The Melissa Virus

What is it

• The Melissa virus was first detected on March 26, 1999. It is a Microsoft Word macro virus delivered as an E-mail attachment. When the attachment, "list.doc" is opened the virus searches the Microsoft Outlook address book and delivers the following message to the first 50 names:
  Subject: Important Message From infected user's name
  Body: Here is that document you asked for... don't show anyone else ;-) The virus proliferates itself as users open the attachment.
  • Microsoft Melissa virus alert
  • Ciac Information Bulletin
  • CERT Advisory

More Details

• The message appears to come from the person just infected, of course, since it really is sent from that machine. This means that when you get an "infected" message it will probably appear to come from someone you know and deal with. The subject line is "Important Message From: [name of sender]" with the name taken from the registration settings in Word. The text of the body states "Here is that document you asked for ... don't show anyone else ;-)". Thus, the message is easily identifiable: that subject line, the very brief message, and an attached Word document (file with a .doc extension to the filename).
• If you receive a message of this form DO NOT OPEN THE DOCUMENT WITH WORD!
• If you do not have alternate means or competent virus assistance, the best recourse is to delete the message, and attachment, and to send a message to the sender alerting them to the fact that they are, very likely, infected.
• Do not start a panic by sending warnings to everyone who sends you any message with an attachment.
  • ZDNet What Does the Melissa Virus Do?
  • CERT Melissa Virus FAQ

Who is affected

• Anyone who uses Microsoft Word 97 or Word 2000 with Microsoft Outlook 97, 98 or 2000. The Melissa virus can infect your copy of Microsoft Word as well as any subsequent Word documents you create, change your Word settings to make it easier for your computer to be infected by this and future macro viruses, and use your copy of Outlook to E-mail Melissa-infected Word files to 50 of your friends.
• Anyone who uses Microsoft Word 97 or Word 2000 with any other E-mail program. While the Melissa virus will not automatically redistribute itself to your friends through your E-mail program, the Melissa virus can still infect your copy of Microsoft Word as well as any subsequent Word documents you may create, and it can also change your Word settings to make it easier for your computer to be infected by this and future macro viruses. Once your computer is infected with the Melissa virus, any subsequent Word file you create and then share with others -- via E-mail, floppy disk, FTP, and so on -- will contain the Melissa virus.
• If you don't use Word, you are safe. Completely safe. If you need to look at MS Word documents, there is a free document viewer available. This viewer will not execute macros, so it is safe from infection.
• The virus also will not invoke the mailout on Mac systems, but definitely can be stored and resent from Macs.

Technical notes

• The virus is spread, of course, by infected Word documents. What has made it the "bug du jour" is that it spreads *itself* via email. We have known about viruses being spread as attachments to email for a long time, and have been warning people not to execute attachments (or read Word documents sent as attachments) if you don't know where they came from. Happy99 is a good example: it has spread very widely in the past month by sending itself out as an email attachment whenever it infects a system.
• Since it is a macro virus, it will infect your NORMAL.DOT, and will infect all documents thereafter. The macro within NORMAL.DOT is "Document_Close()" so that any document that is worked on will be infected when it is closed. When a document is infected the macro inserted is "Document_Open()" so that the macro runs when the document is opened.

Future developments?

• As with any Word macro virus, the source code travels with the infection, and it will be very easy to create modifications to Melissa. We will, no doubt very soon, start seeing many Melissa variants with different subjects and messages. There is already one similar Excel macro virus, called "Papa."
• Any Word document can be infected, and that an infected user may unintentionally send you an infected document. All Word documents, and indeed all Office files, should be checked for infection before you load them.

What to do to protect yourself

• A number of fixes for mail servers and mail filtering systems have been devised very quickly. However, note that not all of these have fully tested or debugged.
  • Sendmail block melissa
  • ZDNet's ByeMelissa
• Launch Word and turn on Macro Virus Protection.
  • Protect Your Microsoft Office Data from Viruses
  • McAfee free macro anti-virus techniques
• Update your virus definitions: every major antivirus software manufacturer has released a virus update that recognizes and removes the Melissa virus.
  • F-PROT
  • Norton Anti-Virus
  • TrendMicro
  • AntiViral Toolkit
  • VirusScan
  • Sophos Anti-Virus
• Never double-click or launch any file, especially an E-mail attachment, regardless of who the file is from, unitl you first scan that file with your antivirus preogram.
  • ZDNet: Opening E-mail Attachments