The Melissa Word Macro Virus

The W97M.Melissa Word macro virus has been seen within the DOE complex. This macro virus uses two methods of infection. First, it infects the Word 97 (or 2000) program (normal.dot template) and all subsequent documents edited with Word. Second, it uses the Outlook 98 (or 2000) e-mail program to mail copies of the infected document to the first 50 people in each of your Outlook address books. If Outlook 98 or Outlook 2000 is not installed, the second method of infection does not work but the first method still does.

The virus attaches to Word objects in Word 97 and Word 2000. Because of this method of infection, this virus will not infect older versions of Microsoft Word. When an infected document is opened, the virus checks to see if Word 97 or Word 2000 is installed, disables the Macro toolbar, and then disables the following Word 97 options (different options in Word 2000):

Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.

Disabling these options makes it difficult to detect the virus in action. The virus next checks the value of the private registry string:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that string is not equal to "... by Kwyjibo" the virus sends copies of the infected document to the first 50 people in each of your Outlook address books and then sets the registry key so it does not do this again. It sends copies of the infected document to others by opening a connection to Microsoft Outlook and creating an e-mail message with the subject:

Important Message From (username)

where (username) is replaced with the current Word user's name (Tools, Options command, User Information tab). The body of the message contains the following text:

Here is that document you asked for ... don't show anyone else ;-)

The virus then inserts the first 50 users from your first Outlook address book, attaches the infected document and sends the message. It performs this process again for each of the address books you have defined in Outlook.
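
A mail-gateway style check for the message described above, written as an added example that is not part of the original bulletin. The sample messages, addresses, helper names and the .doc/.dot extension list are constructed assumptions; the subject and body strings are the ones quoted in the text.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the bulletin text (compared case-insensitively).
SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for ... don't show anyone else ;-)"
WORD_EXTENSIONS = (".doc", ".dot")  # assumption: Word 97/2000 file types


def melissa_indicators(raw_message: bytes) -> list:
    """Return the names of the Melissa mail indicators found in one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None:
        # Collapse whitespace so re-wrapped lines still match the marker.
        text = " ".join(body_part.get_content().split()).lower()
        if BODY_MARKER in text:
            hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTENSIONS):
            hits.append("word_attachment")
            break
    return hits


def is_suspect(raw_message: bytes) -> bool:
    """Flag only when subject, body and a Word attachment all match."""
    return set(melissa_indicators(raw_message)) == {"subject", "body", "word_attachment"}


def build_sample(subject, body, attachment_name=None) -> bytes:
    """Constructed sample message for the demonstration (not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="msword", filename=attachment_name)
    return msg.as_bytes()
```

Requiring all three indicators keeps ordinary mail with a Word attachment from being flagged; each indicator is still reported separately so partial matches can be logged.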

After sending itself to the people in your address books, the virus checks to see if it is running on a document or the Normal.dot template. If it is running on a document, it infects the Normal.dot template with a Document_Close macro that runs whenever a document is closed. If it is running on the Normal.dot template, it infects the active document with a Document_Open macro that runs whenever a document is opened. After the Normal.dot template is infected, the virus infects every document you work on as soon as you close it. If you share these documents with anyone, you will spread the virus.

Finally, it has a small payload. If the minute of the hour equals the day of the month, the virus inserts the following message at the current location in the active document:

Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.

Note: we have been informed that the word Kwyjibo and the text inserted into the document are from a Bart Simpson episode where Bart wins a Scrabble game with the word Kwyjibo.
