Macro.Word97.Melissa
This macro virus replicates under Word 8 and Word 9 (Office97 and Office2000), infects Word document and templates, and
sends its copies in Email messages using MS Outlook. The virus is extremely fast infector: its email spreading routine may send
many infected documents to different email addresses, when the virus installs itself into the system. The virus also has trigger
routine, changes the system registry, disables Word macro-virus protection.
To send its copies in email messages the virus uses VisualBasic abilities to activate other Microsoft applications and use their
routines: the virus gets access to MS Outlook and calls its functions. The virus gets the addresses from Outlook database and
sends to them a new message.
This message has:
The subject: "Important Message From [UserName]" (UserName is variable)
Message body: "Here is that document you asked for ... don't show anyone else ;-)"
The message also has attached document (needless to say that it is infected) - the virus attaches the document that is being
edited now (active document). As a side effect of this way of spreading the user's documents (including confidential ones) can
be sent out to the Internet.
The virus can send very many messages: it scans Outlook AddressBook (address database), opens each list in it and sends up
to 50 messages to addresses from each one. If a list has less than 50 entries (email addresses), all of them are affected. The
virus sends one message per each list, the TO: field in the message contains all addresses from this list (up to 50), and can be
rejected by anti-spam filters.
The virus sends infected emails only one time. Before sending the virus checks system registry for its ID stamp:
HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"
If this entry does not exist, the virus sends e-mails from infected computer, and then creates this entry in the registry. Otherwise
the virus jumps over the email routine. As a result the virus sends infected email messages only once: on next attempts it locates
the "Melissa?=" entry, and skips it.
The virus is able to spread to Office2000 (Word ver.9) documents. This possibility is based on Office "convertation" feature.
When new Office version opens and loads documents and templates created by previous Word versions, it converts data in
documents to new formats. The macro program in files are also converted, including virus macros. As a result the virus is able
to replicate itself under Office2000.
In case the virus is run in Office2000 it performs additional action: it disables (sets to minimal level) Office2000 security settings
(anti-virus protection).
The virus code contains one module named "Melissa" with one auto-function in it: "Document_Open" in infected documents, or
"Document_Close" in NORMAL.DOT (global macros area). The virus infects the global macros area on an infected document
opening, and spreads to other documents on their closing. To infect documents and templates the virus copies its code
line-by-line from infected object to victim one. In case the NORMAL.DOT is being infected, the virus names its program in
module as "Document_Close", when the virus copies its code from NORMAL.DOT to a document, the virus names it
"Document_Open". As a result the virus installs itself into the Word application at the same time infected document is opened,
and affects other documents only when they are closed.
The virus also have trigger routine that is activated if current day number is equal to current minutes, each time virus macros get
control. This routine inserts the text into the current document:
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
This text, as well as the alias name of the virus
author, "Kwyjibo", are references to the popular "Simpsons"
cartoon TV series.
The virus have the comments:
WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
Melissa.b
This virus version becomes to be a worm, not a virus: in its code the global macros area and other documents infection routine
is commented out (this code presents in the worm code, but all commands are disabled by "this is comment text" VisualBasic
character). It is also mentioned in author's comments in worm's code: "We don't want to actually infect the PC, just warn them"
Infected document is attached to a message with: Subject: "Trust No One" Body: "Be careful what you open. It could be a
virus." When attached document is opened, the worm spreading routine takes control. It checks in system registry for
"Melissa.a" mark, and if it does not present, gets one (first) address from each Outlook address list and sends new messages
with own copy to these addresses. The worm then inserts into current document the text:
This could have had disasterous results. Be more careful next time you open an e-mail. Protect yourself! Find out how at these
web sites:
http://www.eos.ncsu.edu/eos/info/computer_ethics/www/abuse/wvt/worm/
http://www.nipc.gov/nipc/w97melissa.htm
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
http://www.microsoft.com/security/bulletins/ms99-002.asp
http://www.infoworld.com/cgi-bin/displayStory.pl?990326.wcvirus.htm
(
geocities.com/timessquare/alley) (
geocities.com/timessquare)