Wired! Philippines




by: Shery Ma Belle Arrieta iamshery@msc.net.ph


The Beatles had Michelle; Bread had Aubrey; Toto had Lea; and Ritchie Valens had Donna. Sweet songs with sweet girls. And now more recently, Melissa. But unlike Michelle, Aubrey, Lea and Donna, Melissa isn't the title of a song nor even as sweet as her name sounds. She's deadlier than you think. To the cyberdudes/dudettes, Melissa is yet another scary macro virus to hit the Internet in recent times.

Watch out for Melissa!

Last March 26, the macro virus Melissa hit the Internet. Some thought the Melissa virus threat was yet another hoax but a couple of days after it hit, it was proven that she is indeed real. There weren't that many tell-all-your-friends-about-Melissa email warnings and this is probably one of the signs that the Melissa virus threat is real and unlike the other email hoaxes and scares that have circulated over the Internet.

According to a security alert from Microsoft, the Melissa virus is a Microsoft Word 97 or Word 2000 macro virus that is delivered via email in an attached Word document. The email contains the subject line "Important Message From "UserName." This email may contain the words, "Here is that document you asked for ... don't show anyone else ;-)" in the body of the message. If the attached Word document is opened and the macro virus is enabled or is allowed to run, then the virus propagates itself by sending email with the infected document to a number of people in your address book. The Melissa virus reads the list of addresses from Outlook's Global Address Book and then sends an email message to the first 50 recipients programmatically, one at a time.

About a week after Melissa hit and wreaked havoc in systems around the world, a 30-year-old computer professional suspected of creating the Melissa computer virus was arrested. David Smith of Eatontown, New Jersey was arrested after a lawyer for America Online tipped the police that the virus was traced back to an AOL account. Smith was released on $100,000.00 bail and faces arraignment in Newark, New Jersey. If Smith gets convicted, he could get up to 40 years in jail and a $480,000.00 fine.


The macro virus that is Melissa

A macro is a series of commands to perform some application-specific task. Macros are designed to make life easier. For example, you may use macros to perform some everyday tasks like text-formatting or spreadsheet calculations.

Macros can be saved as a series of keystrokes (the application records what keys you press); or they can be written in special macro languages (usually based on real programming languages like C and BASIC). Modern applications combine both approaches; and their advanced macro languages are as complex as general purpose programming languages.

When the macro language allows files to be modified, it becomes possible to create macros that copy themselves from one file to another. Such self-replicating macros are called macro viruses.

The Melissa virus is a macro virus: it is a virus that uses an application's own macro programming language to distribute themselves. Macro viruses are different from other viruses because they do not infect programs. They infect documents instead.

Most macro viruses are written for Microsoft’s Word for Windows and Excel for Windows. However there are also macro viruses for Lotus AmiPro (APM/Greenstripe); and there are also multipartite viruses which infect DOS executables as well as Word for Windows documents (Anarchy.6093, for example).


Macro viruses will work on any machine which runs Word for Windows or Excel for Windows - IBM PC, Macintosh and DEC Alpha computers. Moreover, these applications will run under different operating systems - Windows 3.x, Windows 95, Windows NT, MacOS and SoftWindows. And many macro viruses spread successfully on very different types of computers. They are application-specific -- all they need is Word for Windows or Excel for Windows.


A short trip down to the macro virus memory lane

Melissa is only one of the many macro viruses that have sprung up over the years. Like humans and any other living species, macro viruses evolve too.

Melissa's ancestor is traced back to December 1994 when a researcher named Joel McNamara wrote the first real macro virus. He wrote it for demonstration purposes. It was called DMV (Document Macro Virus). There were two viruses written: DMV for Word for Windows and DMV for Excel for Windows. The samples were used to demonstrate the possibility of macro viruses under these platforms.

The first ‘in the wild’ macro virus appeared in the summer of 1995. This virus (perhaps written by one of Microsoft’s employees) was the infamous WM/Concept. This became the most widespread virus ever. The comment within the body of the virus says ‘That's enough to prove my point’. After the appearance of WM/Concept, the world saw other macro viruses within a couple of months - WM/Nuclear, WM/Hot, WM/Colors and WM/Atom.

By the end of May 1997, there are already more than 1,800 macro viruses. On the average, five new macro viruses appear each day.


A day in the life of a macro virus

The life-cycle of the great majority of Word for Windows macro viruses starts of fwhen the macro virus in a document being loaded gets control. This is usually via auto macros or macros which are executed automatically at a specific time (such macros are AutoOpen, AutoClose, AutoExec and AutoExit). The corresponding macro then copies all viral macros to the global template (on your, this is the NORMAL.DOT). The global template (the template that is used automatically when you load Word for Windows) contains user settings (for example, fonts used), shortcuts (key re-definitions) and can contain macros. If NORMAL.DOT contains an AutoExec macro, it will be executed when Word for Windows is started. And if NORMAL.DOT contains AutoClose it will be executed every time any document is closed.

Macro viruses do not necessarily have to infect the global template. Some macro viruses infect files directly. These macro viruses search for a ‘victim’ on a disk and infect it. WM/Snickers and WM/Ordo use the so-called MRU list (the Most Recently Used list is located at the bottom of the ‘File’ menu and usually consists of four items) to get the names of files to infect. Others drop their own template into the Word for Windows template directory (the WM/Eraser family, for example) and avoid changing the global template.

Some macro viruses are wise -- they use stealth. This means that measures to prevent easy viewing of the virus are implemented by the virus. Some macro viruses remove the Tools | Macro and File | Templates | Organizer items while others present the user with artificial empty dialog-boxes instead of real ones (which list all the virus macro names) to conceal the presence of alien [virus] macros.

Macro viruses also mate. When different macro viruses meet on one system, they may ‘mate’ or reproduce. WordBasic copies macros by name; and if the virus macro has been substituted by another virus, the new macro will be copied instead of the original. Such ‘mated’ viruses do exist and they replicate without problem, using macros taken from other macro viruses.

Macro viruses can also take macros from a set of legitimate macros in NORMAL.DOT. For example, many known macro viruses are the result of ‘mating’ between the ScanProt macro (an anti-WM/Concept macro released by Microsoft) and a macro virus.


So who's immune to Melissa?

You should ask yourself, "How can I be infected by this Melissa virus?" There are actually two groups of people affected by the Melissa virus and they are:

    1. any one who uses Microsoft Word 97 or Word 2000 with Microsoft Outlook 97, 98 or 2000. Your copy
      of Microsoft Word as well as any of the subsequent Word documents you create can be infected by the
      Melissa virus. The virus can change your Word settings so that it will be easier for your computer to be
      infected by this and other future macro viruses. And it uses your copy of Outlook to email the
      Melissa-infected Word files to 50 of your friends.
    2. any one who uses Microsoft Word 97 or Word 2000 with any other email program. Although Melissa will
      not automatically redistribute itself to your friends through your email program (redistribution only happens
      if you have Microsoft Outlook installed on your computer) -- the virus can still infect your copy of Microsoft
      Word as well as any subsequent Word documents you may create, and it can also change your Word
      settings to make it easier for your computer to be infected by this and future macro viruses. Once your computer is infected with the Melissa virus, any subsequent Word file you create and then share with
      others -- via email, floppy disk, FTP, and so on -- will contain the Melissa virus.


Protecting your computer against Melissa

Well, if you read the stories about Melissa, you'd find out that most of it were just hype and exaggerated descriptions of the virus. If you know how to protect your system against viruses, you'll discover that Melissa isn't as deadly as you think. PC World has an excellent article on How to Protect Yourself Against Melissa.

The first step into protecting your computer from the Melissa virus and any other viruses is by updating your virus definitions. Major anti-virus software manufacturers released a virus update that recognizes and removes the Melissa virus. Norton from Symantec and McAfee are anti-virus software companies where you can read the info on the Melissa virus. If you don't currently use anti-virus software, it is highly recommended that you install an anti-virus program now - and check for updates each week.

The second step is if you launch Microsoft Word, turn on the macro virus protection. If you're using Word 97, go to TOOLS --> OPTIONS, then click on the "GENERAL" tab. The "MACRO VIRUS PROTECTION" at the bottom of the list should have a check.

If you're using Word 2000, double-click on the TOOLS menu, point to MACRO, then choose "SECURITY." You will have options on the level of security you want. Opt for a high security and only macros that have been signed are allowed to be opened. Unsigned macros will be disabled automatically. Choose for a medium security and a macro dialogue protection box will always appear so that you will be able to disable macros if you are unsure of the macros.

From that point onward, you should beware of all Microsoft Word files that contain macros, especially Word documents that are sent to you via email or even in a diskette. And NEVER double-click or launch ANY file, especially an email attachment until you first scan that file with your updated anti-virus program.


Melissa sightings

Along with the media hype on the Melissa virus, dozens of Melissa-related Web sites have sprung up like mushrooms overnight. If you want to read all the information about Melissa minus the exaggerations, there are two sites worth visiting: Woody's Office Watch and ZDNet's The Not So Lovely Melissa Virus .

Microsoft has a Melissa virus alert page at http://officeupdate.microsoft.com/articles/macroalert.htm so this is probably another good place for you to read all about the virus.

There are also several other sites you can visit if you'd like to read more information about Melissa: http://www.msnbc.com/news/253803.asp and http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .

You can read about the complete history of the Melissa virus as well as some remedies. You can visit
http://www.zdnet.com/zdnn/special/melissavirus.html , http://www.wired.com/news/news/technology/story/18790.html , and http://news.bbc.co.uk/hi/english/sci/tech/newsid_307000/307162.stm .



Articles in WIRED! Philippines are copyrighted by the authors.
WIRED! Philippines is a monthly online magazine published and hosted by KabayanCentral.com
Copyright 1999 KabayanCentral.com. All rights reserved.