Re: Melissa Macro Virus

From: Nate Lawson (nateat_private)
Date: Fri Mar 26 1999 - 17:51:49 PST


    Here is my analysis of how the virus works.  The McAfee article aleph1
    posted neglects to mention that it infects the active document and
    Normal.dot.
    
    1.  Check for Word security controls and disable them:
        Word 2000
            Macro.Security... = FALSE
        Word 97
            Options.ConfirmConversions = 0
            Options.VirusProtection = 0
            Options.SaveNormalPrompt = 0
    
    2.  See if machine is already infected
        Check HKCU\Software\Microsoft\Office\Melissa? for the string
        "... by Kwyjibo"
    
    3.  If it wasn't already infected, go through the Outlook address book
        and send mail to the first 50 names
        Subject: Important Message From <Full Name>
        Body:  Here is that document you asked for... don't show anyone else ;-)
        Attachment:  itself, named "list.doc"
    
        After sending the mail, add the registry key to disable further
        infection.
    
    4.  Open the Active Document and Normal.dot and infect them with itself
    
    5.  On the way out, check if the current day equals the current minute.
    If so, print "Twenty-two points, plus triple-word-score, plus fifty points
    for using all my letters.  Game's over.  I'm outta here."
    
    It does not appear to do anything malicious other than shutting down your
    mail server with tons of mail as users start opening the attachment.  It
    appears the virus vendors have a patch out now.  To avoid infection,
    disable macros when opening any Word document or just don't open the
    attachment.  Thanks to Josh Siegel for sending me the code.
    
    -Nate
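
Added example, not part of Nate Lawson's message: a mail-gateway style check in Python that scores a message against the three indicators listed in step 3 (subject prefix, body text, attachment name). The function names, the verdict rule and the sample messages are assumptions constructed for this illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators quoted from the analysis above. The verdict rule is this example's assumption.
SUBJECT_PREFIX = "important message from "
BODY_PHRASE = "here is that document you asked for"
ATTACHMENT_NAME = "list.doc"


def melissa_indicators(raw_message):
    """Return which of the three described indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_PHRASE in body.get_content().lower():
        hits.append("body")
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    if ATTACHMENT_NAME in names:
        hits.append("attachment")
    return hits


def verdict(raw_message):
    """Quarantine on the attachment name plus one text indicator; review on any single hit."""
    hits = melissa_indicators(raw_message)
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(subject, text, attachment=None):
    """Build a constructed test message (addresses and payload are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment:
        msg.add_attachment(b"constructed placeholder, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    lure = build_sample("Important Message From Alice Example",
                        "Here is that document you asked for... don't show anyone else ;-)",
                        "list.doc")
    print(melissa_indicators(lure), verdict(lure))
```

String indicators like these only match the unmodified variant described in the message, so a legitimate attachment that happens to be named list.doc is sent to review rather than quarantined.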
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:26 PDT