|
The Melissa Virus
What is it
- The Melissa virus was first detected on March 26, 1999.
It is a Microsoft Word macro virus delivered as an E-mail attachment. When the
attachment, "list.doc" is opened the virus searches the Microsoft Outlook address
book and delivers the following message to the first 50 names:
Subject: Important Message From infected user's name
Body: Here is that document you asked for... don't show anyone else ;-)
The virus proliferates itself as users open the attachment.
More Details
- The message appears to come from the person just infected, of course,
since it really is sent from that machine. This means that when you
get an "infected" message it will probably appear to come from someone
you know and deal with. The subject line is "Important Message From:
[name of sender]" with the name taken from the registration settings
in Word. The text of the body states "Here is that document you asked
for ... don't show anyone else ;-)". Thus, the message is easily
identifiable: that subject line, the very brief message, and an
attached Word document (file with a .doc extension to the filename).
- If you receive a message of this form DO NOT OPEN THE DOCUMENT WITH
WORD!
- If you do not have alternate means or competent virus
assistance, the best recourse is to delete the message, and
attachment, and to send a message to the sender alerting them to the
fact that they are, very likely, infected.
- Do not start a panic by sending
warnings to everyone who sends you any message with an attachment.
Who is affected
- Anyone who uses Microsoft Word 97 or Word 2000 with Microsoft Outlook 97, 98
or 2000. The Melissa virus can infect your copy of Microsoft Word as well as any
subsequent Word documents you create, change your Word settings to make it
easier for your computer to be infected by this and future macro viruses, and use
your copy of Outlook to E-mail Melissa-infected Word files to 50 of your friends.
- Anyone who uses Microsoft Word 97 or Word 2000 with any other E-mail program.
While the Melissa virus will not automatically redistribute itself to your friends
through your E-mail program, the Melissa virus can still infect your copy of
Microsoft Word as well as any subsequent Word documents you may create, and it can
also change your Word settings to make it easier for your computer to be infected by
this and future macro viruses. Once your computer is infected with the Melissa
virus, any subsequent Word file you create and then share with others -- via E-mail,
floppy disk, FTP, and so on -- will contain the Melissa virus.
- If you don't use Word, you are safe. Completely safe. If you need to look at MS
Word documents, there is a free document viewer available. This viewer will not execute
macros, so it is safe from infection.
- The virus also will not invoke the mailout on Mac systems, but definitely can be
stored and resent from Macs.
Technical notes
- The virus is spread, of course, by infected Word documents. What has
made it the "bug du jour" is that it spreads *itself* via email. We
have known about viruses being spread as attachments to email for a
long time, and have been warning people not to execute attachments (or
read Word documents sent as attachments) if you don't know where they
came from. Happy99 is a good example: it has spread very widely in
the past month by sending itself out as an email attachment whenever
it infects a system.
- Since it is a macro virus, it will infect your NORMAL.DOT, and will
infect all documents thereafter. The macro within NORMAL.DOT is
"Document_Close()" so that any document that is worked on will be
infected when it is closed. When a document is infected the macro
inserted is "Document_Open()" so that the macro runs when the document
is opened.
Future developments?
- As with any Word macro virus, the source code travels with the infection,
and it will be very easy to create modifications to Melissa. We will, no doubt
very soon, start seeing many Melissa variants with different subjects and messages.
There is already one similar Excel macro virus, called "Papa."
- Any Word document can be infected, and that an infected user
may unintentionally send you an infected document. All Word
documents, and indeed all Office files, should be checked for
infection before you load them.
What to do to protect yourself
- A number of fixes for mail servers and mail filtering systems have
been devised very quickly. However, note that not all of these have
fully tested or debugged.
- Launch Word and turn on Macro Virus Protection.
- Update your virus definitions: every major antivirus software
manufacturer has released a virus update that recognizes and
removes the Melissa virus.
- Never double-click or launch any file, especially an E-mail
attachment, regardless of who the file is from, unitl you first
scan that file with your antivirus preogram.
|