"Melissa" Word Macro Virus(Discovered 3/26/99)

Question

"Melissa" Word Macro Virus(Discovered 3/26/99)

Answer

This question was answered on June 16, 1999. Much of the information contained herein may have changed since posting.

If you use Word 97 or Word 2000 and you send or receive email using Microsoft Outlook (not Outlook Express), you're going to want to learn as much as you can about this virus The virus was discovered on March 26th, 1999 The FBI issued a warning on Sunday March 28th, 1999 due to the widespread reports of this virus through government, commercial, and military email systems

Curious to know the basics of this virus? We've got all the info for you here Read on and educate yourself to keep yourself virus-free!

Who can get this virus?

Do I have the virus?

Yes, I have it! How did I get it?

What does it do?

How do I get rid of it?

How do I prevent this virus from getting me?

But I already have a virus scanning program, why didn't it catch this virus?

Who can get this virus?

Anyone who uses Microsoft Outlook (NOT Outlook Express) for email and/or Microsoft Word (97 or 2000) for word processing is vulnerable to the virus The virus can still be sent to you even if you don't use either of these programs You simply become a "carrier" and can pass it on to others via e-mail or floppy disks.

Do I have the virus?

**WARNING** We DO NOT recommend that you get into your registry unless you have expert knowledge of how to navigate through it This is the "heart and soul" of your operating system If anything goes wrong while you are in this section, the operating system is at danger of being heavily damaged **WARNING**

However -- The best way to tell if you have the virus is to check through this registry If you have the following key in your registry, you are infected by the Melissa macro virus:

HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = ".. by Kwyjibo"

To check your registry for this key, click on Start, then Run and type regedit then click on "OK"

When the registry box comes up, click on the plus sign next to "HKEY_CURRENT_USER" then "Software" then "Microsoft" then "Office" If the word "Melissa" does not appear as a registry key, you are not infected by this virus If it is there, do not remove as this alone will not protect you.

I have the virus! How did I get it?

You came into contact with an infected document file either through email or from a floppy disk Most likely, you got an email that had the following subject line, body, and attachment.

Subject: Important message from [person's name]

Body: Here is that document that you asked for don't show anyone else ;-)

There was also a file attached You clicked on it and opened it, there was a list of pornographic websites From there, the Melissa virus infected your Microsoft Word program and any subsequent files that were opened after the infection.

What does the virus do?

The new "Melissa" virus infects Microsoft Word documents using Visual Basic for Applications -- the built-in scripting language in the Microsoft Office suite The virus has three main actions:

It infects Word and spreads to all Word documents you open.

It changes some settings to ease infection.

It e-mails itself using Microsoft Outlook, masquerading as a message from you.

When you open an infected Word document, Melissa spreads to your NORMAL.DOT document template This is where Word stores your custom settings and default macros By copying itself into NORMAL.DOT, Melissa ensures that your Word installation is infected and any documents or templates you create will get the virus added It also ensures that the virus code runs every time you open or close a document

Another quirk of the virus: If the day equals the minute value, and the infected document is opened this text is inserted at the current cursor position:

" Twenty-two points, plus triple-word-score, plus fifty points for using all my letters Game's over I'm outta here."

Now how do I get rid of it?

Remove or clean any infected files from your hard drive and/or floppy disks Do this using the latest anti-virus program with the most recently updated virus information files Make sure you're cleaning or deleting infected document files from your ENTIRE hard disk, including your email folders!

Now, reverse the Word settings that the Melissa virus changed In Word 97 check the following settings:

Tools | Options | General | Confirm Conversion at Open

-- should be checked on

Tools | Options | General | Macro virus protection

-- should be checked on

Tools | Options | Save | Prompt to save Normal template

-- should be checked on

In Word 2000 check the following menu settings:

Change your macro security level to medium (meaning you can choose to run macros or not) or high

Lastly, notify anyone who may have received an infected document from you Look in the Sent Items folder of your e-mail program and see if any documents have been sent out If you mailed any Word attachments after Thursday 25th March --either sent by you manually or as part of the message that Melissa makes and sends -- write a polite message to all the receivers informing them of possible infection and suggesting that they check their systems

It's a bit embarrassing to admit that you may have infected others with a computer virus, but it's far better to give other people a warning than leave them in the dark and at risk of spreading a macro virus even further To stop rumors and unnecessary panic do not broadcast warnings to lots of unaffected people Just tell the people who sent the virus to you and those who may have received it from you

If you're on a network, don't forget to warn anyone with whom you share documents and notify your network administrator, IT manager or Help Desk staff Only appropriately authorized staff should send any kind of "security warning" or "alert" message within an organization End-users should only be sending such alerts to the appropriate managers -- don't cry "virus" in a crowded workplace Let them handle passing the news to the rest of the company in a systematic way.

How can I prevent this virus from getting me?

The best defense against macro viruses as well as any destructive programs is to keep an updated anti-virus program such as McAfee's VirusScan or Norton's Anti-Virus You can download a free trial version from either of the links above (Do NOT use both!!) If you already have these programs, you need to update the files immediately (through their website or the Live Update function) so as to keep your virus lists current and keep you safe.

Next, changing file associations may keep you safe If you have Word installed on your computer, the default program to open any document files (*.doc) is Word! By changing this default program, you might be able to avert any macro virus infection Click here for detailed instructions on how to change that.

The next thing you do is to watch out for any emails that have the subject line:

"Important message from [person's name]."

If there is a document file attached to that email (you'll know by the paperclip symbol next to the person's name), DO NOT OPEN IT!!!! Scan it first with your virus program (make sure the virus information files are updated!!) before you open it If it is infected, delete it immediately Make sure you tell the person whose name is in the From: line that they are infected with this virus Remember, they didn't knowingly send it to you, so don't get upset with them!

But I already have a virus program -- Why didn't it protect me??

Probably because you have not updated your virus information files in quite some time In order for your virus program to protect you, you MUST keep those files current There are approximately 3 new viruses created and launched daily If your virus scan program has information from 1997 as the newest information, you can only imagine how many new viruses that you are not protected against!

Need Help with this Issue?

We help people with technology! It's what we do.
Schedule an Appointment with a location for help!

Author

Posted by Ken of Data Doctors on June 16, 1999