Under the skin
A detailed look at Melissa demonstrates just how viruses in
general get into a system, replicate, and deliver their payloads.
Source of Mischief:
The source code of the Melissa e-mail virus breaks down into distinct functions
[colored blocks]: the virus neutralizes defenses by turning off macro warning messages
in Microsoft Word, transmits itself by e-mail to other computers, infects other Word
documents edited on the affected system, and finally delivers its payload—a quote from
"The Simpsons" TV show. Melissa will refrain from transmitting itself by e-mail
if the target computer has already been infected and uses different code for
handling different versions of Word. [Arrows indicate program flow.] Slight
changes have been made to this source code to render it harmless.
Melissa targeted the Microsoft Office software suite, probably because of its
widespread availability and its tight integration of such
components as a word processor and an e-mail client.
Melissa's first appearance was on 26 March 1999 in the alt.sex newsgroup,
lurking in a posted Microsoft Word document that contained
a list of user names and passwords for a variety of pornographic
Web sites.
The virus was in a macro called Document_Open, which, as the name suggests,
is executed when the document is opened—if macros are permitted
to run. Although given a pop-up warning by Microsoft Word
against permitting macros to execute, users caught in the
first wave were sufficiently intrigued by the content to ignore
the warning—a perfect example of a Trojan attack.
The virus's
first act was to disable the macro security tools. These tools
allow users to block macros from running and receive warnings
about the presence of macros in a document file.
As a worm might do, Melissa then opened the user's Microsoft Outlook
e-mail address book and mailed the infected document, along
with the virus, to the first 50 names in each address list.
Cleverly, it also composed a subject line for these e-mails
that read "Important Message From," followed by the infected
user's name, also from Outlook. The body of the e-mail was
set to "Here is that document you asked for...don't show anyone
else." This convinced recipients that the document was from
a trusted source, so they, too, ignored the initial warning
against enabling macros.
Melissa then moved to its viral stage, attempting to infect other
Word documents. First, it invaded Word's default template,
copying itself into the Document_Close macro. The default
template contains various settings used by Word when creating
and editing documents.
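
The stages described above (an auto-run macro, disabling of macro security, Outlook automation, and access to the default template) can be used as a triage heuristic over macro source that has already been extracted from a document as text. This is an added example, not code from the article or from Melissa; the VBA identifiers in the patterns, the function names and both sample fragments are assumptions constructed for illustration.

```python
import re

# One pattern per stage described in the article. The VBA identifiers are
# assumptions taken from the Word and Outlook object models, not from the page.
STAGES = {
    "auto_run": re.compile(r"\bSub\s+(Document_Open|Document_Close)\b", re.I),
    "disables_macro_security": re.compile(r"\bOptions\.VirusProtection\s*=\s*(False|0)\b", re.I),
    "outlook_automation": re.compile(r'(Create|Get)Object\(\s*"Outlook\.Application"', re.I),
    "template_access": re.compile(r"\bNormalTemplate\.VBProject\b", re.I),
}

def strip_comments(source):
    """Drop VBA apostrophe comments, leaving string literals untouched."""
    cleaned = []
    for line in source.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        cleaned.append(line)
    return "\n".join(cleaned)

def triage(source):
    """Return (verdict, stages_seen) for extracted macro source text."""
    code = strip_comments(source)
    seen = sorted(name for name, rx in STAGES.items() if rx.search(code))
    later = [s for s in seen if s != "auto_run"]
    # An auto-run hook alone is common in legitimate documents; it matters
    # when it is chained with the later stages.
    if "auto_run" in seen and len(later) >= 2:
        return "escalate", seen
    return ("review" if later else "pass"), seen

# Constructed samples: non-functional fragments, not Melissa's code.
BENIGN = '''Private Sub Document_Open()
    ' Options.VirusProtection = False   (quoted from an advisory)
    ActiveDocument.Fields.Update
End Sub'''

SUSPECT = '''Private Sub Document_Open()
    Options.VirusProtection = False
    Set ol = CreateObject("Outlook.Application")
    Set nt = NormalTemplate.VBProject
End Sub'''

if __name__ == "__main__":
    for name, text in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT)):
        print(name, triage(text))
```

The benign sample shows why comments are stripped first: a macro that merely quotes a security setting in a comment should not be scored as tampering with it.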