Threat Description

Virus:W32/Melissa

Details

Aliases: Virus:W32/Melissa
Category: Malware
Type: Virus
Platform: W32

Summary



A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.



Removal



If your Microsoft Exchange server gets infected, install a Gateway scanner such as F-Secure Anti-Virus for Microsoft Exchange to protect it.

Microsoft has made a free tool available to clean up an infected Exchange mail database at:

  • ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/melissa-virus.zip


Technical Details



A virulent and widespread computer virus was found on Friday, March 26, 1999. This virus has spread all over the globe within just hours of the initial discovery, apparently spreading faster than any other virus before.

Melissa works with Microsoft Word 97, Microsoft Word 2000 and the Microsoft Outlook 97 or 98 e-mail client. You don't need to have Microsoft Outlook to receive the virus in e-mail, but it will not spread itself further without it.

Melissa will not work under Word 95 and will not spread further under Outlook Express.

Melissa can infect Windows 95, 98, NT and Macintosh users. If the infected machine does not have Outlook or internet access at all, the virus will continue to spread locally within the user's own documents.

The details below refer to the Melissa.A variant.

History

The virus spreads by e-mailing itself automatically from one user to another. When the virus activates, it modifies the user's documents by inserting comments from the TV series "The Simpsons". Even worse, it can send out confidential information from the computer without the user noticing.

The virus was discovered on Friday, late evening in Europe, early morning in the US. For this reason, the virus spread in the USA during Friday. Many multinational companies reported widespread infections, including Microsoft and Intel. Microsoft closed down their whole e-mail system to prevent any further spreading of the virus. The number of infected computers is estimated to be tens of thousands so far and it is rising quickly.

"We've never seen a virus spread so rapidly," comments Mikko Hypponen, F-Secure's Manager of Anti-Virus Research. "We've seen a handful of viruses that distribute themselves automatically over e-mail, but not a single one of them has been as successful as Melissa in the real world."

"The virus won't spread much during this weekend. We will see the real problem on Monday morning", continues Hypponen. "When a big company gets infected, their e-mail servers are seriously slowed down and might even crash, as people start to e-mail large document attachments without realising it."

For more information on Melissa, see Global Melissa Information Center at http://www.F-Secure.com/melissa/

Propagation

Melissa was initially distributed in an internet discussion group called alt.sex. The virus was sent in a file called LIST.DOC, which contained passwords for X-rated websites.

When users downloaded the file and opened it in Microsoft Word, a macro inside the document executed and e-mailed the LIST.DOC file to 50 people listed in the user's e-mail alias file ("address book").

The e-mail looked like this:

  • From: (name of infected user)
  • Subject: Important Message From (name of infected user)
  • To: (50 names from alias list)
  • Body: Here is that document you asked for ... don't show anyone else ;-)
  • Attachment: LIST.DOC

Note that Melissa can arrive in any document, not necessarily just in the LIST.DOC file in which it was initially spread.

Most of the recipients are likely to open a document attachment like this, as it usually comes from someone they know.

Infection

After sending itself out, the virus continues to infect other Word documents. Eventually, these files can end up being mailed to other users as well. This can be potentially disastrous, as a user might inadvertently send out confidential data to outsiders.

The virus activates if it is executed when the minutes of the hour match the day of the month; for example, 18:27 on the 27th day of a month. At this time the virus will insert the following phrase into the current open document in Word:

  • "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here".

This text, as well as the alias name of the author of the virus, "Kwyjibo", are all references to the popular cartoon TV series called "The Simpsons". For more information on this connection, see this Simpsons web page:

  • http://www.imada.ou.dk/~jews/TheSimpsonsArchive/episodes/7G02.html

Variant:Melissa.I

The main difference between Melissa.I and Melissa.A is that this variant uses a random number to select subject lines and message bodies of outgoing messages from eight different alternatives:

 1. Subject: Question for you...
    Body: It's fairly complicated so I've attached it.
 2. Subject: Check this!!
    Body: This is some wicked stuff!
 3. Subject: Cool Web Sites
    Body: Check out the Attached Document for a list of some of the best Sites on the Web
 4. Subject: 80mb Free Web Space!
    Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room.
 5. Subject: Cheap Software
    Body: The attached document contains a list of web sites where you can obtain Cheap Software
 6. Subject: Cheap Hardware
    Body: I've attached a list of web sites where you can obtain Cheap Hardware
 7. Subject: Free Music
    Body: Here is a list of places where you can obtain Free Music.
 8. Subject: * Free Downloads
    Body: Here is a list of sites where you can obtain Free Downloads.

In the last subject, the asterisk will be replaced with a random character.

Unlike Melissa.A, this variant uses a different registry key (called "Empirical") to check whether mass mailing has been done.

Melissa.I contains an additional payload as well. If the number of minutes equals the number of hours, the virus inserts the following text into the active document:

  • All empires fall, you just have to know where to push.

At the same time, the virus clears the mark from the registry, causing the mass-mailing part to be reactivated as soon as a document is opened or closed, a new document is created or Word is restarted.


Variant:Melissa.O

This Melissa variant sends itself to 100 recipients from each Outlook address book. The e-mail looks like this:

  • Subject: Duhalde Presidente
  • Body: Programa de gobierno 1999 - 2004.


Variant:Melissa.U

W97M/Melissa.U is similar to Melissa.A. Unlike Melissa.A, this variant uses the module name "Mmmmmmm" and it has a destructive payload. This variant deletes the following system files:

  • c:\command.com
  • c:\io.sys
  • d:\command.com
  • d:\io.sys
  • c:\Ntdetect.com
  • c:\Suhdlog.dat
  • d:\Suhdlog.dat

To do this, the virus removes hidden, system, read-only and archive attributes from these files. Unlike W97M/Melissa.A, it sends itself only to 4 recipients. The message itself is also different:

  • Subject: pictures (user name)
  • Body: what's up ?

Where (user name) is replaced with Word's registered user name.

The following texts will be added to every infected document:

  • Loading... No
  • >>>>Please Check Outlook Inbox Mail<<<<<

This variant has been detected since October 13th, 1999.


Variant:Melissa.V

This variant is similar to Melissa.U. This variant sends itself to 40 recipients and the message is different:

  • Subject: My pictures (user name)

The message body is empty, and (user name) is replaced with Word's registered user name. After Melissa.V has mailed itself, it will delete all files from the root of the following drives:

  • M:
  • N:
  • O:
  • P:
  • Q:
  • s:
  • f:
  • I:
  • x:
  • z:
  • H:
  • L:

When this has been done, the virus shows a message box with the following text:

  • Hint: Get Norton 2000 not McAfee 4.02

This variant has been detected since October 13th, 1999.


Variant:Melissa.W

Melissa.W does not lower macro security settings in Word 2000. Otherwise it is functionally identical to Melissa.A.


Variant:Melissa.AO

Melissa.AO uses Outlook to send an e-mail message with:

  • Subject: Extremely URGENT: To All E-Mail User -
  • Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.
  • Attachment: [infected document]

The payload activates at 10 am on the 10th day of each month, when the virus inserts the following text into the active document:

  • Worm! Let's We Enjoy.




