What is it?

The W97M/Melissa virus is also known as W97M/Mailissa. It is a Word 97/Word 2000 virus that can use Outlook to increase its spread. This virus infects the class module, similar to the W97M/Class virus.

News:

Recently there have been stories about Melissa spreading under the RTF extension. The Rich Text Format cannot contain macros; however, not every document with the RTF extension is a Rich Text Format file. If a doc file is renamed to rtf, the macros inside will still be activated when the file is opened in Word. The WM/CAP virus uses this trick. It will intercept a request to save a file as RTF, and save it as an infected template with the RTF extension. Before CAP, virus scanners didn't scan files with the RTF extension.

There has recently been speculation that the CAP virus has been responsible for documents infected with Melissa being renamed to RTF. In my tests, Melissa samples exposed to CAP were sterile. They did not run. Instead, they displayed the message "Word could not fire event" when opened, and Melissa did not run at all.
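The extension trick described above can be caught by looking at a file's leading bytes instead of its name. The following is an added example, not part of the original page or of any scanner it mentions; the function names and sample inputs are constructed for illustration.

```python
import os

# Magic bytes: OLE2 compound file (native Word 97/2000 .doc/.dot) and RTF.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

def sniff_format(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"

def check_file(name: str, head: bytes) -> dict:
    """Compare what the extension claims with what the content is."""
    ext = os.path.splitext(name)[1].lower()
    actual = sniff_format(head)
    return {
        "name": name,
        "actual": actual,
        # An .rtf name on an OLE2 container is the renamed-document case.
        "disguised": ext == ".rtf" and actual == "ole2",
        # The scan decision follows content, never the extension.
        "scan_for_macros": actual == "ole2",
    }

def check_path(path: str) -> dict:
    """Same check for a file on disk; only the first 8 bytes are read."""
    with open(path, "rb") as fh:
        return check_file(os.path.basename(path), fh.read(8))

# Constructed sample inputs (headers only, no real documents).
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi Hello}",
    "LIST.DOC": OLE2_MAGIC + b"\x00" * 24,
    "renamed.rtf": OLE2_MAGIC + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data[:8]))
```

A genuine RTF file is reported as not needing a macro scan, while the renamed container is flagged as disguised and still queued for scanning.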

Spreading By E-Mail

If a user opens an infected document in Word with macros enabled, the virus will run. It checks if the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? contains the value "... by Kwyjibo". If it doesn't, then it opens Outlook (not Outlook Express). Outlook doesn't have to be running when you open the document in Word; it only needs to be installed on the computer and configured to access your mail server. Then it sends the current document to up to 50 people in your Outlook address book. If there is a mailing list in the first 50 addresses, it will be sent to everyone on the mailing list. The message has the subject "Important Message From [UserName]", the body "Here is that document you asked for ... don't show anyone else ;-)" and carries the infected document as an attachment. Then it sets the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?" to "... by Kwyjibo", so it will only perform the Outlook spreading once per computer.
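The subject, body and attachment described above are enough for a simple mail-gateway check. This is an added example, not code from the original page; the function names and the sample messages are constructed, and the attachment test assumes the document is a native Word (OLE2) file.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECT_PREFIX = "Important Message From "
BODY_MARKER = "Here is that document you asked for ... don't show anyone else ;-)"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # native Word container

def melissa_indicators(raw: bytes) -> list:
    """Return the indicators present in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Collapse whitespace so re-wrapped bodies still match.
    if BODY_MARKER in " ".join(text.split()):
        hits.append("body")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Judge the attachment by content, so a .rtf name does not hide it.
        if data.startswith(OLE2_MAGIC):
            hits.append("word-attachment:" + (part.get_filename() or "?"))
    return hits

def build_sample(subject, body, attach_name=None, attach_data=b""):
    """Construct a test message (constructed data, not a captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_data, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    fake_doc = OLE2_MAGIC + b"\x00" * 32
    print(melissa_indicators(build_sample(
        "Important Message From Jane Doe", BODY_MARKER, "LIST.DOC", fake_doc)))
    print(melissa_indicators(build_sample("Lunch?", "See you at noon.")))
```

Because the virus mails whatever document is currently open, the attachment name varies; the subject and body strings are the stable part of the match.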

Spreading in Word

When an infected document is opened in Word, it infects the normal template using a method similar to the ColdApe virus. It spreads to other documents like a normal macro virus, and it will resave the document so the user doesn't get the Word prompt "Do you want to save changes..." When an infected document is opened, it first checks the registry for the key that controls Word 2000 macro virus protection. If it's found, it disables the Word 2000 "Macro Security..." command and sets the security to the lowest level. Otherwise, on Word 97 it disables the "Tools Macro" menu command and turns off Word's Virus Protection, turns off Prompt to Save NORMAL.DOT, and turns off Confirm Conversions. If a user has the Word 97 virus protection turned on, they will get the macros warning; if they unwisely choose to enable macros, virus protection will be turned off until the user turns it back on. It does not use any backdoor to Word's virus protection, such as the "Active Template" problem. Since it consists of a macro called Document_Open in documents and Document_Close in the Normal Template, it will infect NORMAL.DOT when an infected document is opened and spread to other documents when the document is closed.

Payload

If the current day of the month equals the current minute (i.e. 8:27 on March 27), then it will insert the text
" Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
into the document.

It also contains the comments:

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

Virus Spread

This virus was originally posted to alt.sex on March 26 as a list of X-rated sites called LIST.DOC. Therefore, the copies being e-mailed around are usually a Word document containing X-rated sites. Since this virus can also spread to other documents, any Word 97/2000 document with any name can be infected with this virus and sent to nearly everyone on your address book.

Some people have speculated that this virus was created by spammers to advertise the X-rated sites on the list. This is extremely unlikely since this virus was designed to spread to other documents.

Also, it can affect any type of mail server. If 50 people each send it to 50 other people, then that's 2,500 messages. If they send to 50 other people, that's over 1,250,000 messages, enough to overwhelm anybody's server or mailbox. That's assuming that everyone has at least 50 contacts and everyone opens the attachment and has Outlook, which is unlikely to say the least. If it is sent to mailing lists there could be even more messages produced. The point is that a lot of messages can be produced in a short period of time.

Removal

MVK 97 can remove this virus and other Word 97 viruses automatically. Since it uses the same infection method as W97M/Class, it will be detected and removed by MVK as a "Class type virus".
