New Variant of the Melissa Virus
Redmond, Wash., May 27, 2000
This destructive variant of the Melissa.U virus attempts to delete critical system and user data files rendering an infected computer unusable. It also attempts to automatically replicate to all available recipients in the infected user's address book. Most anti-virus software vendors have released updates in the last 24-48 hours.
Microsoft has been notified of a new variant of the Melissa.U virus. This new variant is detected by most anti-virus software products, but only if users have downloaded updated signature files. Email messages with the infected Word document attachment, called "Explorer.doc," will arrive with the subject line "Resume – Janet Simons." The text of the message reads:
"To: Director of Sales/Marketing,Infection occurs when a user opens the infected Word document and chooses to "Enable Macros" or already has macro security set to Low (Word 2000) or disabled (Word 97) in which case the macro is run automatically. It is important to note that the default Word 2000 macro security setting is "High" which silently disables unsigned macros like this Melissa.U variant. By default Word 97 always prompts the user before enabling potentially dangerous macros.
Attached is my resume with a list of references contained within.
Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Upon opening the attachment, the virus tries to send itself to all entries in the user’s address book. Upon closing the attachment, the virus begins deleting critical system and data files both on the local hard drive as well as on available network drives.
Please see the following references for more information related to this issue:
Network Associates Website: http://vil.nai.com/villib/dispvirus.asp?virus_k=98661
Symantec Website: http://www.symantec.com/avcenter/venc/data/w97m.melissa.bg.html
For additional general virus information see:
ICSA's Anti-Virus Product Developer’s Website: http://www.icsa.net/html/communities/antivirus/index.shtml Recommendation
Microsoft recommends customers take the following precautions:
Immediately delete any email message with the subject line beginning with "Resume – Janet Simons" System administrators can strip any attachments called "Explorer.doc" from inbound or outbound email or filter messages by the subject line, at the server or firewall, or firewall antivirus scanner level.
Ensure that Word 2000 macro security setting is "High" (default) or Word 97 Macro Virus Protection is enabled
Users should always "Disable Macros" if given a choice
Don't make yourself vulnerable to this or other viruses by opening an attachment unless you know what it is and who it is coming from. In the case of a worm like this one, be very aware of the subject line and content of the message, as it may come from someone you know without their knowledge.
This document is for information purposes only. This virus alert pertains only to the virus identified herein and there can be no guarantee that there won't be other viruses present. Microsoft provides this document "AS-IS", and hereby disclaims all warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, or fitness for a particular purpose.