Original publication date: May 24, 1999

<OL>

<b> 
<LI>Can Melissa spread through .RTF (Rich-text format) files? </LI>
</b> 

<P>We received reports on May 24, 1999 that the Melissa virus is
spreading as RTF files.  Files that are true RTF format do not contain
macros.  Because macros are not in true RTF files anti-virus scanning
tools do not scan the files for macro viruses by default.  This is
being taken advantage of by simply renaming a Word document containing
the Melissa macro virus to end in the .RTF extension.
</P>

<b>
<LI>How many reports have we received? </LI>
</b> 
<P>We have first-hand reports of more than 300 organizations affected, covering 
more than 100,000 individual hosts. </P>
<B> 
<LI>Is the damage limited only to denial-of-service? </LI>
</B> 
<P>No. Under some circumstances, confidential documents can be leaked without the 
user's knowledge. These circumstances include the use of a single template file 
by more than one user, and the transmission of an infected document to another 
user who has not previously been infected. Additionally, if you fail to clean 
up the virus correctly and completely (for example, by not cleaning the normal.dot 
file) you may expose confidential information at a later time. </P>
<B> 
<LI>What about Papa, and other variants? </LI>
</B> 
<P>We have received reports of other variants of Melissa, including one named 
Papa. At the present time, we have not received a significant number of reports 
of Papa outbreaks. If you practice antivirus precautions on a regular basis, you 
can protect yourself against Papa and other variants of Melissa. </P>
<B> 
<LI>Are Macro viruses new? </LI>
</B> 
<P>No. According to the Department of Energy's Computer Incident Advisory Capability 
(CIAC), macro viruses for Microsoft Word appeared as early as 1995, with over 
1000 variants for Word and other products by 1998. See <a href="http://www.ciac.org/ciac/bulletins/i-023.shtml">http://www.ciac.org/ciac/bulletins/i-023.shtml</a> 
for more information. </P>
<B> 
<LI>Why was Melissa so serious? </LI>
</B> 
<P>Melissa was different from other macro viruses because of the speed at which 
it spread. The first confirmed reports of Melissa were received on Friday, March 
26, 1999. By Monday, March 29, it had reached more than 100,000 computers. Some 
sites had to take their mail systems off-line. One site reported receiving 32,000 
copies of mail messages containing Melissa on their systems within 45 minutes. 
</P>
<B> 
<LI>Are Macro viruses limited to Microsoft Word? </LI>
</B> 
<P>No. Macro viruses can affect other products, including other products from 
Microsoft such as Excel and Powerpoint. The Papa virus, for instance, is reported 
to be spread via Excel. </P>
<B> 
<LI>Is Melissa a worm? </LI>
</B> 
<P>Melissa requires user interaction to propagate, therefore we do not consider 
it a worm. However, Melissa can propagate quickly from one computer to another 
with minimal interaction required by the user. </P>
<B> 
<LI>Does the Melissa virus affect MacOS? </LI>
</B> 
<P>The Melissa virus can infect files stored on and shared with MacOS-based systems 
running Word 98. However, when the virus runs on MacOS systems, it is not able 
to send electronic mail, and its propagation will be slower on MacOS systems. 
</P>
<P>			</P>
<B> 
<LI>Can I protect myself by marking the normal.dot file read-only? </LI>
</B> 
<P>At best, marking the normal.dot file read only is a stop-gap protection. On 
Windows 98/95 systems and on MacOS, viruses can circumvent the read-only protection. 
Instead, we recommend setting Word to prompt the user before making any changes 
to the normal.dot file if you are concerned about changes to that file. </P>
<B> 
<LI>How can I protect myself against variants of Melissa? </LI>
</B> 
<P>Disable macros by default. Use caution when operating any product when macros 
are enabled. Keep your antivirus products up-to-date. Be leery of unsolicited 
documents or executable programs received in electronic mail. Beware of software 
that comes from untrusted sources. </P>
<B> 
<LI>Who wrote Melissa? Why was Melissa written? What crimes has the author committed? 
What is the status of the investigation? </LI>
</B> 

<P>The CERT Coordination Center is a technical organization. We concentrate on
the technical aspects of computer security problems. We have no legal
authority and we do not "catch the bad guys."</P>


<B> 
<LI>Can I be affected if I don't use Outlook? </LI>
</B> 
<P>If it is installed, Outlook is used by the virus to send mail. Otherwise, Melissa 
behaves like a normal virus: you can infect others by carelessly sharing files. 
</P>
<B> 
<LI>I use a mail package other than Outlook. Am I affected? </LI>
</B> 
<P>The mailer you use to read mail doesn't matter. The virus will use Outlook, 
if Outlook is installed, to send copies of itself. How you receive it doesn't 
matter. </P>
<B> 
<LI>How effective are systems that look at the subject of the mail message? </LI>
</B> 

<P>Systems that rely solely on pattern matching to recognize the virus can be
used as a stop gap measure to prevent the spread of a particular virus, but
will fail as soon as the virus mutates so that it no longer matches the
pattern. This can be very effective as a short-term fix, but will not provide
long-term protection.</P>

<B> 
<LI>Is Melissa the most dangerous virus possible? </LI>
</B> 
<P>Melissa was relatively non-destructive and easily detected. Variants could 
be significantly more destructive or stealthy. We strongly encourage you to be 
aware of the risks posed by viruses and other computer security concerns at all 
times. </P>
<B> 
<LI>Are you aware of the connection between the Melissa virus and the television 
show<I> The Simpsons</I>? </LI>
</B> 
<P>Yes.</P>
<b> 
<LI>What products are affected? </li>
</b> 
<p>Outlook 98 and Outlook 2000 for Windows platforms can be used to propagate 
the virus. Microsoft Word 97 and Word 2000 for Windows and Word 98 for Macintosh 
can be used by the virus to infect other documents. Earlier versions of Word, 
including Word 95, cannot be used to infect other documents, nor can Outlook Express 
on any platform be used to propagate the virus via email.</p>
<b><li>Why is it called Melissa? </li>
</b><p>It was named Melissa by the antivirus software vendors. </p>

<B><LI>Do you have to open the email attachment to be infected?</B></LI>

<P>Yes. To be affected by Melissa and other, similar macro viruses, you must
open the attachment and permit macros to run. You cannot be affected by
Melissa or similar viruses merely by receiving the email.</P>

<B><LI>If I receive the virus mailed to me by someone, should I notify
them?</B></LI>

<P>Yes. We encourage you to notify them. More information about dealing with
incidents can be found in our Incident Reporting Guidelines at</P>

<P><A
HREF="/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></P>

<B><LI>I am a novice user and know little about computer language. I read your
virus alert and tried to determine whether or not my Word macros were
disabled. I use Office 97, professional version, and did not find a way to
disable the macro function. However, under the menu options
"Tools/Options/General" I found a checked box that says "Macro virus
protection." Will this option provide adequate protection against the Melissa
macro virus and other, similar viruses?</B></LI>

<P>If this option is checked, Word will give you a warning any time you open a
document that has macros embedded in it. The warning will give you the
opportunity to prevent any macros from running.</P>

<B><LI>Are the Melissa macro virus and Happy99 the same thing?</B></LI>

<P>No. While Melissa is a macro virus, Happy99.exe is a Trojan horse program. For more information about Happy99.exe, please see Incident Note
IN-99-02 Happy99.exe Trojan Horse at</P>

<P><A HREF="/incident_notes/IN-99-02.html">http://www.cert.org/incident_notes/IN-99-02.html</A></P>

</OL>


<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>

<p>Copyright 1999 Carnegie Mellon University.</p>