Image: Zombie Pinup by ferrari28
© 2013 Margaret Hillary. All Rights Reserved.
Who is the Malicious Melissa?
The name “Melissa” is a Greek derivative denoting, “Honey Bee”. Like her name, this deceptively sweet virus packs a poisonous sting scathing Outlook (Excluding Outlook Express)/Word (with the exception of Word ’95 and prior versions), users with her nasty stealth virus. Created by David L. Smith, Microsoft Outlook/Word users were hit with one of the top lethal viruses – inspired by a Florida dancer. Because she was the first virus proficient in “buzzing” from one machine to another autonomously, “W97M/Melissa.A” was the first array of Melissa outbreaks for the programs Word & Outlook 2000 and Outlook1998.
Essentially, she appears as a spoof email, sweetly tempting victims into, “Important Message from (the name of someone the recipient is acquainted with),” which encompasses an enticing body text proclaiming, “Here is that document you asked for…don’t show anyone else ;-)”.
It is precisely in this pathological Word doc attachment, dubbed “LIST.DOC”, which contains this vicious virus; however, wouldn’t you know, this name can be renamed! If the Word doc is enabled (opened), the virus file is read into to the computer storage that encompasses a visual basic script. Copying into the normal.dot template file (which is employed by Word for revision), this sneaky malware injects the virus file into the very settings and default macros of the word doc. It generates the code, “HKEY_CURRENT_USERSoftwareMicrosoftOffice”Melissa?”=”…by Kwyjibo” recording directly into Window’s log.
Subsequent to its Microsoft Word doc template and macros infection, she then attacks the first 50 Outlooks recipients in each Outlook Global Address Book; sending out the virus to potentially poisoning the victim’s contacts. Each infected email contains the virus in a Word attachment for a finite outbreak which multiplies by assimilating into additional files at every run of the host program and can deactivate certain security safeguards. Essentially, you can generate a new viral document, give the word doc to another person or send it via email. And because this is a true virus, this malicious virus demands a host to accurately “run” (become infected) – in this case, our host is an infected Word doc. Although one isn’t required to own Microsoft Outlook to accept the virus via e-mail; she cannot possibly spread further outside of Outlook, however soil internal documents locally. But watch out Windows 95, 98, NT and Macintosh users, you are not immune – you can be infected too!
Inspired by the game of Scrabble and Bart Simpson, a bundle of text (data transmissions) appears at the mouse marker point stating, “Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here,” only when the day of the month is equivalent to its minute value. Very funny.. ha-ha! (Not!)
This initially caused quite the epidemic transpiring the fasted distributed virus known to that date, forcing Microsoft Corporation to close all incoming emails on March 26, 1999. Because of the nature and severity of this virus, other companies such as Intel were affected in which the U.S. Department of Defense CERT team declared a breach and developed patches for restoration. Where she does not essentially abolish documents or additional assets, she can impose impending incapacitating effects on business email servers, terminating email communication (one of our most exclusive means of communication at work) if not patched; literally bringing business communication to its knees. In fact, a Congress FBI official declared that Melissa “wreaked havoc on government and private sector networks”.
Melissa contains variants as well!
Behold, Melissa.I, the infection which uses diverse email subject and body messages based on a random number. This variation uses an empirical archive key which elects a list of messages. To view an example, please go here: http://www.f-secure.com/v-descs/melissa.shtml.
The asterisk in subject 8 will essentially be replaced by a different character.
Melissa.O can propagate up to 100 email contacts which appear similar to:
Subject: Duhalde PresidenteBody: Programa de gobierno 1999 – 2004.
Using the file name “”Mmmmmmm”, the venomous W97M/Melissa.U obstructs the following system files: c:\io.sys, c:\command.com, d:\io.sys, c:\Suhdlog.dat, d:\Suhdlog.dat, and c:\Ntdetect.com. Yikes! Although she only sends to four recipients, she eradicates system, hidden, archived, and read-only attributes from those documents.
Below is how her email will appear:
Subject: pictures (user name)
Body: what’s up ?
Instead of infecting 50 recipients, Melissa.V sends to 40 utilizing the subject line, “My pictures (user name).” Discovered on October 13, 1999, the body appears altered as well. She uses an empty body and the user name is replaced with the Word’s register user name. Once she is mailed, she then proceeds to erase all root records from these drives: F,H-I, L-Q, S, X, and Z.
After she has deleted all files from these root drives, she then generates a message box stating, “Hint: Get Norton 2000 not McAfee 4.02”.
Utilizing outlook with the following message, Melissa.AO makes a tremendously vital case to open the attachment. PLEASE DON’T! Take a peek at this sneaky message at this web address: http://www.f-secure.com/v-descs/melissa.shtml
Who she can infect:
- Microsoft Word – 97and 2000 Programs
- Microsoft Outlook – 97 and/ or 98 e-mail client
- Windows 98, NT and Macintosh users
How to Avoid Melissa:
Be sure you are cautious of opening attachments, remember, viruses need a host! Review these notes and any of the subject lines listed from the various Melissa viruses (Normally 40 kilobyte doc titled LIST.DOC) DO NOT OPEN! If you feel as though you received a Melissa virus email, delete the email immediately. Compose an email to the sender you received the Melissa email from and let them know they have been infected. She can only infect you if you open her attachment! Don’t let her propagate.
Also, ensure your security by going to Tools, then to Macro, and then select Security. To guarantee security, HIGH safeguard will only permit macros that have been elected to be opened. MEDIUM will prompt a message that permits the incapacitation of a macro if not sure of the suspect macros. Scan your computer frequently and keep current with the latest antivirus software. (This is a must!)
If, by chance you cannot execute these instructions, you might be infected.
How to Patch:
If you feel you are infected by her malicious virus, always, always run your latest antivirus software! Look to an antivirus company for support in removing it (this is their job!) Repeat prior instructions by setting your macros security levels. And if all else fails, refer to this article from Microsoft that will assuredly assist with further questions or concerns. http://support.microsoft.com/kb/224506
Dick, Ronald (2001). The Federal Bearu of Investigation – Testimony: “Before the House Energy and Commerce Committee, Oversight and Investigation Subcommittee – Washington, DC”. http://www.fbi.gov/news/testimony/issue-of-intrusions-into-government-computer-networks
F-Secure (Unknown). Virus:W32/Melissa http://www.f-secure.com/v-descs/melissa.shtml
Microsoft (2012). General information about the “Melissa” Word macro virus that affects Word 2000, Outlook 2000, and Outlook 98 http://support.microsoft.com/kb/224506
Strickland, Jonathan. “10 Worst Computer Viruses of All Time” 26 August 2008. HowStuffWorks.com. http://computer.howstuffworks.com/worst-computer-viruses.htm> 04 September 2013.