
New Melissa Hybrid Virus Uncovered
25th November 1999 (Computime)

One surprise that will definitely be naughty, not nice, this Christmas is the new Melissa virus hybrid just announced by AVERT (Anti-virus Emergency Response Team), a division of NAI Labs at Network Associates Inc. The virus is self-propagating and has been given a risk assessment of "Medium-On-Watch". This new virus, named W97M/Prilissa, is a Word 97 macro virus that combines characteristics of the PRI virus (a Word 97 virus with many variations) with the spreading power of the original Melissa virus to deliver a malicious payload that completely reformats a user's hard drive on Dec 25. This means all the data that was on the hard drive is erased.

Vincent Gullotto, director of AVERT, said as of Monday, the Prilissa virus has been reported in Europe, Australia and the United States. He added that the new hybrid is highly destructive, but that at the moment, it was not too prevalent, thereby accounting for its "Medium-On-Watch" rating. According to AVERT, the virus arrives via an e-mail with a subject line that reads, 'Message From'. The body text reads, 'This document is very important and you've GOT to read this!!!!!' A Word document is attached.

Once the document is opened, the infection takes place. Users will know that their PC has been infected from the presence of random characters and objects (for example, multi-coloured lines, shapes and letters) in open Word documents. Word 97 users will also see a dialog box reading, "(C) 199 - cyberNET Vine... Vide... Vice... Moslem Power Never End... You dare Rise Against Me... The Human era is Over..., The CyberNET Era has Come111[OK]"

The Prilissa virus is activated by opening an infected Word document. Upon arrival in a Windows 95 or Windows 98 environment, the virus will utilise the "ThisDocument" stream, or class module, of a document or template during its infection routine. The virus will then select the active Word document, possibly exposing confidential information, and send an e-mail with the infected document via Microsoft Outlook to the first 50 people in every address book the user maintains. The last step in the routine requires the virus to modify the user's registry. With this modification, Prilissa runs a destructive payload on Dec 25 of any year and overwrites the existing c:\AUTOEXEC.BAT. The next time the user reboots, the new AUTOEXEC.BAT will reformat the C drive, erasing all data.
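
The e-mail indicators AVERT describes above (subject line, body text, attached Word document) can be checked at a mail gateway. The following is an added example, not part of the original article or any vendor's tooling; the function names, the "subject starts with" rule and the .doc/.dot extensions are assumptions, and the sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators as quoted in this article; the matching rules are assumptions.
SUBJECT_PREFIX = "message from"            # assumed: subject starts with this
BODY_RE = re.compile(                      # "." tolerates apostrophe variants
    r"this document is very important and you.ve got to read this", re.I)
WORD_EXTS = (".doc", ".dot")               # assumed Word 97 file extensions

def prilissa_indicators(raw_bytes):
    """Return which of the article's indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if BODY_RE.search(" ".join(text.split())):   # collapse wrapped lines
        hits.append("body")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(WORD_EXTS) for n in names):
        hits.append("word-attachment")
    return hits

def triage(raw_bytes):
    """quarantine on all three indicators, review on any, otherwise pass."""
    hits = prilissa_indicators(raw_bytes)
    return "quarantine" if len(hits) == 3 else "review" if hits else "pass"

def build_sample(subject, body, attachment=None):
    """Construct a test message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Message From Alice", "This document is very important "
                        "and you've GOT to read this!!!!!", "minutes.doc")
    print(triage(lure), prilissa_indicators(lure))
    print(triage(build_sample("Lunch", "See you at noon")))
```

A subject or attachment match alone is common in legitimate mail, which is why only the full combination is quarantined and partial matches are sent for review.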

Network Associates said current versions of its McAfee VirusScan software will detect the new Prilissa virus. Symantec Corp also announced that users of its Norton AntiVirus are automatically protected against the new virus.

More information is available from http://www.nai.com, http://www.McAfee.com and http://www.symantec.com/avcenter/download.html.

