WD2000: "Melissa" Word Macro Virus Alert

ID: Q224506

The information in this article applies to:

Microsoft Word 2000
Microsoft Outlook, versions 2000, 98

SUMMARY

This article contains important information about the Word macro virus called "Melissa". The following topics are covered in this article:

Whom can the virus affect?
What is the "Melissa" macro virus?
Will Word 2000 protect my computer from this and other macro viruses?
How do I ensure the Word macro virus protection is turned on?
How do I ensure my computer will not be infected?
What should I do if my computer has been infected by this virus, or I think it has been infected?
What if I have more questions about macro viruses?

MORE INFORMATION

On March 26, 1999, Microsoft was made aware of a Word macro virus W97M/Melissa.A (dubbed "Melissa") that has affected a number of users and companies. As with all security issues, Microsoft takes this very seriously, and because of the widespread nature of this particular virus, Microsoft is taking steps to proactively notify our customers to help minimize its impact. By taking the necessary precautions, you can ensure it does not affect your computer.

Whom can the virus affect?

This virus can affect people who are using Word with Outlook version 98 or version 2000. If you do not use this software, this particular virus does not affect your computer.

What is the "Melissa" macro virus?

It is a Word macro virus delivered via e-mail in an attached Word document. The e-mail message contains the subject line "Important Message From "UserName" and/or contains the message body "Here is that document you asked for ... don't show anyone else ;-)". If the attached Word document is opened and the macro virus is enabled (that is, it is allowed to run), it can propagate itself by sending e-mail with the infected document to a number of recipients. The virus reads the list of members from each Outlook Address Book and sends an e-mail message to the first 50 recipients programmatically.

The name of the original infected Word document is List.doc, but this could be changed to any name. After the virus has been enabled and allowed to run, it can infect your default template (Normal.dot). New documents are based on the Normal.dot template, so they too can become infected. In this scenario, you could create a new document, send or give the file to someone, and their computer could then become infected. The virus would then attempt to send your document (instead of the original infected List.doc file) out to 50 recipients from each Outlook Address Book.

This virus does not appear to destroy data. If the current day of the month equals the minute value of the current time, and the infected document is opened, the following text is inserted at the current insertion point position:

Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.

Will Word 2000 protect my computer from this and other macro viruses?

Yes. Word 2000 will protect you from macro viruses including this one, provided the High Security Level or Medium Security Level is enabled (High is the default setting). With High security enabled, every time you open a Word document that contains macros, only digitally signed macros from trusted sources are allowed to run.

For more information about Security Protection, click Microsoft Word Help on the Help menu, type "Security" in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.

IMPORTANT NOTE: Authentication and verification of digital signatures requires Internet Explorer 4.x or later. On systems that cannot perform authentication, you should always disable macros when you are not certain of their purpose or functionality. By choosing to disable the macros, you prevent this and any macro virus from running, rendering them harmless. The virus is only activated if you open the attached Word document and choose to enable the macros or if your macro Security Level is set to Low.

How do I ensure the Word 2000 macro virus protection is turned on?

Double-click the Tools menu, point to Macro, and then choose Security.

Select the level of security you want. High security allows only macros that have been signed to open. Unsigned macros are automatically disabled. Medium security always brings up the macro protection dialog box that allows you to disable macros if you are unsure of the macros.

IMPORTANT NOTE: If you are not able to follow the steps above because you cannot find the menu items, your computer may already be infected. If so, run anti-virus software containing the latest update and scan your system often. Support for this particular virus is already available from a number of anti-virus vendors. If you are not able to run anti-virus software, it will be necessary to delete or rename your Normal.dot file. This is the Word global template that is automatically recreated after Word is started. After this is done, repeat the steps above.
For additional information about deleting or renaming the Normal.dot template, please see the following article in the Microsoft Knowledge Base:

Q181079 WD97: What to Do If You Have a Macro Virus

How do I ensure my computer will not become infected?

Ensure the Office macro security levels are set High or Medium as described above. Always choose Disable Macros when asked, if you are unsure of the purpose of the macro in the document. Doing so still allows you to open the document and read its contents.

Run the latest anti-virus software, and scan often. This is how you can ensure that the macros in documents are safe. Disinfectors for this particular virus are already available from a number of anti-virus companies. Also remember to keep your anti-virus software up to date by installing the latest signature files for that company. (Most companies creating anti-virus applications release a new signature file each month.)

For additional information about a utility to sanitize the Exchange Server information stores, please see the following Microsoft Knowledge Base article:

Q224436 XADM: Word Macro Virus Alert "Melissa Macro Virus"

What should I do if my computer has been infected by this virus, or I think it has been infected?

Run anti-virus software containing the latest update, and scan your system often. Support for this particular virus is already available from a number of anti-virus companies.

Ensure your Office macro security levels are enabled at High or Medium levels. After the virus has been allowed to run, it will disable the virus protection in Word. Remember to make sure Office security is enabled at these levels by performing the steps listed above.

What if I have more questions about macro viruses?

Visit the Microsoft anti-virus Web site to learn more about macro viruses.

For additional information about macro viruses, the "Melissa" virus, and vendors of anti-virus software, please see the following articles in the Microsoft Knowledge Base:

Q49500 List of Anti-Virus Software Vendors

Q163932 WD97: Frequently Asked Questions About Word Macro Viruses

Or try the following Web sites:

Office Update - Anti-Virus Center

Office Update - Word Macro Virus Alert

CERT - Computer Emergency Response Team

FBI - Federal Bureau of Investigation

CIAC - Computer Incident Advisory Capability

NIPC - National Infrastructure Protection Center, and the FBI.

Additional query words: infected disinfect protect protected infect prank


Keywords          : kbdta wd2000 
Version           : WINDOWS:2000,98
Platform          : WINDOWS 
Issue type        : kbinfo

Last Reviewed: May 13, 1999