MELISSA MACRO VIRUS
I. Background: What is a computer virus?
Unlike a biological virus, a computer virus doesn’t have a physical body. In fact, it is a computer program, which can replicate itself in the computer’s memory, storage, or over a network. Also, unlike a biological virus, which can automatically spread its copy to a host body, a computer virus needs execution from the user. Like their biological counterparts, there are both dangerous and benign computer viruses. Viruses that are dangerous are programmed to damage programs, delete files or reformat the hard disk. On the other hand, rarely, there are some kinds of viruses that do not harm the computer but notify the users of their presence by presenting text, video, or audio messages. Since a computer virus is composed of instruction codes, its activities are completely controlled by the programmer who has programmed it. There are tens of thousands of viruses operating in general internet today and new ones are discovered everyday. Among them, Melissa virus has been known as one of the most influential viruses till now.
II. Melissa virus:
1. History: How was Melissa virus discovered?
Melissa virus was written by David L. Smith in Aberdeen Township, New Jersey. The name “Melissa” was after a lap dancer the author encountered in Florida. The first Melissa infection case was reported on Friday morning, March 26, 1999. After this initial discovery, Melissa had spread all over the world within just hours, apparently spreading faster than any other virus before. As a result, many government and military agencies as well as multinational companies, including Microsoft and Intel, were overwhelmed by the virus. To respond to the public’s urge, the FBI launched the largest internet man-hunt ever. Finally, the author was arrested and sentenced to 10 years but served only 20 months in a federal prison and fined $5,000 USD.
What is Melissa virus?
Melissa is a macro virus. It spreads from users to users via email attachments. Candidates for infection are files that are macro-enabled documents in Word97 and later versions as well as Excel or any spreadsheet programs.
Originally, Melissa virus was posted in an on-line discussion group called alt.sex. The virus was kept inside a file called "LIST.DOC," which contained passwords that allowed access into 80 pornographic websites. When a user downloaded the file and opened it in Microsoft Word, the virus utilized Microsoft Outlook to e-mail the LIST.DOC file to the first 50 people listed in the user's address book. Since Melissa virus can only send its copies through e-mail by Outlook 98 and Outlook 2000 for Windows platforms, the virus does not send mass e-mail from a computer without the Outlook. The reason Melissa could easily propagate itself over the world in a short period of time was that most of the recipients were likely to open a document attachment as it usually came from someone they knew. Below is the pattern of an e-mail that contains Melissa virus
Instead of sending the LIST.DOC file, Melissa virus also may send out confidential information from the host computer without the user's notice. For example, a user sends an infected document A to his friend. His friend’s computer then will be affected. If this newly infected computer has MS Outlook, the virus will continue sending document A to other users whose addresses are in the address book. More seriously, this virus could cause a denial of service on mail servers.
Upon on entering the computer, Melissa spreads to the NORMAL.DOT document template. This is where Word stores all custom settings and default macros. By copying itself into NORMAL.DOT, Melissa ensures that the Word installation is infected and any documents or templates created will get the virus added. Moreover, the virus changes some MS Word settings, making it hidden from the user. Specifically, the "Macro virus protection," "Prompt to save Normal template," and "Confirm Conversion at Open" options are disabled. Finally, in the instance when the minutes of the current time match the date, for example at 4:26 P.M. on March 26, the virus will insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here" into a user's active document.
2. Current solutions:
What should the user do to prevent Melissa virus?
There are several ways that can avoid the user from being attacked by the virus:
a) The user should delete any e-mail that has the pattern described above
b) The user should disable macros in any product that contains a macro language, as this sort of problem is not limited to Microsoft Word. In Word97, the user can disable automatic macro execution by clicking on Tools/Options/General then turning on the 'Macro virus protection' checkbox. In Word2000, macro execution is controlled by a security level option (High, Medium, Low). In this case, the user should click on Tools/Macro/Security and choose High or Medium.
c) The user should configure his/her email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
d) The user should be aware of software that comes from the internet unless it has been scanned for viruses.
What should the user do if he/she is a victim?
The easiest way is using the anti-virus software. However, the software should be kept up to date with the latest definition files.
3. Future concerns:
Some systems rely solely on pattern matching to recognize the virus. For an instant or short period of time, such a method can be quick and effective. However, in the long term, it will fail as soon as the virus mutates. So far, some of the known Melissa virus’ offspring include Mad-cow, Papa and Syndicate. Melissa is relatively non-destructive and easily detected. However, its variants could be significantly more destructive or stealthy as hackers try to outdo each other.
Modern email programs, running on most current computers, can display much more than just plain text documents. Some programs can display colored backgrounds, graphics and special text fonts. To achieve these functions, the email program must accept and run little programs embedded within the email. This may create dangerous opportunities for Melissa’s variants to attack the system.
It has been reported that Melissa virus was spreading as RTF files but files that were true RTF format did not contain macros. Since macros are not in true RTF files, anti-virus scanning tools do not scan the files for macro viruses by default. This has been taken advantage of by simply renaming a Word document containing the Melissa macro virus to end in the .RTF extension.
Link: http://en.wikipedia.org/wiki/Macro_virus_(computing)
http://www.pspl.com/virus_info/w97m/melissa.htm http://support.microsoft.com/kb/q224567/