If Microsoft Mail is running, the virus attempts to send e-mail
messages to three random people listed in the local MSMail alias list.
The subject of the messages will be
You have GOT to see this!
The message will contain no text, only a file attachment called
DOC1.DOC, which is infected by the virus. The document itself is the
document that user happened to have open when the virus activated.
If the receiver double-clicks on the attachment, he will get infected
by the virus and will spread the infection further with his own MSMail.
Thus, ShareFun can be considered to be mix between a macro virus and
an automatic chain letter.
Do notice that this is not an "e-mail virus". You do not get infected
by just reading e-mail - you need to actively use an attachment file
and you should always approach attachment files with caution.
ShareFun also has code to protect itself. If a user tries to analyze a
sample of the virus via Tools/Macro or File/Templates menus, the virus
will execute and infect the NORMAL.DOT template.
ShareFun was found in the wild from USA in February 1997.
[Analysis: Mikko Hypponen, F-Secure]