-------------------------- W97M/MELISSA VIRUS WARNING -------------------------- Most warnings about viruses that spread via e-mail are hoaxes. This one, however, is not. We are bringing it to your attention because it poses a threat to the BCPL.NET mail server as well as to your personal PC. The following information is compiled from a number of reputable sources and is believed to be accurate. Sorry about the extreme length, but there is no way to describe this in fewer words. W97M/Melissa is a Word 97 Class Module Macro virus that can also activate under Word 2000. It was discovered on Friday, March 26, and is known to be spreading extremely rapidly. Because of the way it spreads (via e-mail) and the extreme speed with which it is spreading, it is swamping mail servers all over the Internet by filling up their hard disks and monopolizing all their available processor time. A number of mail servers are known to have crashed as a direct result. W97M/Melissa depends on the presense of Microsoft Outlook in order to spread from an infected computer, and Outlook is used primarily by business users on corporate networks, so the greatest impact is expected to be felt after the start of business on Monday, March 29. It is not unreasonable to expect e-mail delivery delays because of the extra load this will place on mail servers all over the Internet. Identifying W97M/Melissa ------------------------ W97M/Melissa spreads in the form of an e-mail file attachment usually (but not always) named "List.DOC". The message bearing the attachment always has the following identifying characteristics: From: (probably someone you know) To: (50 names from the sender's Outlook Address Book) Subject: Important Message From (name of sender) Message Text: Here is that document you asked for ... don't show anyone else ;-) The sender will probably be someone you know, but this DOES NOT mean he/she sent it to you intentionally. Chances are, he/she knows nothing about it. W97M/Melissa spreads itself automatically from infected PCs without the sender's knowledge. If you receive e-mail with a Subject line containing "Important Message From...", and if the message includes a file attachment, DO NOT open the attachment. DO NOT send it to anyone else. Delete the message and the attachment immediately. All publishers of virus detection software are providing updates to detect and eradicate W97M/Melissa. Check with the publisher of your virus detection software for details. How W97M/Melissa Works ---------------------- When the infected Word document is opened, the virus checks for a setting in the Windows Registry that tests whether the system has already been infected. If the system has not already been infected, the virus creates the following entry in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?"="... by Kwyjibo" If this key already exists the email redistribution process will not execute, but the virus will still infect any Word files opened subsequently. Note: As a preventive measure you can create this registry key to prevent the virus from launching. However we recommended this ONLY if you are familiar with the inner workings of the Windows Registry and are comfortable modifying it. BCPL.NET will not be responsible for damage you do by mucking about in the Registry! Once your computer has become infected, the following will happen: 1. Every Word document you open will become infected by W97M/Melissa. 2. If an infected document is opened when the day and the minute are the same numeric value (i.e. March 30 at 10:30) the following text is inserted into the document at the current cursor position: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." 3. If you have Microsoft Outlook, the virus creates an Outlook object using Visual Basic and reads the list of members from your Outlook Address Books. An email message is created and sent to the first 50 addresses in each of your address books, one at a time. The "From:" address, "Subject:", and message text are as described earlier. The active infected Word document is attached and the email is sent. The most prevalent document being seen is one called List.DOC, however this is NOT the only document that can be sent or received. Any infected Word document that is open at the time can be sent. 4. If you have Word 97, the "TOOLS/MACRO" menu option is disabled to prevent Word from detecting Macro virus activity. 5. If you have Office 2000, the virus checks for low security in Office by checking for a value in the the registry. If the value HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is not null, the virus will disable the "MACRO/SECURITY" menu option to prevent Word from detecting Macro virus activity. Macintosh Users --------------- It is unclear at present what effect, if any, W97M/Melissa has on a Macintosh. W97M/Melissa depends to a great extent on Windows Registry settings which are not applicable to the Mac. However, it is still possible that W97M/Melissa may infect your Word documents and that you may inadvertently spread the virus by sending infected documents as file attachments. We therefore recommend that you treat potentially infected e-mail exactly as recommended above for PC users. BCPL.NET INTERNET SERVICES CONTACTS: ----------------------------------- Administration & Policy: ispadmin@bcpl.net 410-887-6180 Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172 Technical Support (Help Desk): help@bcpl.net 410-887-3297 Usenet News Newsgroup Requests news-admin@bcpl.net 410-887-6180 E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180 FAX: 410-887-2091 Help Pages: http://www.bcpl.net/help.html (or enter "help" at the UNIX shell prompt) System News Archives: http://www.bcpl.net/sysnews.html (or enter "sysnews" at the UNIX shell prompt)