Per Olav Førland
Internet Coordinator
Norman ASA
28 April 1999
Before, during and just after Easter, a lot of people and organizations were paid a visit by the computer virus Melissa. This virus propagated so quickly and extensively that many compared it to the legendary "Morris worm." The Morris worm wreaked havoc in 1988 on the Internet’s precursor, the ARPANET.
This document will sum up what really happened when Melissa made her debut as well as try to draw some conclusions based on her visit. The experiences we gained from Melissa may enable us to become better prepared the next time we encounter such a woman...
Some facts
Let me start with some technical facts: Melissa or W97M/Melissa.A, which is the precise name, is a macro virus. Macro viruses were seen "In-The-Wild" for the first time in 1995. Unlike the traditional viruses, which infect computer programs, macro viruses infect documents (including spreadsheets and presentations). Thus, macro viruses normally spread faster because it is more common to exchange documents between friends and colleagues. As of this writing, Norman’s virus control programs identify approximately 4,000 different macro virus signatures.
The Melissa virus in particular infects documents written in Word for Office 97 or the test version of Office 2000, using the language Microsoft provides for creating macros in such documents. The Melissa virus was first released when it was posted to a newsgroup on the Internet on Friday, March 26. It then propagated very quickly in e-mail attachments.
Symptoms of the Melissa virus include:
One receives an e-mail from a person with whom one has previously exchanged e-mails. The e-mail’s subject is "Important Message From ’Name’", where ’Name’ is the full name of the sender. The body of the e-mail is the sentence "Here is that document you asked for ... don’t show anyone else ;-)". Attached to the e-mail is a document with addresses to some Internet sites with pornographic content as well as a user name and password to these sites. This document is infected with the Melissa virus. If the recipient opens the attachment using one of the versions of Word mentioned above, their computer will be infected.
The Melissa virus starts by disabling a macro security function in Word. It then checks the registry to see if it infected that computer earlier. If the PC has not been previously infected, Melissa starts the e-mail program Microsoft Outlook and sends an e-mail to the first 50 e-mail entries in the user’s global address book. This e-mail is sent only if Outlook is installed. If other e-mail clients are used, no such mail is sent.
The Melissa virus finishes by writing information in the registry which prevents the virus from being activated again on that computer. If the date and minute are identical, the virus will enter a short text in the active document.
Any new documents created after this will be infected with the Melissa virus.
When the 50 recipients receive the new e-mail, they have to decide what to do with it. This may result in new infections and an additional 50 e-mails sent from each recipient. As this continues, the virus propagates at an exponential rate.
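The symptoms described above can be turned into a check at the mail gateway. The following Python code is an added example, not part of the original article and not taken from any Norman product; the attachment suffixes, the verdict names and the example.org addresses are assumptions, and the test messages are built by the `sample` helper rather than captured from real traffic.

```python
from collections import Counter
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the symptoms described above.
SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for"
WORD_SUFFIXES = (".doc", ".dot")  # assumption: Word attachments by file name
FANOUT = 50                       # Melissa mails the first 50 address book entries

def classify(raw):
    """Return (verdict, sender, recipient_count) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    body_part = msg.get_body(preferencelist=("plain",))
    body = " ".join(body_part.get_content().lower().split()) if body_part else ""
    has_doc = any((p.get_filename() or "").lower().endswith(WORD_SUFFIXES)
                  for p in msg.iter_attachments())
    rcpts = [a for h in ("To", "Cc") if msg[h] for a in msg[h].addresses]
    subject_hit = subject.startswith(SUBJECT_PREFIX)
    body_hit = BODY_MARKER in body
    if subject_hit and body_hit and has_doc:
        verdict = "quarantine"   # all three symptoms present
    elif subject_hit or body_hit:
        verdict = "review"       # partial match, e.g. a forwarded warning
    else:
        verdict = "pass"
    return verdict, str(msg["From"] or ""), len(rcpts)

def infected_senders(batch):
    """Senders whose quarantined mail reached FANOUT recipients in this batch."""
    totals = Counter()
    for raw in batch:
        verdict, sender, n = classify(raw)
        if verdict == "quarantine":
            totals[sender] += n
    return sorted(s for s, n in totals.items() if n >= FANOUT)

def sample(sender, subject, body, attachment=None, n_rcpt=1):
    """Build a constructed test message (not a real sample)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m["To"] = ", ".join(f"user{i}@example.org" for i in range(n_rcpt))
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()
```

A sender listed by `infected_senders` points to a workstation that needs cleaning, not only to a message that needs blocking.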
Why was Melissa so special?
There are several aspects surrounding the Melissa virus which make it special and different from the traditional experiences with macro viruses. Some of these are beyond the actual infection itself and the damage which can occur from the infection.
The Melissa virus does not do anything particularly dangerous on the infected PC. As mentioned earlier, Melissa’s main action on the infected PC is to send an e-mail. This is something which users often do several times a day. It is the infrastructure which is the main victim of the Melissa virus. The heavy load on an organization’s local area network, the Internet, and in particular the involved mail servers are what suffer. There were reports stating that mail servers were overloaded due to too much mail. Some organizations chose to take their mail servers down until they were certain that the problem was under control, even though they had no reports of infections from the Melissa virus in the organization at that time.
Another aspect of the Melissa virus has to do with the virus control itself. In principle, virus control companies will always be on the defensive against the authors of new kinds of viruses. (One can hardly create protections against something which is not yet known.) Normally this is not a big problem. The virus control companies have mechanisms which ensure that they get information about new viruses very quickly, thus enabling the companies to update their virus signature files before the new viruses are spread widely. In the case of the Melissa virus, however, the propagation happened much too quickly. Even though the producers of virus control products analyzed and updated the virus signature files after a short time, the Melissa virus had already become a significant issue.
The third aspect I would like to mention is of a more psychological nature. This has to do with the fact that the Melissa virus got an enormous amount of attention. For the first time ever the US "National Infrastructure Protection Center" (part of the FBI) warned about the Melissa virus during a special press conference. This was published on the Internet shortly thereafter, and all over the world one could hear and see the press conference. Magazines, Internet news and other media warned about the phenomenon as well. As is often the case in such circumstances, the press coverage was inaccurate. One may wonder whether this coverage contributed to more unnecessary fear than actual information about how to protect oneself.
As we have seen, there are several elements that have to be present for the Melissa virus to be able to do any harm. However, the fear of the Melissa virus just before Easter was so huge that it went far beyond the group which actually had reason to be afraid. Consequently, virus control companies and other security experts got a lot of calls, e-mails and other attention. The result was that customers that were truly affected or in the danger zone got less attention than needed.
We may say that the environmental effects of "the evil Melissa virus" made it worse than it actually was.
Melissa’s younger brothers and sisters
A short time after the Melissa virus became a problem, the source code was posted on several Internet sites. As of this writing, there are more than ten macro viruses that more or less utilize the same technique as the Melissa virus. This, of course, did not lower the attention and fear of the virus.
However, several of the virus’s variants were not as dangerous as the Melissa virus itself. Some did not even function as intended. Unfortunately, this information did not reach the headlines, and the fear of being a victim of the Melissa virus family was still present, even for those who were already protected against the Melissa virus.
As we approach the end of April, more than a month after the Melissa virus was created, there is no longer much attention paid to the virus and its variants. The fact that a person suspected to be the one responsible was arrested and is facing a possible prison sentence and substantial fine may have contributed to this decline.
What did we learn?
Let me, at this time, try to draw some general conclusions and see if we did learn something from the Melissa incident.
One aspect, which is more like a confirmation of what we already knew, is that new kinds of computer viruses will appear in the foreseeable future. By new kinds of viruses, I mean viruses that use other techniques than those previously known.
An example of a new kind of computer virus even more dangerous than the Melissa family is the CIH virus. This virus caused severe damage on April 26, especially in Asia and some European countries. This is the first known virus which is able to damage hardware (BIOS) as well as overwrite the hard disk’s information.
The necessity to urge organizations and persons to use virus control programs that are constantly updated with new signature files cannot be stressed enough!
Another conclusion which can be drawn is the importance of public information that is precise and correct. There is no doubt the Melissa virus propagated very quickly, which caused severe problems for some, but it is certain that some people were afraid of being infected without due cause because the necessary elements for infection were not present. People were also afraid of the Melissa variants, some of which did not even function. The anti-virus business has to look to its own information regarding this matter too and inform our customers thoroughly.
The actions with respect to the Melissa virus show the importance of planning for such situations. These plans have to be made before the problem arises. As I have shown in this document, it is easy to panic and overreact. Good action plans with clear directions on how to react are the best offense in the case of real threats to an organization’s information systems.
Another conclusion that should be drawn is that even though the Internet and related technologies represent great opportunities, they still present a new and vulnerable technology with some severe weaknesses. Organizations which rely on this technology to conduct crucial tasks should be concerned by the fact that one person can create a small program which, in a very short time, caused large e-mail servers to be overloaded and parts of the Internet’s capacity to be affected.
In conclusion, it seems that some companies develop computer programs with emphasis on functionality while sacrificing security. Some programs are complicated and overloaded with functionality of which most users only use a small fraction. It is not obvious that this further functionality complies with the wishes and needs of the program users. Maybe these programs would be better with an increased focus on security.