
ZSecurity Virus Case Study

Case Study: Melissa.V

In the spring of 1999, Dan, a worker in an upstate NY research and development lab, called his computer repair tech to make an appointment. He needed to bring his machine in because it had started acting funny a few days earlier. When pressed about the symptoms, Dan mentioned his computer running extremely slowly, especially when he first booted it up and tried to check his email. He also mentioned that he was having trouble with some of his Microsoft Office documents. Dan was on vacation for the week, so he was able to get the repair tech to make a house call that same day.

After an initial inspection the tech decided he needed to take the machine back to his shop for a closer look. That closer look revealed the computer had been infected with the now famous "Melissa" virus, also known as W97M. This virus, originally created by New Jersey resident David L. Smith, was not intended to be malicious. However, it spread so rapidly that it caused entire email systems to be overrun and shut down. Malicious variants of Melissa were created soon after, and it was the variant Melissa.V that Dan's computer had contracted.

Melissa's attack begins as an infected Microsoft Office file that takes advantage of the interoperability of Microsoft software. It copies itself to various files on the infected machine, then emails itself to entries found in address books on the machine with an attachment bearing the Microsoft .doc extension. Originally, Smith's attachment was passed off as a list of names and passwords to get access to pornographic websites. Once a machine became infected Melissa could send out any Office file as the attachment, so in just a few hours every .doc attachment was suspect.

In addition to reproducing and emailing itself, Melissa can also modify the infected Office documents in a variety of ways, including data corruption, replacing the current data with something completely unrelated, damaging macros or adding its own, even harvesting data found in some documents. This was Dan's experience with the Office documents on his machine. Another variant, Melissa.U, went so far as to change the properties of Windows system files and then delete them, rendering the machine un-bootable as soon as it was shut down. Fortunately Dan was not struck with this variant.

Removal of the virus needed to be done manually since Dan's antivirus vendor had not yet released an automatic removal tool. The technician first needed to isolate Melissa's original source file, usually found still residing in the email folders. That source file had to be deleted along with any copies it made of itself and placed elsewhere on the machine, but unfortunately no source file was found initially. Next, all documents had to be scanned and cleaned where possible, deleted when cleaning wasn't possible.

Finally, the tech had to clean the system registry and the Microsoft Office preferences. Melissa modified a registry entry that was originally produced by the operating system. This modification told the virus whether or not it had mailed itself out previously. Oddly enough, the author programmed Melissa to run the email only once. As for the Office preferences, Melissa disabled macro tools, macro virus protection, verification of template saving, and confirmation of document conversion. Disabling these options allowed the virus to modify documents without the knowledge of the user. All these features were turned back on as part of the removal process.
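The preference changes described above can be checked for in macro source that has already been extracted from a document as text. The following is an added example, not part of the original case study or any ZSecurity tool; the `Options` property names are Word's own, while mapping them to the case study's wording, the function names and the sample macro are assumptions made here.

```python
import ast
import re

# Word object-model settings named in the removal step above. The property
# names are Word's own; mapping them to the case study's wording is assumed.
WATCHED = {
    "options.virusprotection": "macro virus protection",
    "options.savenormalprompt": "verification of template saving",
    "options.confirmconversions": "confirmation of document conversion",
}
MENU = re.compile(r'commandbars\("[^"]*"\)\.controls\("[^"]*"\)\.enabled')

def const_int(expr):
    """Value of integer +/- arithmetic such as "(1 - 1)", else None."""
    def ev(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
            left, right = ev(node.left), ev(node.right)
            return left + right if isinstance(node.op, ast.Add) else left - right
        raise ValueError(expr)
    try:
        return ev(ast.parse(expr.strip(), mode="eval").body)
    except (ValueError, SyntaxError, RecursionError):
        return None

def find_protection_tampering(macro_source):
    """Return (line number, setting) for each statement that switches one off."""
    findings = []
    for lineno, line in enumerate(macro_source.splitlines(), 1):
        code = line.split("'", 1)[0]            # drop trailing VBA comment
        for stmt in code.split(":"):            # ':' separates statements
            lhs, eq, rhs = stmt.partition("=")
            target = re.sub(r"\s+", "", lhs).lower()
            label = WATCHED.get(target) or (MENU.fullmatch(target) and "macro menu control")
            off = rhs.strip().lower() == "false" or const_int(rhs) == 0
            if eq and label and off:
                findings.append((lineno, label))
    return findings

# Constructed sample of extracted macro text, not from a real specimen.
SAMPLE = """Sub Document_Open()
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = 0
  Options.SaveNormalPrompt = False
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.VirusProtection = True   ' re-enabling is not flagged
End Sub
"""
print(find_protection_tampering(SAMPLE))
```

The check treats `False`, `0` and constant arithmetic that evaluates to zero as "off", and it ignores comparisons such as `If Options.VirusProtection = False Then`, which read a setting rather than change it.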

Once removal was complete and the computer returned, Dan and the tech needed to figure out where the infection came from in order to kill the source and prevent a second attack. The usual suspects were checked first: teenagers in the house who frequently exchanged files, unusual email attachments that had been opened, questionable websites that might have been visited. Yet all of these possibilities came up empty.

Dan mentioned he had been off work all week due to a mandatory facility furlough and was looking forward to returning in a couple of days. He had brought some work home with him the previous Friday so he wouldn't be behind after the furlough, but the computer being down prevented him from doing much work. As it turned out, in his remarks Dan had revealed the source: the documents he'd brought home from work. The floppy disk was checked and there it was: a file Dan had received in his email and which he brought home and opened on his computer.

The lab where Dan worked had been infected, but due to the week-long furlough it hadn't been able to do significant damage to the system. A call was placed to the lab's IT department who went in immediately and cleaned all the computers. When the doors opened the following Monday it was business as usual, thanks to a dedicated employee and a repair tech who knew what he was doing.

ZSecurity detects and cleans thousands of computer viruses, including Melissa and its variants. Make sure your program is updated and running at all times.

 

 

Copyright © 2009 ZSecurity