Melissa Macro Virus Alert
ID: Q224436
The information in this article applies to:
- Microsoft Outlook 98
- Microsoft Word 97 for Windows
SUMMARY
The Melissa Word macro virus has the ability to spread rapidly and, under some circumstances, to send sensitive documents outside of the organization. If the volume of generated mail is large enough, the Melissa virus can create a mail storm that can seriously impact your business' systems.
MORE INFORMATION
What Is It and What Does It Do
If an antivirus solution is not in place when a user opens an infected Word document using Word and the user then enables macros, the Melissa macro will start and perform several unwanted actions on the user's computer:
- It lowers macro security settings.
- It adds its own registry setting.
- It infects the Word Normal.dot template file.
- If able, it sends e-mail message copies of itself to the first 50 entries of every MAPI address book the user has configured.
Originally, the virus was spread in a file attachment called List.doc, which contained references to pornographic Web sites. However, users may see their own documents going out as attachments because the infection can also be passed on through an infected Normal.dot template.
E-mail is not required to spread the virus, although e-mail will account for the largest percentage of the spread. Simply sharing an infected Word document is enough.
It is important to note that opening an e-mail message containing a document with the virus does not launch the virus. The virus is started when the user opens the Word document and chooses to enable macros.
For more specific details, see your antivirus vendor's Web site. The References section of this article contains links to several anti-virus Web sites.
Combating the Virus
Alert and Educate Your Users
- Let your users know through whatever methods work best for your company that they should delete any messages with a subject line of "Important Message From username" where "username" is a variable based on who the virus's last victim was.
- If you open a mail message with the "Important Message From username" or any other subject and find an attachment and text saying "Here is that document you asked for ... don't show anyone else ;-)" you should not open the attachment, but delete the message immediately.
- Let your users know how to set up rules in their clients to automatically delete any incoming mail containing an attachment and "Important Message From" in the subject line.
- Tell your users how to verify the virus definition level of whatever antivirus software they are running at the desktop. Clearly communicate where and how to get updates that handle the Melissa virus.
Isolate and Clean Up
Shut down gateways and message transfer agents (MTA) to other sites or organizations until you can clean up possible infection within your organization or site, and be sure measures are put in place to intercept any future infected mail from passing through your systems.
Desktop Strategies
- Make sure that every desktop in your organization is running anti-virus software and has an updated virus definition that contains fixes for the Melissa virus. This will have the strongest impact of any step you can take, as it prevents any further spread whether by e-mail or simple file transfer. Most antivirus vendors posted updates within a half day of the first reported Melissa infection.
- Educate your users to disable all macros unless they must run a macro to get their work done.
For more details, please see the following address:
http://officeupdate.microsoft.com/articles/macroalert.htm
For more details on how macros work and how they can be controlled in the Microsoft Office environment, please see the following Microsoft Knowledge Base article:
Q224567 WD97: Word Macro Virus Alert "Melissa Macro Virus"
Server Strategies
- Because the virus sends mail to the first 50 users in each address book, 50 temporary null address book entries should be added to the top of the Global Address List and all other address containers which could be used for name resolution.
- All SMTP or other entry points to your messaging system should scan all inbound and outbound documents and attachments. If you have not yet implemented a solution at this level, you should temporarily drop your connections to prevent spreading the virus until a solution can be put into place.
Cleaning Up Melissa at the Exchange Server Computers
The following steps and tools are not long-term solutions but have been provided by Microsoft in the short term to provide temporary relief to systems until such time as more long-term solutions can be developed and implemented. These solutions and tools are provided "as is" without warranty of any kind. Microsoft strongly recommends that you fully back up any system before performing these operations.
Removing Melissa from Information Stores
You can remove mail messages that contain attachments and a subject line you supply from an Exchange information store by using the utility, Message Store Sanitizer (Mss.exe). You can obtain a copy at the following address:
ftp://ftp.microsoft.com/transfer/outgoing/bussys/premier/Melissa/MSS/
Removing Melissa from MTA Databases
If your Exchange MTAs are experiencing significant backlogs because of a mail storm caused by the Melissa virus, you can use the tools and procedure outlined at the address listed below to remove any Melissa mail that is currently in the MTA database.
ftp://ftp.microsoft.com/transfer/outgoing/bussys/premier/Melissa/MTA
Removing E-mail from Internet Mail Connectors
You can use the tools and procedures at the following address to pull Melissa e-mail messages out of various queues within your Internet Mail Connectors, although Microsoft recommends that you consider a more leveraged or longer term solution as described later in the article.
ftp://ftp.microsoft.com/transfer/outgoing/bussys/premier/Melissa/IMC
Intercepting Melissa Mail at Gateways
To prevent further spread of the Melissa virus, both internally and externally, you should implement some form of protection on all your mail gateways.
The Computer Emergency Response Team (CERT) has posted sendmail and other solutions. In addition, you should consult your antivirus vendor. Be sure any virus package you run against an Exchange Server is specifically Exchange-aware. Programs or versions that are not Exchange-aware have been linked to data corruption and performance issues on Exchange Servers.
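The indicators listed under "Alert and Educate Your Users" (an attachment together with "Important Message From" in the subject line, or the "Here is that document you asked for" text) can be checked on each message as it passes a gateway. The following Python is an added example, not Microsoft's or CERT's tooling and not part of the original article; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in this article, lower-cased for matching.
SUBJECT_MARKER = "important message from"
BODY_MARKER = "here is that document you asked for"

def _norm(text):
    """Collapse whitespace and lower-case so folded headers still match."""
    return " ".join(text.split()).lower()

def has_attachment(msg):
    """True if any MIME part (including a single-part message) is a file."""
    return any(p.is_attachment() or p.get_filename() for p in msg.walk())

def melissa_indicators(raw_bytes):
    """Return which of the article's indicators one RFC 822 message matches."""
    # policy.default decodes RFC 2047 encoded-word subjects before matching.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not has_attachment(msg):
        return []                      # the article's rule requires an attachment
    body = msg.get_body(preferencelist=("plain", "html"))
    try:
        text = body.get_content() if body is not None else ""
    except LookupError:                # unknown charset label: match on subject only
        text = ""
    hits = []
    if SUBJECT_MARKER in _norm(str(msg.get("Subject", ""))):
        hits.append("subject")
    if BODY_MARKER in _norm(text):
        hits.append("body")
    return hits

def build_sample(subject, body, attach):
    """Constructed test message; the attachment is inert placeholder bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content(body)
    if attach:
        msg.add_attachment(b"placeholder, not a real document", maintype="application",
                           subtype="msword", filename="sample.doc")
    return bytes(msg)

if __name__ == "__main__":
    demo = build_sample("Important Message From Alice", "Here is that document you asked for", True)
    print(melissa_indicators(demo))
```

A message that returns a non-empty list matches the characteristics described in this article and can be held for deletion; an empty list does not mean the attachment is clean, so antivirus scanning at the gateway is still required.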
Cleaning up Melissa at the Desktop
Your users can use the Microsoft Client Side Scanning Software version 1.0 to set or reset macro warnings, modify Normal.dot if needed, and scan their local .pst files.
The utility is used only for scanning and detection purposes for the specific Melissa virus characteristics. Individual users must run it as the utility relies on a user messaging profile to access client-side mail stores.
Important: This software inspects your client-side mail stores for the characteristics of the Melissa virus. It will set the registry settings for macro warning to True when run. It will not delete, destroy, mark, or otherwise attempt to identify or alter individual objects in your personal mail store. This utility will either alert the user to the possible presence of a virus or provide a measure of confidence that the client mail stores do not contain attachments with the characteristics of the Melissa virus.
This is not a virus scanning utility. There is still a possibility that a virus matching the characteristics of Melissa might not be discovered. Microsoft encourages you to implement or update a commercially tested anti-virus desktop solution.
The utility is available from the Microsoft ftp site at:
ftp://ftp.microsoft.com/transfer/outgoing/bussys/premier/Melissa/PST
REFERENCES
For more information on this and other viruses, contact one or more of these resources.
CERT - Computer Emergency Response Team
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
FBI - Federal Bureau of Investigation
http://www.fbi.gov/nipc/w97melissa.htm
CIAC - Computer Incident Advisory Capability
http://www.nipc.gov/nipc/w97melissa.htm
NIPC - National Infrastructure Protection Center, and the FBI
http://www.ciac.org/ciac/bulletins/j-037.shtml
For a list of anti-virus software vendors and information on how to contact them, please see:
Q49500 List of Anti Virus Software Vendors
Version : WINDOWS:97
Platform : WINDOWS
Issue type : kbhowto
Last Reviewed: April 19, 1999