Virus:W32/Melissa

Classification

Category: Malware

Type: Virus

Aliases: Virus:W32/Melissa

Summary

A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Removal

If your Microsoft Exchange server gets infected, install a Gateway scanner such as F-Secure Anti-Virus for Microsoft Exchange to protect it.

Microsoft has made a free tool available to clean up an infected Exchange mail database at:

  • ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/melissa-virus.zip

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

A virulent and widespread computer virus was found on Friday, March 26, 1999. This virus has spread all over the globe within just hours of the initial discovery, apparently spreading faster than any other virus before.

Melissa works with Microsoft Word 97, Microsoft Word 2000 and the Microsoft Outlook 97 or 98 email client. You don't need to have Microsoft Outlook to receive the virus in email, but it will not spread itself further without it.

Melissa will not work under Word 95 and will not spread further under Outlook Express.

Melissa can infect Windows 95, 98, NT and Macintosh users. If the infected machine does not have Outlook or internet access at all, the virus will continue to spread locally within the user's own documents.

The details below refer to the Melissa.A variant.

History

The virus spreads by emailing itself automatically from one user to another. When the virus activates, it modifies the user's documents by inserting comments from the TV series "The Simpsons". Even worse, it can send out confidential information from the computer without the user noticing.

The virus was discovered on Friday, late evening in Europe, early morning in the US. For this reason, the virus spread in the USA during Friday. Many multinational companies reported widespread infections, including Microsoft and Intel. Microsoft closed down their whole email system to prevent any further spreading of the virus. The number of infected computers is estimated to be tens of thousands so far and it is rising quickly.

"We've never seen a virus spread so rapidly," comments Mikko Hypponen, F-Secure's Manager of Anti-Virus Research. "We've seen a handful of viruses that distribute themselves automatically over email, but not a single one of them has been as successful as Melissa in the real world."

"The virus won't spread much during this weekend. We will see the real problem on Monday morning", continues Hypponen. "When a big company gets infected, their email servers are seriously slowed down and might even crash, as people start to email large document attachments without realising it."

For more information on Melissa, see Global Melissa Information Center at http://www.F-Secure.com/melissa/

Propagation

Melissa was initially distributed in an internet discussion group called alt.sex. The virus was sent in a file called LIST.DOC, which contained passwords for X-rated websites.

When users downloaded the file and opened it in Microsoft Word, a macro inside the document executed and emailed the LIST.DOC file to 50 people listed in the user's email alias file ("address book").

The email looked like this:

  • From: (name of infected user)
  • Subject: Important Message From (name of infected user)
  • To: (50 names from alias list)
  • Body: Here is that document you asked for ... don't show anyone else ;-)
  • Attachment: LIST.DOC

Note that Melissa can arrive in any document, not just in the LIST.DOC file in which it was initially spread.

Most of the recipients are likely to open a document attachment like this, as it usually comes from someone they know.

Infection

After sending itself out, the virus continues to infect other Word documents. Eventually, these files can end up being mailed to other users as well. This can be potentially disastrous, as a user might inadvertently send out confidential data to outsiders.

The virus activates if it is executed when the minutes of the hour match the day of the month; for example, 18:27 on the 27th day of a month. At this time the virus will insert the following phrase into the current open document in Word:

  • "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here".

This text, as well as the alias name of the author of the virus, "Kwyjibo", are all references to the popular cartoon TV series called "The Simpsons". For more information on this connection, see this Simpsons web page:

  • http://www.imada.ou.dk/~jews/TheSimpsonsArchive/episodes/7G02.html

Variant:Melissa.I

The main difference between Melissa.I and Melissa.A is that this variant uses a random number to select subject lines and message bodies of outgoing messages from eight different alternatives:

1. Subject: Question for you...
   Body: It's fairly complicated so I've attached it.
2. Subject: Check this!!
   Body: This is some wicked stuff!
3. Subject: Cool Web Sites
   Body: Check out the Attached Document for a list of some of the best Sites on the Web
4. Subject: 80mb Free Web Space!
   Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room.
5. Subject: Cheap Software
   Body: The attached document contains a list of web sites where you can obtain Cheap Software
6. Subject: Cheap Hardware
   Body: I've attached a list of web sites where you can obtain Cheap Hardware
7. Subject: Free Music
   Body: Here is a list of places where you can obtain Free Music.
8. Subject: * Free Downloads
   Body: Here is a list of sites where you can obtain Free Downloads.

In the last subject, the asterisk will be replaced with a random character.

Unlike Melissa.A, this variant uses a different registry key (called "Empirical") to check whether mass mailing has already been done.

Melissa.I contains an additional payload as well. If the number of minutes equals the number of hours, the virus inserts the following text into the active document:

  • All empires fall, you just have to know where to push.

At the same time, the virus clears the mark from the registry, causing the mass-mailing part to be reactivated as soon as a document is opened or closed, a new document is created, or Word is restarted.

Variant:Melissa.O

This Melissa variant sends itself to 100 recipients from each Outlook address book. The email looks like this:

  • Subject: Duhalde Presidente
  • Body: Programa de gobierno 1999 - 2004.

Variant:Melissa.U

W97M/Melissa.U is similar to Melissa.A. Unlike Melissa.A, this variant uses the module name "Mmmmmmm" and it has a destructive payload. This variant deletes the following system files:

  • c:\command.com
  • c:\io.sys
  • d:\command.com
  • d:\io.sys
  • c:\Ntdetect.com
  • c:\Suhdlog.dat
  • d:\Suhdlog.dat

To do this, the virus removes hidden, system, read-only and archive attributes from these files. Unlike W97M/Melissa.A, it sends itself only to 4 recipients. The message itself is also different:

  • Subject: pictures (user name)
  • Body: what's up ?

Where (user name) is replaced with Word's registered user name.

The following texts will be added to every infected document:

Loading... No
>>>>Please Check Outlook Inbox Mail<<<<<

This variant has been detected since October 13th, 1999.

Variant:Melissa.V

This variant is similar to Melissa.U. This variant sends itself to 40 recipients and the message is different:

  • Subject: My pictures (user name)

The message body is empty, and (user name) is replaced with Word's registered user name. After Melissa.V has mailed itself, it will delete all files from the root of the following drives:

  • M:
  • N:
  • O:
  • P:
  • Q:
  • s:
  • f:
  • I:
  • x:
  • z:
  • H:
  • L:

When this has been done, the virus shows a message box with the following text:

  • Hint: Get Norton 2000 not McAfee 4.02

This variant has been detected since October 13th, 1999.

Variant:Melissa.W

Melissa.W does not lower macro security settings in Word 2000. Otherwise it is functionally identical to Melissa.A.

Variant:Melissa.AO

Melissa.AO uses Outlook to send an email message with:

  • Subject: Extremely URGENT: To All email User
  • Body: This announcement is for all email user. Please take note that our email Server will down and we recommended you to read the document which attached with this email.
  • Attachment: [infected document]

The payload activates at 10 am on the 10th day of each month, when the virus inserts the following text into the active document:

  • Worm! Let's We Enjoy.
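
The subject and body patterns listed above for Melissa.A, .I, .O, .U, .V and .AO can be turned into a triage check for a mail gateway or a mailbox sweep. The following is an added example, not F-Secure's code: the names classify and make_sample, and the requirement that the message carries a .doc attachment, are assumptions of the example, and the test messages it builds are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# (variant, subject regex, required body substring or None), from this page.
SIGNATURES = [
    ("Melissa.A", r"Important Message From .+", "Here is that document you asked for"),
    ("Melissa.I", r"(Question for you\.\.\.|Check this!!|Cool Web Sites"
                  r"|80mb Free Web Space!|Cheap Software|Cheap Hardware"
                  r"|Free Music|. Free Downloads)", None),
    ("Melissa.O", r"Duhalde Presidente", "Programa de gobierno 1999 - 2004."),
    ("Melissa.U", r"pictures .+", "what's up ?"),
    ("Melissa.V", r"My pictures .+", None),
    ("Melissa.AO", r"Extremely URGENT: To All email User",
     "This announcement is for all email user."),
]

def classify(raw):
    """Return the variant whose documented mail pattern matches, else None."""
    msg = message_from_string(raw, policy=policy.default)
    # Assumption: the infected document is attached with a .doc file name.
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if not any(n.endswith(".doc") for n in names):
        return None
    # Collapse whitespace so folded headers and wrapped bodies still match.
    subject = " ".join(str(msg["Subject"] or "").split())
    part = msg.get_body(preferencelist=("plain",))
    body = " ".join(part.get_content().split()) if part else ""
    for variant, subj_re, marker in SIGNATURES:
        if re.fullmatch(subj_re, subject) and (marker is None or marker in body):
            return variant
    return None

def make_sample(subject, body, filename="LIST.DOC"):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_string()
```

A match is a reason to quarantine and scan the attachment, not a verdict: several Melissa.I subject lines are ordinary phrases, and Melissa can arrive in any document.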