Classification

Category :

Malware

Type :

-

Aliases :

Melissa.W, Macro.Word97.Melissa.w, W2001MAC/Melissa.W-mm, Melissa.X, Mid/Melissa-X, ANNIV, ANNIV.DOC, W2001MAC/Melissa.W

Summary

Melissa.W is a version of one of the most widespread viruses in history, Melissa.A. The original Melissa spread around the world as an email chain letter in March 1999.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

After January 17th, 2001, F-Secure started receiving reports about a new version of Melissa, this time spreading in a file called Anniv.doc.

This version was named Melissa.W. It's not really a new version of the virus; the format of the infected file has changed. The file Anniv.doc is in Microsoft Word 2001 for Macintosh format. This is problematic, as several antivirus programs are still unable to handle this new file format, but the file and the virus is fully functional under both Macintosh and Windows versions of Microsoft Office.

By January 19th, we had received dozens of infection reports from various parts of the world, with the rate of infections increasing. It seems that this virus might become very widespread rapidly.

The only functional difference between Melissa.A and Melissa.W is that the W variant does not lower the macro security settings in Word 2000.

For full details on the Melissa virus, see the description of Melissa.A at https://www.F-Secure.com/v-descs/melissa.shtml

The worm sends email to addresses found from Microsoft Outlook address book.

The emails look like this:

From: (name of infected user)
 Subject: Important Message From (name of infected user)
 To: (50 names from address book) 		
 Here is that document you asked for ... don't show anyone else ;-)
 Attachment: Anniv.doc (the infected active document)

Do notice that Melissa.W can arrive in any document - the attachment does not necessarily have to be named Anniv.doc. The infected attachments might also contain confidential data from the infected computers.

email worms such as Melissa spread effectively, as users are likely to open a emails coming from someone they know.

You don't need to have Microsoft Outlook to receive the virus in email. However, the virus will not spread further from your machine via email unless you have Outlook installed.

Melissa will not work under Word 95 and will not spread further under Outlook Express. It can infect Windows 95, 98, Me, NT, 2000 and Macintosh users.