Virus.MSWord.Melissa

Detect Date 01/11/2002
Class Virus
Platform MSWord
Description

Technical Details



This macro-virus replicates under Word 8 and Word 9 (Office97 and
Office2000), infects Word document and templates, and sends its copies via
e-mail messages using MS Outlook. The virus is an extremely fast infector: its
e-mail spreading routine may send many infected documents to different e-mail
addresses when the virus installs itself into the system. The virus also
has a trigger routine, changes the system registry, and disables the Word macro-virus
protection.


To send its copies via e-mail messages, the virus uses VisualBasic abilities
to activate other Microsoft applications and use their routines: the virus
gains access to MS Outlook and summons its functions. The virus obtains the
addresses from the Outlook database and sends them a new message. This
massage has:

The subject:
“Important Message From [UserName]” (UserName is variable)

Message body:
“Here is that document you asked for … don’t show anyone else ;-)”

The message also has an attached document (needless to say that it is
infected) – the virus attaches to the document that is being edited now
(active document). As a side effect of this way of spreading, the user’s
documents (including confidential ones) can be sent out on the Internet.


The virus can send very many messages: it scans Outlook AddressBook
(address database), opens each list in it, and sends up to 50 messages to
addresses from each one. If a list has less than 50 entries (e-mail
addresses), all of them are affected. The virus sends one message per each
list, the TO: field in the message contains all the addresses from this list
(up to 50), and can be disregarded by anti-spam filters.


The virus sends infected e-mail only one at a time. Before sending, the virus
checks system registry for its ID stamp:

HKEY_CURRENT_USERSoftwareMicrosoftOffice “Melissa?” = “… by Kwyjibo”


If this entry does not exist, the virus sends e-mail from an infected
computer, and then creates this entry in the registry. Otherwise, the virus skips the e-mail routine. As a result, the virus sends infected e-mail
messages only once: during subsequent attempts, it locates the “Melissa?=” entry, and
skips it.


The virus is able to spread to Office2000 (Word ver.9) documents. This
possibility is based on an Office “converting” feature. When new a Office
version opens and loads documents and templates created by previous Word
versions, it converts data in documents to new formats. The macro-program
in files are also converted, including virus macros. As a result, the virus
is able to replicate itself under Office2000.


In the case that the virus is run in Office2000, it performs an additional action: it
disables (sets to a minimal level) Office2000 security settings (anti-virus
protection).


The virus code contains one module named “Melissa” with one auto-function
in it: “Document_Open” in infected documents, or “Document_Closed” in
NORMAL.DOT (global macros area). The virus infects the global macros area
on an infected document opening, and spreads to other documents upon their
closing. To infect documents and templates, the virus copies its code
line-by-line from an infected object to a “victim” one. In the case that the NORMAL.DOT is
being infected, the virus names its program in the module as “Document_Close”,
when the virus copies its code from NORMAL.DOT to a document, the virus
names it “Document_Open”. As a result, the virus installs itself into the
Word application at the same time the infected document is open, and infects
other documents only when they are closed.


The virus also has a trigger routine that is activated if the current date
is equal to the current time in minutes. Each time the virus’ macros gain control, this
routine inserts the text into the current document:

Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game’s over. I’m outta here.


This text, as well as the pseudonym of the virus author, “Kwyjibo”, are
references to the popular “Simpsons” cartoon TV series.


The virus has the comments:

WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 … it’s a new age!

Melissa.b


This virus version transforms into a worm, not a virus: in its code, the
global macros area and other documents infection routine is “commented” out
(this code is present in the worm code, but all commands are disabled by
“this is comment text” VisualBasic character). It is also mentioned in
the author’s comments in the worm’s code: “We don’t want to actually infect the PC,
just warn them”


An infected document is attached to a message with:

Subject: “Trust No One”
Body: “Be careful what you open. It could be a virus.”


When an attached document is opened, the worm-spreading routine takes control.
It checks in the system registry for the “Melissa.a” mark, and if this is not present, the worm obtains one (first) address from each Outlook address list and sends
new messages with itsown copy to these addresses. The worm then inserts the following text into the current document:

This could have had disasterous results. Be more careful next time you open
an e-mail. Protect yourself! Find out how at these web sites:
http://www.eos.ncsu.edu/eos/info/computer_ethics/www/abuse/wvt/worm/
http://www.nipc.gov/nipc/w97melissa.htm
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
http://www.microsoft.com/security/bulletins/ms99-002.asp
http://www.infoworld.com/cgi-bin/displayStory.pl?990326.wcvirus.htm