W97M/Melissa@MM

This page shows details and results of our analysis of the malware W97M/Melissa@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4117 (2001-01-24)

Updated DAT

4117 (2001-01-24)

Minimum Engine

5400.1158

File Length

Description Added

1999-03-26

Description Modified

2002-06-21

Malware Proliferation

Characteristics

Update January 31, 2001:
The Word97 format of this virus is identified by minimum engine 4.0.25 with 4021 DAT files. Due to the Office2001 variant, the minimum engine and DAT have been updated for this virus profile.

Update January 18, 2001:
McAfee AVERT has received samples of W97M/Melissa@MM in a new file format; this format is Word9 / Office2001 for Mac. Although this file format is specific to Mac Office2001, it can infect a host system running Office97, Office98 (also for Mac) and/or Office2000.

Customers using either Virex 6.1 with the January 2001 update or VirusScan Retail 5.15 with current DAT files do not require any updates. They already have the 4.1.30 engine, which is needed to detect and clean using the older DAT files, which were created long ago.

Detection and cleaning for this format were added to the 4117 DAT files, scheduled for release on January 24, 2001, and require engine 4.0.70 or greater. This engine is needed for the Mac variant, not for the regular Melissa virus.

The virus is not a Mac virus; it is a macro virus. It can spread on a Mac, and on a PC it replicates as a regular macro virus. It does not mass-mail on a Mac; it does on a PC. Concerned users can inquire with McAfee AVERT for update information and for EXTRA.DAT availability; refer to localized contact information.

-------------------------------------------------------------------

This is a macro virus for Word97 documents and templates, and is also famous for its use of email propagation through MS Outlook. This virus was first posted to several newsgroups on March 26, 1999. It will infect Office97 systems which have been updated to SR1 and above.

This virus performs a self-check: it looks for a setting in the registry to test whether the system has already been infected. It also sets the macro security level to low in Office2000. If the value

HKCU\Software\Microsoft\Office\9.0\Word\Security\"Level"

is not null, the code disables the "TOOLS/MACRO/SECURITY" menu option in Word2000. Otherwise, the Word97 menu option "TOOLS/MACRO" is disabled.

This virus creates an Outlook object using Visual Basic instructions and reads the list of members from the address book. An email message is created for the first 50 recipients on the list, with the subject "Important Message From " followed by Application.UserName and the body text "Here is that document you asked for ... don't show anyone else ;-)". The active infected document is attached and the email is sent. The content of the document is a list of pornographic web sites.
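The message traits described above can be checked on stored mail. The following is an added example, not part of the original analysis or of any McAfee tool: it parses a raw RFC 5322 message and reports which of the subject, body and Word-attachment traits are present. The function names, the sample addresses and the .doc/.dot extension check are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for ... don't show anyone else ;-)"

def norm(text):
    """Lower-case and collapse whitespace so folding or wrapping cannot hide a marker."""
    return " ".join(str(text).split()).lower()

def melissa_indicators(raw_message):
    """Return which of the traits described above appear in one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if (norm(msg.get("Subject", "")) + " ").startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in norm(body.get_content()):
        hits.append("body")
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    if any(name.endswith((".doc", ".dot")) for name in names):  # assumed extensions
        hits.append("word-attachment")
    return hits

def build_sample(subject, body, filename=None):
    """Build a constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_string()

# Constructed samples for illustration, not captured traffic.
SAMPLE_SUSPECT = build_sample(
    "Important Message From Constructed User",
    "Here is that document you asked for ... don't show anyone else ;-)",
    "list.doc")
SAMPLE_BENIGN = build_sample("Quarterly numbers", "Figures attached.", "q3.pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, melissa_indicators(raw))
```

A message that shows all three traits warrants scanning of the attachment with current engine and DAT files; a single trait on its own is only a lead.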

This virus creates an entry in the registry:
HKCU\Software\Microsoft\Office\
"Melissa?" = "... by Kwyjibo"

Comments inside the macro virus which are never shown:

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
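The registry changes described above can be checked on a host before and after cleaning. The following is an added example, not part of the original analysis or of any McAfee tool: it parses the text of a registry export and reports the infection marker and a lowered Word 2000 macro security level. The function names and the sample exports are constructed, and the reading of "Level" as a DWORD where 1 means low is an assumption not stated on this page.

```python
import re

# Key paths from the page, with HKCU expanded to the name used in .reg exports.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
LEVEL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group(1).lower()] = match.group(2)
    return keys

def melissa_registry_findings(text):
    """Return the registry traits described above that are present in the export."""
    keys = parse_reg(text)
    findings = []
    if "melissa?" in keys.get(MARKER_KEY.lower(), {}):
        findings.append("infection-marker")
    level = keys.get(LEVEL_KEY.lower(), {}).get("level", "")
    # Assumption (not stated on the page): Level is a DWORD and 1 means "low".
    dword = re.fullmatch(r"dword:([0-9a-f]{1,8})", level.lower())
    if dword and int(dword.group(1), 16) == 1:
        findings.append("macro-security-low")
    return findings

# Constructed exports for illustration, not captured from a real host.
EXPORT_INFECTED = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
'''
EXPORT_CLEAN = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
'''

if __name__ == "__main__":
    print(melissa_registry_findings(EXPORT_INFECTED))
    print(melissa_registry_findings(EXPORT_CLEAN))
```

Running the check again after cleaning shows whether the marker is gone and whether the macro security setting still needs to be restored by hand.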

Symptoms

Sending email messages via Outlook as mentioned above, text inserted into documents as mentioned above, macro warning when opening infected documents on a non-infected system, registry modifications as mentioned above.

Method of Infection

Opening infected documents will directly infect the local Word environment and any document used thereafter.

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

W97M/Melissa.o
W97M/Melissa.gen@MM
W97M/Melissa.bp@MM