General information about the "Melissa" Word macro virus that affects Word 2000, Outlook 2000, and Outlook 98

This article contains important information about the Word macro virus called "Melissa". The following topics are covered in this article:

• Whom can the virus affect?
• What is the "Melissa" macro virus?
• Will Word 2000 protect my computer from this and other macro viruses?
• How do I make sure the Word macro virus protection is turned on?
• How do I make sure that my computer will not be infected?
• What should I do if my computer has been infected by this virus, or I think it has been infected?
• What if I have more questions about macro viruses?

On March 26, 1999, Microsoft was made aware of a Word macro virus W97M/Melissa.A (dubbed "Melissa") that has affected a number of users and companies. As with all security issues, Microsoft takes this very seriously, and because of the widespread nature of this particular virus, Microsoft is taking steps to proactively notify our customers to help minimize its impact. By taking the necessary precautions, you can make sure that it does not affect your computer.

Whom can the virus affect?

This virus can affect people who are using Word with Outlook version 98 or version 2000. If you do not use this software, this particular virus does not affect your computer.

What is the "Melissa" macro virus?

It is a Word macro virus delivered through e-mail in an attached Word document. The e-mail message may contain the subject line "Important Message From "UserName" and it may also contain the message body "Here is that document you asked for ... don't show anyone else ;-)". If the attached Word document is opened and the macro virus is enabled (that is, it is permitted to run), it can propagate itself by sending e-mail with the infected document to a number of recipients. The virus reads the list of members from each Outlook Address Book and sends an e-mail message to the first 50 recipients programmatically.

The name of the original infected Word document is List.doc, but this could be changed to any name. After the virus has been enabled and permitted to run, it can infect your default template (Normal.dot). New documents are based on the Normal.dot template, so they too can become infected. In this scenario, you could create a new document, send or give the file to someone, and their computer could then become infected. The virus would then try to send your document (instead of the original infected List.doc file) out to 50 recipients from each Outlook Address Book.

This virus does not appear to destroy data. If the current day of the month equals the minute value of the current time, and the infected document is opened, the following text is inserted at the current insertion point position:

Will Word 2000 protect my computer from this and other macro viruses?

Yes. Word 2000 will protect you from macro viruses including this one, provided the High Security Level or Medium Security Level is enabled (High is the default setting). With High security enabled, every time you open a Word document that contains macros, only digitally signed macros from trusted sources are permitted to run.

For more information about Security Protection, click Microsoft Word Help on the Help menu, type Security in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.


IMPORTANT NOTE: Authentication and verification of digital signatures requires Internet Explorer 4.x or later. On systems that cannot perform authentication, you should always disable macros when you are not sure of their purpose or functionality. By choosing to disable the macros, you prevent this and any macro virus from running, so that they do no damage. The virus is only activated if you open the attached Word document and choose to enable the macros or if your macro Security Level is set to Low.

How do I make sure that the Word 2000 macro virus protection is turned on?

1. Double-click the Tools menu, point to Macro, and then choose Security.
2. Select the level of security you want. High security allows only macros that have been signed to open. Unsigned macros are automatically disabled. Medium security always brings up the macro protection dialog box that allows you to disable macros if you are unsure of the macros.

IMPORTANT NOTE: If you cannot follow these steps because you cannot find the commands, your computer may already be infected. If so, run antivirus software containing the latest update and scan your system frequently. Support for this particular virus is already available from a number of antivirus vendors. If you cannot run antivirus software, it will be necessary to delete or rename your Normal.dot file. This is the Word global template that is automatically recreated after Word is started. After this is done, repeat the steps above.

For additional information about deleting or renaming the Normal.dot template, see the following article in the Microsoft Knowledge Base:

How do I make sure that my computer will not become infected?

Make sure that the Office macro security levels are set High or Medium as described above. Always choose Disable Macros when you are prompted to do so, if you are not sure of the purpose of the macro in the document. This way, you can open the document and read its contents.

Run the latest antivirus software, and scan frequently. This is how you can make sure that that the macros in documents are safe. Disinfectors for this particular virus are already available from a number of antivirus companies. Also remember to keep your antivirus software up to date by installing the latest signature files for that company. (Most companies creating antivirus applications release a new signature file each month.) For additional information about anti-virus software, click the article number below to view the article in the Microsoft Knowledge Base:

What should I do if my computer has been infected by this virus, or I think it has been infected?

Run antivirus software containing the latest update, and scan your system frequently. Support for this particular virus is already available from a number of antivirus companies.

Make sure that your Office macro security levels are enabled at High or Medium levels. After the virus has been permitted to run, it will disable the virus protection in Word. Remember to make sure that Office security is enabled at these levels by following the steps listed earlier in this article.

What if I have more questions about macro viruses?

For additional information about macro viruses, the "Melissa" virus, and vendors of antivirus software, see the following article in the Microsoft Knowledge Base:
Or try the following Web sites: