following fake error message box:
Caption:
System Failure
Message:
No se pueden abrir archivos debido a la falta de un componente
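
The file and registry indicators listed above can be checked against triage data collected from a host. The following is an added example, not part of the original description: it assumes <Root> resolves to C:\ and <System> to C:\Windows\System32, that the replacement copies are byte-identical, and that the file listing and HKCU values have already been exported; the function names, sample paths and hashes are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: the advisory's <Root> and <System> placeholders resolve to these.
ROOT, SYSTEM = "c:\\", "c:\\windows\\system32"
DROPPED = {ROOT + "autoexec.bat.exe", ROOT + "config.sys.exe", ROOT + "autor.txt",
           SYSTEM + "\\drivers\\etc\\jesse.exe", SYSTEM + "\\antlist.bat"}
CV = "hkcu\\software\\microsoft\\windows\\currentversion"
RUN_KEY, POL_KEY = CV + "\\run", CV + "\\policies\\system"
VB = "hkcu\\software\\vb and vba program settings"
VB_KEYS = (VB + "\\day\\number", VB + "\\ok\\jessy")

def is_root_double_ext(path):
    """True for name.ext.exe directly in the root of A: or C:."""
    head, name = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(name)
    return head in ("a:\\", "c:\\") and ext == ".exe" and ntpath.splitext(stem)[1] != ""

def scan(files, registry):
    """files: [(path, sha256)], registry: {(key, value_name): data} -> findings."""
    findings, by_hash = [], defaultdict(list)
    for path, digest in files:
        if path.lower() in DROPPED:
            findings.append(("dropped_file", path))
        if is_root_double_ext(path):
            by_hash[digest].append(path)
    # Assumption: replacement copies are byte-identical, so they share a hash.
    for paths in by_hash.values():
        if len(paths) >= 2:
            findings.append(("identical_double_ext_copies", sorted(paths)))
    # Registry key and value names are case-insensitive on Windows.
    reg = {(k.lower().rstrip("\\"), v.lower()): d for (k, v), d in registry.items()}
    run_a = str(reg.get((RUN_KEY, "a"), ""))
    if run_a.lower().endswith("\\drivers\\etc\\jesse.exe"):
        findings.append(("run_key_persistence", run_a))
    if str(reg.get((POL_KEY, "disabletaskmgr"), "")) == "1":
        findings.append(("task_manager_disabled", POL_KEY))
    findings += [("vb_settings_key", k) for k in VB_KEYS if any(r[0] == k for r in reg)]
    return findings

# Constructed triage data (file listing with placeholder hashes, HKCU values).
SAMPLE_FILES = [("C:\\AUTOEXEC.BAT.exe", "hash-A"), ("C:\\boot.ini.exe", "hash-A"),
                ("C:\\Windows\\System32\\drivers\\etc\\jesse.exe", "hash-A"),
                ("C:\\setup.exe", "hash-B")]
SAMPLE_REG = {
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "a"):
        "C:\\Windows\\System32\\drivers\\etc\\jesse.exe",
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "disabletaskmgr"): 1,
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, SAMPLE_REG):
        print(finding)
```

A lone double-extension file in the drive root is only counted when a second file with the same hash sits beside it, which keeps single legitimately named files from being flagged.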