Word's Melissa virus is 20 years old - what's changed?

One of the first major Word viruses, the Melissa virus, is 20 years old.   It’s amazing to see how much and how little has changed over two decades.  Office viruses today follow much the same pattern as they did back in the 20th Century.

Melissa was a Word macro virus which infected computers then spread itself by emailing copies to people or groups in the Outlook contacts list.  The email appeared to come the infected user with the SUBJECT: Important Message From <then inserts your name, from Word’s settings) and BODY: Here is that document you asked for … don’t show anyone else ;-).

Word 97 and Word 2000 (then in public testing) were affected. The infected emails went out right under people’s noses.

The core normal.dot template got infected with Melissa. Any documents sent out would include the virus, helping it spread even more quickly.

The virus spread very quickly because there weren’t many (or any) anti-virus checks on email and people weren’t as cautious as (we hope) people are now.

Melissa’s damage was to email systems. The virus spread so quickly that email servers would overload and crash or slow legitimate emails to a crawl.  Not just the messages from the virus itself but all the follow up emails (“Ignore that message” “I’m sorry” etc)

Melissa source code

Even Microsoft itself was infected with copies of Melissa spreading quickly to ‘softies all over the world.  They weren’t the only company affected; Intel had trouble too.  The clean up bill gets estimated at anything from $80 million to over a billion dollars.

Modesty forbids …

Our Editor-in-Chief, Peter Deegan wrote award winning coverage on the Melissa virus for ZDnet with help from Claude Almer and Phil Young (All three can’t believe that twenty years have passed). Also Vesselin Bontchev and Nick FitzGerald provided timely and accurate info.

“The Not So Lovely Melissa” explained what the virus did and did not do including how to protect yourself, what to do if already infected and squashing rumors.

Peter’s article won a 1999 Computer Press Association award with the judges saying:

“Clearly written, step-by-step guide for dealing with the Melissa virus. Clearly organized and easy to understand. This was a very competitive category, but this entry outclasses the others because it was produced on a tight deadline and responds so clearly to pressing questions that many computer users had that week. “

The best computer virus defense is you

Some quotes from Peter’s 1999 article still apply in 2019.

“Before opening ANY email attachment you should check it for nasties.  That means ANY attachment from ANYONE”

In other words, the best protection is your own suspicion of any incoming files.  Today’s automated scanning and protections are great but no replacement for native caution.

“For ALL attachments …, scan them for viruses before opening.  “

Windows now has Windows Defender which automatically checks all files as they arrive.  Back in the 20th Century people sometimes had to manually check each document.

What’s Different

Melissa used Word’s macro language to infect other documents and spread to other computers.  There was no trickery involved because Melissa used the direct documented commands in Office to do its dirty work.

In 2019, virus makers make use of security lapses in Windows and Office to get into a computer. They are backdoors into a computer rather than the ‘front door’ used by the Melissa virus.

Amateurs ruled

The FBI tracked down the Melissa virus author, David Lee Smith, a lone hacker who named the virus after a stripper.  Smith pleaded guilty, spent 20 months in jail and paid a $5k fine.

These days, Office viruses are professional operators not amateurs. Criminal gangs and ‘state operators’ create viruses to make money, target rivals or cause trouble generally for ‘enemies’.

Make your own virus

Now, anyone can buy a DIY kit to make your own Office viruses. Pay just $40 a month for a virus maker subscription!

Modern Office document formats

Old style Word documents (.doc) could contain macros and there was no direct way to know before opening.  We strongly urge NEVER opening .doc .xls .ppt or any of the old three letter Office extension.

Slow response

It took many days for companies to respond to the Melissa threat.  There were no real-time response systems in those days.

Slow updating

Microsoft eventually released a patch for Exchange Server to block Melissa infected messages.  There was no process to quickly update software back then.

Office 97/2000 didn’t have anti-virus protection at all, let alone a quick way to update Outlook or Word to block specific viruses.

Separate anti-virus software needed

In 1999 we were polite about Microsoft Office’s virus protection calling it ‘rudimentary’. Back then, Windows and Office had no proper anti-virus protection. What Microsoft called ‘virus protection’ was just a warning that a document contained macro code. No way to tell if the code was a virus or not.

Any sane computer user had to install separate anti-virus software from a bewildering range of suppliers.  Office Watch recommended everyone install anti-virus software.

Today, there’s no need to pay for antivirus software.  Windows Defender is part of Windows, is updated automatically and does a good job keeping nasties off computers. All incoming emails and documents are scanned in the background as they are saved.

Making money from viruses

The big change is the way companies, especially Microsoft, deal with computer viruses.

Instead of pretending they aren’t a problem (‘prank macros’), viruses are an opportunity to make money.

Upgrades to Office are sold partly based on increased anti-virus and security protection.  Even now, Microsoft is pushing people to move from Windows 7 and Office 2010 because security updates for those products will stop in 2020.

There’s also anti-virus software with annual fees sold to people scared of computer viruses.  Though Microsoft’s Windows Defender, free with Windows, is enough.

And they stay the same

It’s been twenty years, a new century and many changes in the online world.  But many things about Office security and virus infections haven’t changed.

No end to the security bugs in Windows or Office

Despite all the promises of improved security in Microsoft products, rarely a month goes by without some new bug being found and eventually patched in Windows or Office.

The terms ‘holes’ and ‘Swiss Cheese’ spring to mind.

Some of the bugs are complex and obscure. Others are embarrassing to Microsoft because they are simple and have been there for many years – unnoticed and unpatched.  The old Equation Editor in Office was a way to infect computers that Microsoft sent out with every Office installation for seventeen years.  That bug was so old that it seems Microsoft had lost the source code and had to binary hack the program itself.

Downplaying the risks

Microsoft’s denial and obfuscation about Office viruses hasn’t changed a lot over two decades.  When dealing with viruses, the company’s main aim is PR damage control.  Redmond doesn’t want to hurt sales of Office so their primary interest is in downplaying virus risks.

Back in the 20th Century downplaying virus risk went as far as calling viruses ‘prank macros’. ‘Prank Macros’ was Microsoft preferred term because it made viruses seem like a harmless jape.

Social Engineering

Widespread viruses work not just from technical trickery, the wording of the document and email is vital.

It’s now called ‘Social Engineering’.  Tricking people into opening an infected document or email.  Fake invoices, messages from your boss, email from a friend in trouble and many other tactics to get onto the computer.

Variations on a theme of Melissa

There wasn’t just one Melissa virus, it spawned many copycats.  The virus code was open, so anyone could see the programming at work.  Long time Office Watch friend Claude Almer dug into the Melissa code to see what it did and how it worked.

Other hackers went beyond curiosity.  They took the Melissa code, made some changes and released their own variations.  These mutations continued for months after the initial infection.

That still happens today.  A successful virus has many other versions later and those variants appear a lot faster than in 1999.

The difference is that there are systems in place to block viruses.  Windows Defender is updated automatically and regularly to detect new infections.

Rumors and false information

Looking back on the 1999 coverage of the Melissa virus one thing stood out more than anything – the false information and rumors.

Almost as soon as Melissa came out, there were all sorts of ‘fake news’ about it.  Some was genuine misunderstanding, but some others were what we’d now call trolling or deliberate mischief making.

Even these days we sometimes hear from people who’ve heard about ‘fixes’ like the AAAAAA address book hoax that persists to this day.