Macro.Word97.Melissa

This macro virus replicates under Word 8 and Word 9 (Office97 and Office2000), infects Word documents and templates, and sends copies of itself in email messages. The virus has a trigger routine, changes the system registry, and disables Word macro-virus protection.

The virus is able to spread to Office2000 (Word ver. 9) documents. This is possible because of the Office conversion feature: when a new Office version opens and loads documents and templates created by previous Word versions, it converts the data in the documents to the new formats. Macro programs in the files are also converted, including virus macros. As a result the virus is able to replicate itself under Office2000.

When the virus runs under Office2000 it performs an additional action: it disables (sets to the minimal level) the Office2000 security settings (anti-virus protection).

The virus code contains one module named "Melissa" with one auto-function in it: "Document_Open" in infected documents, or "Document_Close" in NORMAL.DOT (the global macros area). The virus infects the global macros area when an infected document is opened, and spreads to other documents when they are closed. To infect documents and templates the virus copies its code line by line from the infected object to the victim. When NORMAL.DOT is being infected, the virus names its program in the module "Document_Close"; when the virus copies its code from NORMAL.DOT to a document, it names it "Document_Open". As a result the virus installs itself into the Word application as soon as an infected document is opened, and affects other documents only when they are closed.

To send its copies in email messages the virus uses the VisualBasic ability to activate other Microsoft applications and use their routines: the virus gets access to MS Outlook and calls its functions. The virus gets the addresses from the Outlook database and sends a new message to all of them. This message has:

Message body: "Here is that document you asked for ... don't show anyone else ;-)"

The message also has an attached document (needless to say, it is infected): the virus attaches the document that is currently being edited (the active document). As a side effect of this way of spreading, the user's documents (including confidential ones) can be sent out to the Internet.

The virus sends infected emails only once. Before sending, the virus checks the system registry for its ID stamp:

HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"

If this entry does not exist, the virus sends emails from the infected computer and then creates this entry in the registry. Otherwise the virus jumps over the email routine. As a result the virus sends infected email messages only once: on subsequent attempts it locates the "Melissa?=" entry and skips the email routine.

The virus also has a trigger routine that is activated if the current day number is equal to the current minutes, each time the virus macros get control. This routine inserts the text into the current document:

The virus has the comments:

WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
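A defender-side check for the registry ID stamp described above, as an added example that is not part of the original description: it scans a text registry export for the "Melissa?" value under Software\Microsoft\Office in any user hive. The sample export and its SIDs are constructed, and the function name is an assumption; since the virus creates the entry only after sending, a hit means the mailing routine has already run for that user.

```python
import re

# Key suffix and value name of the ID stamp, as given in the description above.
MARKER_KEY = r"\Software\Microsoft\Office"
MARKER_VALUE = "Melissa?"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" string values; backslash escapes are allowed in both parts.
STR_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping of backslashes and quotes inside a quoted string.
    return re.sub(r"\\(.)", r"\1", s)

def find_melissa_marker(reg_text):
    """Return (key, data) for each user hive whose Office key holds the stamp."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            continue
        val = STR_RE.match(line)
        if not (val and current):
            continue
        # Exact key only (HKEY_CURRENT_USER or HKEY_USERS\<SID>), not subkeys;
        # registry key and value names compare case-insensitively.
        if (current.lower().endswith(MARKER_KEY.lower())
                and unescape(val.group("name")).lower() == MARKER_VALUE.lower()):
            hits.append((current, unescape(val.group("data"))))
    return hits

# Constructed sample export (made-up SIDs), not taken from a real system.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Office]
"Unrelated"="clean profile"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Office\Common]
"Melissa?"="subkey, must not match"
"""

if __name__ == "__main__":
    for key, data in find_melissa_marker(SAMPLE_EXPORT):
        print(f"ID stamp found under {key}: {data!r}")
```

The function expects the export already decoded to text; an absent stamp does not rule out infection, because the entry is written only once the email routine has completed.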