REDMOND, Wash., March 30, 1999 — On Friday, March 26, Microsoft Corp. was made aware of a Word macro virus, dubbed
“Melissa,” that has since affected a number of PC users and companies. The macro functionality of Microsoft® Office applications provides a programming environment that allows customers and developers to extend the functionality of Office. However, malicious hackers have recently taken advantage of this macro functionality to create harmful viruses. As with all virus issues Microsoft takes this issue very seriously. And because of the widespread nature of the
“Melissa”
virus, Microsoft has taken steps to proactively notify its customers using e-mail and its Web site to alert them to this issue. Microsoft is actively working with the anti-virus community and other Internet security groups to educate customers on the situation and to help minimize the impact of this class of virus.
On Monday, March 29, a new variant of the
“Melissa”
virus was reported. This statement contains information on the new variant, dubbed
“Papa,”
and describes the steps users can take to ensure that neither the
“Papa”
nor the
“Melissa”
virus impacts them adversely. As is common with viruses, additional variants will likely emerge. However, in the case of any of these variants, the recommended protective precautions are identical to those previously recommended for the
“Melissa”
virus.
The
“Melissa”
virus is a Word 97 or 2000 macro virus delivered via e-mail in an attached Word document (for more information on the
“Melissa”
virus see http://officeupdate.microsoft.com/articles/macroalert.htm . The more recent
“Papa”
virus is a Microsoft Excel 97 or Excel 2000 macro virus delivered via e-mail in an attached Excel document. In the case of the
“Papa”
virus, the e-mail contains the subject line
“Fwd: Workbook from all.net and Fred Cohen”
and/or contains the message body
“Urgent info inside. Disregard macro warning.”
If the attached Excel document (named
“pass.xls” ) is opened and the macro is enabled (i.e., is allowed to run), the virus will be activated and it will attempt to propagate itself by sending e-mail with the infected document to a number of recipients. For the virus to send the infected e-mail to others, the Microsoft Outlook® , Outlook 98 or Outlook 2000 messaging and collaboration client must be on the user’s system and be set up with a working e-mail service. The
“Papa”
virus reads the list of e-mail addresses from the Outlook Address Book and attempts to send an e-mail message to the first 60 contacts automatically, without the user’s knowledge. In addition, the
“Papa”
virus may generate commands that result in significant network traffic congestion without the user’s knowledge.
Although the name of the attached, infected Excel document is
“pass.xls”
, this could be changed to any name (note: the subject line could be changed as well). The
“Papa”
virus does not appear to destroy data.
Microsoft Office applications including Microsoft Word and Microsoft Excel are designed to protect users from macro viruses including the
“Melissa”
and
“Papa”
viruses and any variants, provided the macro virus protection in these applications is turned on (which is the default setting). With the macro virus protection turned on, every time a user opens a document that contains macros, a dialog box appears and asks the user to choose whether to enable or disable included macros. Users should always disable macros when they are not certain of their purpose or functionality. By choosing to disable the macros, any macro viruses are prevented from running, preventing infection by the virus.
The virus is only activated if one of the following happens:
-
The attached document is opened and the macros are enabled
-
Macro virus protection has been previously disabled (this might have been deliberately set by the user, or it could be the result of a previously successful virus attack) and the attachment is opened
It should be noted that even if the message containing the virus is not opened, it could still infect others if it is forwarded. To minimize risk from this virus and to prevent spreading the virus further, users who receive e-mail with the above-mentioned attachment and/or subject line should delete it immediately without opening the message.
For more information on how to properly set Office macro virus protection or for more information on the
“Papa”
virus or any other reported variants of the
“Melissa”
virus, users should visit http://officeupdate.microsoft.com/articles/macroalert.htm .
For more information on anti-virus software that can help detect these viruses, users should visit http://www.cert.org/ or http://www.icsa.org/ .
Microsoft and Outlook are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
