Timberwolf Software


Timberwolf Anti-Virus Information Center

-- Vendor-Independent Anti-Virus Information and Education Site --

Virus Alerts

W97M.Melissa Virus

By Bill Grogg

The W97M.Melissa macro virus exploded onto the scene just this last Friday (3/26/1999). Never before have I seen so much analog and digital ink spilled on one virus, not to mention the constant updates on radio and TV news. What makes Melissa different from other macro viruses and so newsworthy?

The W97M.Melissa macro virus infects Microsoft Word 97 and Microsoft Word 2000 documents. It originated in a Word document uploaded to an Internet newsgroup on Friday, March 26, 1999. When someone downloaded and opened the document, the virus became active and e-mailed a copy of the infected document to the first 50 e-mail addresses found in the user's MAPI address books. That is what made the virus spread so fast. It didn't wait for a user to send someone an infected document. The virus sent it to 50 recipients itself. By early Friday afternoon reports began coming into various anti-virus groups and software companies. Many high-profile businesses and government agencies have been infected as have many of the customers and partner companies I work with.

Melissa doesn't carry a destructive payload, but it is still very costly in a number of ways. First of all, because of its use of e-mail to spread very rapidly, it clogs e-mail servers and eats up valuable Internet bandwidth. Many companies and government organizations that were infected had to shut down their e-mail servers until they had updated their anti-virus software and cleaned the virus on all of their systems. Some organizations have estimated that it will be nearly a week before they are ready to bring their e-mail servers back to life. The cost in the cleanup alone will run into millions of dollars.

Then there is the cost in lost productivity. E-mail has indeed become a mission-critical application for most companies. The exchange of documents is likewise vital to many business processes. How many project schedules, product launches, customer relationships, and other business processes that are the lifeblood of business will be negatively impacted by the unavailability of e-mail and document sharing services while the virus is cleaned up?

Another possible problem caused by W97M.Melissa is that other infected documents, when opened, will be sent to 50 e-mail addresses. What if these documents are confidential? It is almost certain that some of the first 50 addresses shouldn't see the document you're opening.

How does the virus work? When an infected document is opened (or closed), the virus checks the registry for security, the environment, and whether infection has already taken place. It turns off Word options for macro virus protection, conversion confirmation, and prompting for changes to the normal.dot template. Next, the virus opens MAPI address books (in Outlook or Outlook Express), creates a message, adds as recipients the first 50 addresses it finds in your address books, sets the subject to "Important Message From ", sets the text to "Here is that document you asked for ... don't show anyone else ;-)" and attaches the current document (the original infected document was list.doc and contained a list of pornographic web sites). It then sends the message. Subsequently, it infects the normal.dot (Normal) Word template so that all new documents will be infected.

If the minute of the hour matches the day of the month, the virus inserts the text "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current document.

The code appears to send the e-mail only if the registry key it creates doesn't contain the value "...by Kwyjibo", so it may only send the e-mail when the infection first occurs, but it does continue to infect other documents due to the infected Normal template file (normal.dot).

To protect yourself from this virus, make sure you keep your anti-virus software updated with the latest signatures. Those with dates past March 26, 1999 should be able to detect and remove the virus, but contact your anti-virus vendor to verify that they have this one covered (See Updating Your Anti-Virus Software for links to the vendors' signature update areas). Also make sure you scan all document files you receive to verify that they are clean, and know the source of the files you receive.

Even though the latest signatures will catch this virus, experts predict that in just the first week of Melissa's availability 25-30 new variants will be released, so good data protection practices should always be employed. See other documents on this site for what precautions you should take.
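A mail-gateway check for the message described above, as an added example that is not part of the original article: it flags mail by the subject prefix, body text and Word attachment the article quotes, and sends partial matches to review because variants may change one of them. The function names, verdict thresholds, addresses and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the article's description of the Melissa e-mail.
SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for"


def melissa_indicators(raw_message):
    """Return which Melissa mail indicators appear in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if (subject + " ").startswith(SUBJECT_PREFIX):
        hits.append("subject")
    has_doc, text = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc") or part.get_content_type() == "application/msword":
            has_doc = True
        elif part.get_content_type() == "text/plain":
            text.append((part.get_payload(decode=True) or b"").decode("latin-1"))
    if BODY_MARKER in " ".join(" ".join(text).split()).lower():
        hits.append("body")
    if has_doc:
        hits.append("word-attachment")
    return hits


def verdict(raw_message):
    """Hypothetical policy: all three indicators quarantine, two with a .doc review."""
    hits = melissa_indicators(raw_message)
    if "word-attachment" in hits and len(hits) == 3:
        return "quarantine"
    if "word-attachment" in hits and len(hits) == 2:
        return "review"
    return "pass"


def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.com", "contact@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()
```
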


Copyright © 1999-2002, Bill Grogg
Last updated at 4:23 PM on 20-Mar-2002.