W97M/Melissa is a macro worm that spreads via e-mail and by infecting Word documents and templates. The worm was designed to work in both Office 97 (Word 8) and Office 2K (Word 9.0), and it uses Outlook to reach new targets through e-mail.
Infected documents carry the virus in a class module called Melissa, in the function Document_Open().
When an infected document is opened and the virus identifies the environment as Word 9.0, it removes the menu option 'Macro\Security' from the toolbar and enables all macros by directly modifying security settings in the registry:
To subkey: HKCU\Software\Microsoft\Office\9.0\Word\Security
Modifies value: "Level"
With data: 1
If the virus is running in Word 8, it removes the menu option 'Tools\Macro' from the toolbar, and disables the following three security related features:
- in-built macro protection;
- warning about modifications to the Normal template;
- format conversion confirmation.
Then the virus infects the Normal template. It checks if the first class module is not called Melissa, then it removes any code from that module, replacing it with the virus code. If the virus runs from an infected Normal template, the virus uses the same method to infect the active document.
Next, the worm attempts to send itself out as an e-mail attachment. Since the mailing process is triggered only once per infected machine, the virus checks for the presence of its marker in the registry by comparing the value:
HKCU\Software\Microsoft\Office\Melissa?
against the string:
"... by Kwyjibo".
If the above match is not found, and Outlook is installed on the system, the virus checks the Outlook address lists and collects up to 50 e-mail addresses from each list. It constructs the following e-mails (one per list):
Subject: Important Message From <user name>
Message: Here is that document you asked for ... don’t show anyone else ;-)
Attachment: <currently open infected document>
After the mailing process is completed (or if the system doesn’t have Outlook installed) the virus sets the aforementioned marker (HKCU\Software\Microsoft\Office\Melissa? = "... by Kwyjibo") and moves on to infecting the Normal template.
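The two registry changes described above (the "Melissa?" marker and the Word 9.0 security Level) can be checked in a user's exported Office key. The Python below is an added example, not part of the original analysis; the function names and the sample export are constructed for illustration, and the input is assumed to be the decoded text of a `reg export` of HKCU\Software\Microsoft\Office.

```python
import re

# Indicators as given in the description above.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME, MARKER_DATA = "Melissa?", "... by Kwyjibo"
SEC_KEY = MARKER_KEY + r"\9.0\Word\Security"

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header, blank line, or a type this check does not need
        name, raw = re.sub(r"\\(.)", r"\1", m.group(1)), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def melissa_indicators(text):
    """Return the findings for one user's exported Office key."""
    keys, findings = parse_reg(text), []
    if keys.get(MARKER_KEY.lower(), {}).get(MARKER_NAME) == MARKER_DATA:
        findings.append("mailing marker 'Melissa?' is set")
    # Level 1 can also be a user's own choice: a lead to follow up, not proof.
    if keys.get(SEC_KEY.lower(), {}).get("Level") == 1:
        findings.append("Word 9.0 macro security Level is 1")
    return findings

# Constructed sample in the format written by `reg export` (decoded to text).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
'''

if __name__ == "__main__":
    for finding in melissa_indicators(SAMPLE):
        print(finding)
```

Key paths are compared case-insensitively because registry key names are not case-sensitive; value types other than strings and DWORDs are skipped.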
Inserts text into documents
The virus checks the current time and date. If the number of minutes is equal to the day of the month, the virus inserts the following text into the open document:
"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
The virus code contains the following never-displayed comments:
WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
The author of the W97M/Melissa.A virus, David L. Smith, who released it on March 26th, 1999, was arrested on April 1st, 1999. He admitted to writing the virus. Three years later, in 2002, he was sentenced to 20 months in jail.
Analysis by Jakub Kaminski