e-v-mail

Korova Multimedia

Updated info!
08/01/2001

CERT Advisory CA-99-04

CIAC Bulletin J-037

Hoax du Jour tips on protecting yourself against "Melissa"
(updated April 04, 1999!)

Microsoft:
"Word Macro Virus Alert (Melissa)"
"Word 97 Template Vulnerability" Bulletin
Word 97 Template Security Patch

Microsoft Knowledge Base:
No Macro Warning Opening File Attached to Template
FAQ About Word Macro Viruses
What to Do If You Have a Macro Virus


Public links to this specific article:
http://www.korova.com/virus/hoax990329.htm
About the "Hoax du Jour"

The "Hoax du Jour" is a recurring column providing updated information and commentary on the Internet community. It is a feature of Korova Multimedia's "e-v-mail" page.

What is a "hoax du jour?" With the advent of widespread use of the Internet as a medium for sharing information, the phenomenon of sharing misinformation has exploded. Conventional urban folklore and propaganda have blossomed on the Internet. Intentionally misleading information is broadcast on a professional and personal level.

On the Web, misinformation wants to be free. It also likes to be free of authenticity and corroboration, when such grounding deflates the credibility of the content.

The result? Naive users of the Internet are subjected to a daily barrage of data that are erroneous, slanderous, and sometimes even destructive. This page is dedicated to discussing intentional misinformation, or 'Net hoaxes.

Disclaimer The opinions expressed here are entirely my own, and do not reflect policy or intentions of any persons, groups or companies referred to or linked from this site. I, my guest writers, or Korova Multimedia are not responsible for content or sites linked to from the "Hoax du Jour" column.


March 29, 1999     

"Measure by measure, drop by drop
And pound for pound we're taking stock
Of all the treasures still unlocked…"

Echo and the Bunnymen, "Never Stop"

The dust has hardly settled on Network Associates Inc.'s (NAI) charge onto the Internet, heralding danger to the entire 'Net with the WinNT worm, "Remote Explorer." (See my previous "Hoax du Jour," Remote Explorer of My Eye.) NAI was at it again last Friday, beating the bushes (and media reporters) with the hysterical news that a malicious "e-mail virus" was threatening the computing world.

Epidemic virus infects corporate e-mail
'Melissa' virus wreaks havoc with company e-mail.
March 26, 1999 6:07 PM PT; updated 6:42 PM PT

"The proliferation of this virus is something we've never seen before," said Srivats Sampath, a general manager at Network Associates. He said that 60,000 people at one company had been affected. He refused to identify the company.

Mary Jo Foley, Sm@rt Reseller
Lisa M. Bowman, ZDNN

The surprise is that the virus, "Melissa" ("W97m/Melissa"), is actually no hoax. In my opinion, it's an inspired Word template macro virus ... with a very clever payload.

Last Friday, March 26, 1999, Network Associates Inc. (formerly McAfee Associates) informed MSNBC, ZDNET, and other media outlets of an e-mail attachment virus which was attacking Microsoft, Intel, and various other unnamed corporations. Allegedly, Microsoft shut off its mail servers to prevent a complete "denial of service" shutdown of their Exchange servers, and to halt further spread of the virus. Waggener Edstrom, Microsoft's PR firm, also experienced problems.

Trend Micro and Symantec also jumped into the fray, confirming that numerous contacts had been experiencing overloads of Exchange mail servers.

Email virus spreading rapidly
March 26, 1999, 5:20 PM PT

"We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at Trend Micro. "It's spreading extremely quickly. Twenty major corporate sites have called us."

... Network Associates estimated the virus has already hit hundreds of thousands of computers.

By Stephen Shankland, staff writer,
CNET News.com

By Saturday, March 27, CERT (Carnegie Mellon's Department of Defense-funded computer security team, the Computer Emergency Response Team) had identified the virus, and developed a fix. CERT issued an advisory about the virus, only the second advisory the team has issued for a virus since it was founded ten years ago.

Experts at Carnegie Mellon University warn of new computer virus
March 27, 1999 4:58 PM EST

CERT first heard of the virus Friday afternoon and its members worked through the night to analyze the virus and develop a fix, CERT manager Katherine Fithen said.

"We're getting so many reports from across the world, that we know this is going to be a huge problem come Monday," Fithen said.

The Associated Press, on CNN.com

Katherine Fithen couldn't confirm in her interview if she knew of government sites that had been hit. No problem! The Department of Energy's CIAC bulletin about "Melissa" on Saturday openly acknowledged that several DOE sites had detected the virus on their systems. "A new Word 97 macro virus named W97M.Melissa has been detected at multiple DOE sites and is known to be spreading widely."

CIAC Information Bulletin
J-037: W97M.Melissa Word Macro Virus

March 27, 1999 9:00 AM PT

Risk of infection is high. This virus is spreading widely within and without of the DOE complex. The risk of damage to your system is low because most users do not have macros in files and would be alerted by Word's macro detector. The risk of lost productivity and lost mail messages is high as mail servers may have to be shut down and purged of infected mail messages.


Where do you want to go today?

As documented in the CERT and CIAC alerts, "Melissa" isn't a vicious virus. In fact, other than its highly unusual "payload," it's not nearly as destructive as other file attachment macro viruses and Trojan programs.

What may not be made startlingly clear in the frantic news reports is that "Melissa" ONLY works in Word 97 or 2000. Systems WITHOUT Outlook may still be infected, but cannot automagically send the virus. "Melissa" doesn't exploit any new vulnerabilities.

In fact, according to Stephen Shankland's article on CNET, "Melissa" is not unlike a buggy little virus called "Share Fun" that emerged in 1997.

Alas, "Melissa" is far from buggy. Though Microsoft identified the security vulnerability in Word attachments sent via e-mail several months ago, apparently many sites have not implemented the free Word 97 Template Security Patch, WD97SP.EXE.

This is what has allowed Melissa to run rampant among corporate sites that depend on the combination of Word, Outlook and Exchange servers.

Based on a day's worth of crash course research, here's my summary of "Melissa's" modus operandi.

The user receives an e-mail, usually from a known contact:

SUBJ: Important Message From...

Here is that document you asked for ... don't show anyone else ;-)

The subject line, "Important message from..." ends with the sender's name. Pretty convincing, eh?

The attached Word file, LIST.DOC in most instances, contains a list of pornographic Web sites, and the "Melissa" macro code. The macro attaches its Visual Basic for Applications (VBA) module to the NORMAL.DOT template, and then blocks access to Word's Tools | Macro toolbar [source: CIAC, Woody's Office Watch newsletter].

It then disables some Word settings that can further interfere with macro viruses, "Confirm conversions at open," "Macro virus protection," and "Prompt to save Normal template" [source: CIAC].

Now active on the system, "Melissa" searches the Registry for a key indicating that "Melissa" has visited before. Finding none, it adds one,

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

with the value

"... by Kwyjibo."

The macro then ascertains the user's name from Application.UserName, which users enter into Word's profile, and creates an e-mail message addressed to the first 50 contacts listed in the user's Outlook address book (NOT Outlook Express). With this information, it sends a copy of the message, now identified as "Important message from {Application.UserName}," with the Word document attached.

A scary note from Woody's Office Watch newsletter (echoed in the CIAC bulletin): "Melissa" sends itself to 50 contacts from EACH of the address and contact lists you have access to in Outlook. Translation: your infection could result in 50, or 100, or 150, or 200 messages leaving with your name as the sender, depending on your Exchange server configuration. Eek!

Finally, it infects NORMAL.DOT by attaching itself to either the Document_Open or Document_Close commands, so that it can infect every Word document that a user works on subsequently.

Bonus payload: if the user happens to have a Word document open at a time when the minutes are equivalent to the date (say, 9:01 on April 1), it will copy a Bart Simpson quote into the file: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Cute, eh?
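The message traits summarized above (the subject prefix, the one-line body, and a Word attachment) can be turned into a mail-gateway check. This is an added example, not code from the original column or from any vendor: the function names, the three-way verdict and its thresholds, and all sample messages are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the column; compared case-insensitively because the
# subject appears as both "Important Message From" and "Important message from".
SUBJECT_PREFIX = "important message from"
BODY_MARKER = "here is that document you asked for"
WORD_EXTENSIONS = (".doc", ".dot")  # LIST.DOC "in most instances", so match by type


def melissa_indicators(raw_message):
    """Return which of the three indicators appear in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = " ".join(body.get_content().split()).lower()
        if BODY_MARKER in text:
            hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(WORD_EXTENSIONS):
            hits.append("word-attachment")
            break
    return hits


def verdict(hits):
    """Assumed policy: all three traits quarantine, attachment plus one trait is reviewed."""
    if len(hits) == 3:
        return "quarantine"
    if "word-attachment" in hits and len(hits) == 2:
        return "review"
    return "pass"


def _build(subject, body, attachment=None):
    """Build one constructed test message and return its raw bytes."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_bytes()


def constructed_samples():
    return {
        "melissa": _build("Important Message From Alice Example",
                          "Here is that document you asked for ... "
                          "don't show anyone else ;-)", "LIST.DOC"),
        "renamed": _build("Important message from Alice Example",
                          "See attached.", "report.doc"),
        # A forwarded warning quotes the body text but carries no attachment.
        "warning": _build("FW: VIRUS WARNING",
                          "Watch for mail saying: Here is that document "
                          "you asked for"),
        "ordinary": _build("Meeting minutes", "Minutes attached.", "minutes.doc"),
    }


if __name__ == "__main__":
    for name, raw in constructed_samples().items():
        hits = melissa_indicators(raw)
        print(f"{name:9} {verdict(hits):10} {hits}")
```

The forwarded-warning sample passes on purpose: a message that only quotes the text carries nothing to execute, while a matching subject with a renamed Word attachment is still held for review.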

Points to be determined later:

  • At this date, Outlook Express and other mail readers ARE NOT VULNERABLE [Source: CIAC].
  • User intervention is REQUIRED, namely by opening the Word attachment. Some mail programs may be configured to automatically open attachments. This would be BAD.
  • Though this virus is spread primarily via e-mail, an infected Word file may be transported by any other means (floppy, FTP, CD-ROM, Web site, etc.). The virus is just as likely to infect and send itself out via Outlook from a file acquired by means other than e-mail.
  • It hasn't been specified what danger exists for users of Word 98 for Macintosh, since Macs don't have a Registry consistent with Windows. It may be that Mac users can harbor the virus in infected Word documents.

"It's an e-mail virus! It's a worm!"
No ... it's a SPAM 'BOT.

    "Security experts" are debating whether "Melissa" is a new, horribly fiendish macro virus, or a very clever network worm. (Antivirus developers always have a stable full of "experts" whom they wind up like so many Chatty Cathys for an appreciative audience of reporters.) Again, see my previous column, Remote Explorer of My Eye, for a discussion of Internet worms.

    Apparently even the macro's author was conscious of this issue; the macro contains these gleeful comments in its VBA code:

    'WORD/Melissa written by Kwyjibo
    'Works in both Word 2000 and Word 97
    'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
    'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

    By Sunday, I was engaging in a playful argument with two gentlemen far more qualified than I to analyze virus alerts, Rob Rosenberger (webmaster of the Computer Virus Myths home page) and George Smith (editor of The Crypt Newsletter, and author of The Virus Creation Labs). Between us, we've discussed whether this is possibly the work of a spammer promoting a series of adult Web sites ... or if the URLs are simply "sucker bait," inserted to entice users to open the document, and perhaps manually redistribute it to friends.

    This last point gave me an idea.

    Like a worm, this virus has had such success at some sites, that mail servers have been experiencing very real "denial of service" crises. Unlike a worm, the virus doesn't communicate with other "segments" on connected computers or servers.

    Nor is this another "e-mail virus" that "Good Times-style" hoaxes purport to warn us about -- with a very few exceptions, you still can't get a virus just by reading a message. "Melissa" does not represent a major breakthrough in virus authoring.

    But IT DOES represent a marvelous evolution in the realm of chain e-mail and "Forwardables." As I discuss in my "e-v-mail" page, "Forwardables" are messages that rely on the USER'S faulty sense of skepticism, and inclination to send the e-mail to as many people as possible. But until now, manual intervention has always been required, in the form of a user falling victim to the embedded "thought virus" and clicking a FORWARD button.

    This is clearly not the case with "Melissa." Once the Word file has been opened, the chain e-mail, or "spam," is sent from the user's computer without any manual intervention.

    ... "Melissa" may well be the first heuristic, autonomic, self-regenerating SPAM 'BOT.


    "Open the pod bay doors, please, Hal."

    In more ways than one, "Melissa" reminds me of the HAL-9000 super-computer in Stanley Kubrick's masterpiece, 2001: A Space Odyssey. HAL, as you may recall, was caught in a deception by the Discovery's mission commander, Dave Bowman, during an informal chat. Reacting quickly, HAL fabricated a false warning about a component of the ship's communications system failing within 72 hours ... unless the ship's crew conducted an EVA to retrieve and replace the AE-35 unit. When they did so, and found nothing wrong with it, they considered HAL at fault.

    During a subsequent repair attempt, HAL murdered Frank Poole (the ship's second in command), shut down the life support systems of three hibernating survey team members, and trapped Bowman outside the ship. All while professing unrepentant devotion to the true mission of the Discovery, which HAL had been ordered to keep secret from the crew.

    Like Dr. Heywood Floyd's fountain pen floating inside the Space Clipper cabin, and the nuclear satellites orbiting the earth outside, HAL was a symbolic heir to the lethal bone that Moonwatcher hurled to the heavens after killing a rival man-ape. Like that bone (and the pen, and the bombs), HAL was an artifact which carried out man's desires to acquire and protect resources, information.

    Like HAL, "Melissa" seeks out secret information and protected resources, and then carries out its own ironic agenda.

    Unsolicited commercial e-mail, or e-j-mail (as I called it almost three years ago) is a deception that plays on irony. I receive e-j-mail daily, almost hourly, and I have yet to receive a message which is entirely candid about its origin and purpose. Generally, e-j-mail arrives with missives like "This is in response to your inquiry," or "You are on this list because you expressed interest...." Rarely are the mail headers in e-j-mail accurate. I'm sure that "Melissa's" LIST.DOC is no different from dozens of other underwhelming adult "spams" that I receive regularly.

    "Melissa" goes further than most e-j-mail, by removing any human intervention in its mission to deliver its payload to as many users as possible. It also spoofs the identity of the person who's been infected. As a "spam 'bot," it is almost ideally suited to its purpose -- if its true purpose is to only promote the sites listed in LIST.DOC,... which is doubtful.

    George Smith cautioned me that the porn URLs may only be "sucker bait" to entice users to open the document. This is an old trick, a device to deliver the virus. In such cases, the propagation of the virus is the ultimate goal. I concur. "Melissa" may be a "dry run" before a truly malicious version is unleashed. (Already, a copy-cat version called "Papa" has been reported.)

    Like HAL-9000 in the film, "Melissa" is a tool created by man, now self-reliant and proceeding on its own. Like HAL, it carries out its mission without supervision, with selfless abandon, completely independent of its creator. The author's intentions are, at the moment, a complete mystery.

    Like HAL, "Melissa" cannot be reasoned with. Only "disconnected."


    Protecting Yourself:
    -- From "Melissa"
    -- From Antiviral Hysteria

    Taking the podium and making an arrogant prediction,... I have no doubt that various "Melissa" warnings will mutate into reconstituted versions of "Good Times." No doubt.

    Mind you, it's not a matter of "who," or a matter of "how." Only a matter of "when." Last Friday, I received a warning about the "Happy99" file attachment ... a warning which fudged the details, and warned against opening the e-mail itself. I believe that the same will happen to "Melissa" before the week is out. By this morning, for example, CNN correspondents had been confusing technical details of "Melissa's" M.O. and warning readers who find the telltale e-mail, "don't open it."

    In the meantime, here are my first, best suggestions for anyone who is wary of "Melissa." Like all preventative cures, these steps require effort. They're worth it, trust me.

    1. If you receive an e-mail message like that described above, DON'T open the attachment. (Well, duh.)


    2. Don't open Word attachments and enable macros. Enable "Macro Virus Protection" (see below) and click DISABLE MACROS when you open Word attachments.


    3. As always, treat all suspicious file attachments with caution. When in doubt, delete it, and ask the sender what it was.


    4. Please resist the impulse to send out your own warning about this. The news is being spread just fine, thank you. Share the link to this page instead. (Don't worry about me, I can handle the bandwidth.)


    5. Several antivirus vendors have already posted vaccines and recipes for protecting yourself from "Melissa." Please review their sites. Again, share the links.




    6. If you're concerned about Word Template Macro viruses, download and install Microsoft's security patch on all your systems:

      • Review Microsoft's WD97SP.EXE page.
      • Install the Office 97 Service Release 2 (SR-2), if you haven't.
      • Install the security patch.
      • In Word, ensure that the Tools | Options | General | Macro virus protection setting is CHECKED. When you open a suspicious document, you'll be prompted about macros; click the DISABLE MACROS button.


    7. Follow the CIAC's recipe for protecting Word's main template, NORMAL.DOT, from insidious macros:

      To password protect the Normal.dot file in Word 97, perform these steps:

      1. Start Word.
      2. Choose the Tools, Macro, Visual Basic Editor command.
      3. In the Project window of the Visual Basic Editor, click on Normal.
      4. Choose the Tools, Normal Properties command, Protection tab.
      5. Check the Lock Project for Viewing check box and type in a password twice.
      6. Close the dialog box, close the Visual Basic editor.
      7. Quit Word.

      The next time you start Word, the normal.dot template will be protected.

      WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it.



    8. If you've made it this far, still paranoid, try my very cool method to protect yourself from unleashing Word macro viruses from Outlook e-mail messages. That's right, folks, open Word documents, in Outlook, with total confidence! Read on....
    9. Remap the default action for Word documents to Word 97 Viewer (tested in Windows NT):

      1. Download Microsoft's Word 97 viewer for Windows 95, 98 and NT. This freeware utility displays and prints Word documents WITHOUT running any macros.
      2. Install the Word 97 Viewer. If you already have Word 97 installed, Setup will warn you that making the viewer the DEFAULT application for Word files will interfere with your ability to use Word as your e-mail editor (WordMail). Select the option to open Word files in Word by default. Complete the Word Viewer installation.
      3. In Explorer, open the Options | File Types tab.
      4. Locate the "Microsoft Word Document" registered file type.
      5. Here's where you'll need to exercise due care. Click the EDIT button.
      6. You will probably see the "Open" command in bold, indicating that it is the default action. Identify the "WordView" command. Highlight that command, and click the SET DEFAULT button. Click OKAY as necessary to complete your changes.
      7. Now, when you right-click on a Word file, "Open" is not the default action. Opening the file in the Word 97 Viewer is. Select Open manually to edit Word files.
      8. In Outlook 98, double-clicking (or opening) a Word file in an e-mail message will launch the file in the Word 97 viewer, not Word.


    10. In most normal contexts (say, double-clicking a Word file in Explorer), you can hold down the SHIFT key to stop any macros from running. This also works when you're creating a new document from a template. Just keep holding the SHIFT key down until the document displays.

      For some modicum of protection opening files with Word, you can modify the "Open" command to prevent running the usual "auto macros." Since some Word macro viruses (mind you, not all of them) will run themselves within one of the automatic macros (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit), you can open documents and avoid any functions that are associated with the macros.

      Again, a certain level of Windows expertise and caution is required to implement this hack.


      1. Follow the steps above for remapping Word files to the Word 97 Viewer, up to Step 8.E (the step where you click the EDIT button for the "Microsoft Word Document" file type).


      2. Identify the "Open" command in bold, and click the EDIT button.


      3. You should see the following text:

        "C:\Program Files\Microsoft Office\Office\winword.exe" /n


      4. Add the switch /m to this line so that it reads

        "C:\Program Files\Microsoft Office\Office\winword.exe" /n /m

      For more information on preventing automatic macros from running, ask the annoyware Word Assistant "Control what happens when you start Microsoft Word?", or search in the Visual Basic help for the topic "Auto Macros."
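As an added illustration (not part of the original column): a triage helper that lists which procedures in macro source text would start on their own, using the automatic macro names given above and the Document_Open / Document_Close hooks mentioned earlier. It assumes the VBA source has already been exported to plain text; the function name and both samples are constructed, and treating a module named after an auto macro with a Main procedure as an auto macro goes beyond what the page describes.

```python
import re

# Names taken from the column: Word's automatic macros, and the two document
# events "Melissa" attaches itself to in NORMAL.DOT.
AUTO_MACROS = {"autoexec", "autonew", "autoopen", "autoclose", "autoexit"}
DOCUMENT_EVENTS = {"document_open", "document_close"}

# A Sub declaration, optionally scoped. "End Sub", "Exit Sub" and
# "Declare Sub" do not match because the line must start with the declaration.
_SUB = re.compile(
    r"^\s*(?:(?:public|private|friend)\s+)?(?:static\s+)?sub\s+([A-Za-z]\w*)",
    re.IGNORECASE)
# Module name line as it appears in exported VBA source.
_MODULE = re.compile(r'^\s*Attribute\s+VB_Name\s*=\s*"([^"]+)"', re.IGNORECASE)


def autorun_entry_points(vba_source):
    """Return (line number, procedure, kind) for each self-starting Sub."""
    found = []
    module = ""
    for lineno, line in enumerate(vba_source.splitlines(), start=1):
        text = line.strip()
        # Skip comments so a commented-out declaration is not reported.
        if text.startswith("'") or text.lower().startswith("rem "):
            continue
        mod = _MODULE.match(line)
        if mod:
            module = mod.group(1)
            continue
        sub = _SUB.match(line)
        if not sub:
            continue
        name = sub.group(1)
        if name.lower() in AUTO_MACROS:
            found.append((lineno, name, "auto macro"))
        elif name.lower() in DOCUMENT_EVENTS:
            found.append((lineno, name, "document event"))
        elif name.lower() == "main" and module.lower() in AUTO_MACROS:
            # Word also treats Main inside a module named e.g. AutoClose
            # as that auto macro.
            found.append((lineno, f"{module}.Main", "auto macro"))
    return found


# Constructed, harmless samples.
SAMPLE_DOCUMENT_MODULE = "\n".join([
    'Attribute VB_Name = "ThisDocument"',
    "Private Sub Document_Open()",
    '    MsgBox "constructed sample"',
    "End Sub",
    "'Sub AutoExec()",
    "Sub Helper()",
    "End Sub",
    "Public Sub autoOPEN()",
    "End Sub",
])
SAMPLE_NAMED_MODULE = "\n".join([
    'Attribute VB_Name = "AutoClose"',
    "Sub Main()",
    "End Sub",
])

if __name__ == "__main__":
    for sample in (SAMPLE_DOCUMENT_MODULE, SAMPLE_NAMED_MODULE):
        for lineno, name, kind in autorun_entry_points(sample):
            print(f"line {lineno}: {name} ({kind})")
```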

    In closing, I'd like to ask you once more NOT to take it upon yourself to warn all your friends about "Melissa." If someone you know WARNS YOU, send them a link to one of the antivirus sites, above, or the link to this page. Also, read my "e-v-mail" page, and consider sending Aaron Lynch's CC: Contagion Correction e-mail as a reply.


© Copyright 1999 D.B. Spalding/Korova Multimedia. All rights reserved.
