A macro virus
written in Visual Basic for Applications
which was attached
to a Microsoft Word document
attached to an e-mail message
in the last week of March
What the Virus Looks Like
The message has a subject line of "Important Message from X" where X is the name of the sender of the message. The message body has just the single line "Here is that document you asked for ... don't show anyone else ;-)", and by having so little text, entices people to open the attachment. In its initial form, the attachment is a list of pornographic web sites, but if a user ran Melissa while another document was open in Word, it is possible for that document to get sent instead.
In addition, copycat versions of the virus which use a different subject line, message body, and/or Word document attachment, but the same essential virus code have been seen, though none of these spread nearly as far and wide as the original.
How the Virus is Activated
Users who open the attached document in Word 97 or Word 2000 and enable macros when prompted (or who have "Macro Virus Protection" turned off) will unwittingly execute the virus as the document opens.
The Virus "Payload"
When Melissa runs, it does three main things.
- It installs itself on your computer, modifying a couple files and making registry entries, so that it will infect every Word document you produce.
- It turns off "Macro Virus Protection" so you won't realize something is wrong by seeing that enable/disable macros dialog box every time you open a document.
- When it first infects your computer, if you have any of the variants of Microsoft Outlook installed, it reads the first 50 addresses from the Address Book (or all of them, if there are less than 50) and mails itself to those people. In this sense, it is similar to the Internet Worm.
At a lot of companies, including my own, the default Address Book is a company-wide shared address book, and in some cases there is an "all employees" mailing list among the first 50 addresses, so it can easily replicate across an entire company, even one with far more than 50 employees.
Those occasional users who use their own address book as a primary address list then allow it to escape the company and go on to their friends elsewhere.
In some cases, the sheer volume of e-mails crashed mail servers, and in many cases the high mail load alerted admins quickly that something was going wrong.