
Virus:W97M/Melissa.A


W97M/Melissa is a macro worm that spreads via e-mail and by infecting Word documents and templates. The worm has been designed to work in both Office 97 (Word 8) and Office 2K (Word 9.0), and it uses Outlook to reach new targets through e-mail.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 

Threat behavior

Spreads via…
File infection
Infected documents carry the virus in a class module called Melissa, in the function Document_Open().

When an infected document is opened and the virus identifies the environment as Word 9.0, it removes the menu option 'Macro\Security' from the toolbar and enables all macros by directly modifying security settings in the registry:

To subkey: HKCU\Software\Microsoft\Office\9.0\Word\Security
Modifies value: "Level"
With data: 1

If the virus is running in Word 8, it removes the menu option 'Tools\Macro' from the toolbar, and disables the following three security-related features:
  • in-built macro protection;
  • warning about modifications to the Normal template;
  • format conversion confirmation.
 
Then the virus infects the Normal template. If the first class module is not called Melissa, the virus removes any code from that module and replaces it with the virus code. If the virus runs from an infected Normal template, it uses the same method to infect the active document.
 
Via e-mail
Next, the worm attempts to send itself out as an e-mail attachment. Since the mailing process is triggered once per infected machine, the virus checks for the presence of its marker in the registry by comparing the value:
HKCU\Software\Microsoft\Office\Melissa?
against the string:
"... by Kwyjibo".
If the above match is not found, and Outlook is installed on the system, the virus checks the Outlook address lists and collects up to 50 e-mail addresses from each list. It constructs the following e-mails (one per list):

Subject: Important Message From  <user name>
Message: Here is that document you asked for ... don’t show anyone else ;-)
Attachment: <currently open infected document>

After the mailing process is completed (or if the system doesn’t have Outlook installed), the virus sets the aforementioned marker (HKCU\Software\Microsoft\Office\Melissa? = "... by Kwyjibo") and moves on to infecting the Normal template.
Payload: date-based
Inserts text into documents
The virus checks the current time and date. If the minute value of the current time is equal to the day of the month, the virus inserts the following text into the open document:

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
Additional Information
The virus code contains the following never-displayed comments:
WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

The author of the W97M/Melissa.A virus, David L. Smith, released it on March 26th, 1999, and was arrested on April 1st, 1999. He admitted to writing the virus. Three years later, in 2002, he was sentenced to 20 months in jail.
 
Analysis by Jakub Kaminski

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    To subkey: HKCU\Software\Microsoft\Office\9.0\Word\Security
    Modifies value: "Level"
    With data: 1

    To subkey: HKCU\Software\Microsoft\Office
    Adds value: "Melissa?"
    With data: "... by Kwyjibo"
  • The display of the following message:
    "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
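
The two registry indicators listed above can be checked offline against an exported hive. The following is an added example, not part of the original entry: it parses the text of a .reg export of HKCU\Software\Microsoft\Office and reports which indicators are present. The sample export is constructed, the function names are hypothetical, and it assumes "Level" is stored as a DWORD (a string "1" is also accepted).

```python
import re

# Indicators from the Symptoms list: (subkey, value name, expected data).
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office", "Melissa?", "... by Kwyjibo"),
]

# Constructed sample export (not captured from a real system).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
'''

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg_export(text):
    """Parse already-decoded .reg text into {subkey: {value name: data}}, keys lowercased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        data = m.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = _unescape(data[1:-1])
        else:
            continue  # hex(...) and other types are not needed for these indicators
        current[_unescape(m.group(1)).lower()] = value
    return keys

def melissa_indicators(text):
    """Return the entries of INDICATORS that are present in the export text."""
    keys = parse_reg_export(text)
    return [(k, n, d) for k, n, d in INDICATORS
            if str(keys.get(k.lower(), {}).get(n.lower())) == str(d)]

if __name__ == "__main__":
    for key, name, data in melissa_indicators(SAMPLE_INFECTED):
        print(f"indicator present: {key} -> {name} = {data!r}")
```

Files written by `reg export` are normally UTF-16, so decode them (for example `open(path, encoding="utf-16").read()`) before passing the text in. Of the two indicators, the "Melissa?" value is the one specific to this worm.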

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 15, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases