As for the question posed in the subject, I was under the impression that a virus ran on one single machine and that was the end of it's story. Someone had to physically put it onto your machine for it to get there and when it was done with you, that particular program was finished.
With a worm, however, the program doesn't "want" to "die" on your machine. It has the ability to transfer between machines that are connected through some sort of networking protocol.
So, in the case of Melissa, I would think that it SHOULD be called a worm for the simple fact that it transfers itself through email (TCP/IP). My only doubt lies in the fact that Central Command has also labled it a virus.
Someone said they didn't even know what Melissa does, so below is an copy of what Central Command posted to their web site recently. BTW, if what Central Command says about Melissa is true, I can find out whether I'm infected with Melissa by using regedit.exe and Ctrl+F;-)
This macro virus replicates under Word 8 and Word 9 (Office97 and Office2000), infects Word document and templates, and sends its copies in Email messages. The virus has trigger routine, changes the system registry, disables Word macro-virus protection.
The virus is able to spread to Office2000 (Word ver.9) documents. This possibility is based on Office "convertation" feature. When new Office version opens and loads documents and templates created by previous Word versions, it converts data in documents to new formats. The macro program in files are also converted, including virus macros. As a result the virus is able to replicate itself under Office2000. In case the virus is run in Office2000 it performs additional action: it disables (sets to minimal level) Office2000 security settings (anti-virus protection).
The virus code contains one module named "Melissa" with one auto-function in it: "Document_Open" in infected documents, or "Document_Close" in NORMAL.DOT (global macros area). The virus infects the global macros area on an infected document opening, and spreads to other documents on their closing. To infect documents and templates the virus copies its code line-by-line from infected object to victim one. In case the NORMAL.DOT is being infected, the virus names its program in module as "Document_Close", when the virus copies its code from NORMAL.DOT to a document, the virus names it "Document_Open". As a result the virus installs itself into the Word application at the same time infected document is opened, and affects other documents only when they are closed.
To send its copies in email messages the virus uses VisualBasic abilities to activate other Microsoft applications and use their routines: the virus gets access to MS Outlook and calls its functions. The virus gets the addresses from Outlook database and sends to all of them a new message. This massage has: The subject: "Important Message From [UserName]" (UserName is variable) Message body: "Here is that document you asked for... don't show anyoneelse;-)"
The message also has attached document (needless to say that it is infected) - the virus attaches the document that is being edited now (active document). As a side effect of this way of spreading the user's documents (including confidential ones) can be sent out to the Internet. The virus sends infected emails only one time. Before sending the virus checks system registry for its ID stamp:
HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"
If this entry does not exist, the virus sends e-mails from infected computer, and then creates this entry in the registry. Otherwise the virus jumps over the email routine. As a result the virus sends infected email messages only once: on next attempts it locates the "Melissa?=" entry, and skips it.
The virus also have trigger routine that is activated if current day number is equal to current minutes, each time virus macros get control. This routine inserts the text into the current document:
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
The virus has the comments:
WORD/Melissa written by Kwyjibo Works in both Word 2000 and Word 97 Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! Word -> Email | Word 97 Word 2000... it's a new age!
Slashdot Mirror
As for the question posed in the subject, I was under the impression that a virus ran on one single machine and that was the end of it's story. Someone had to physically put it onto your machine for it to get there and when it was done with you, that particular program was finished.
;-)
- --
... don't show anyoneelse ;-)"
... it's a new age!
With a worm, however, the program doesn't "want" to "die" on your machine. It has the ability to transfer between machines that are connected through some sort of networking protocol.
So, in the case of Melissa, I would think that it SHOULD be called a worm for the simple fact that it transfers itself through email (TCP/IP). My only doubt lies in the fact that Central Command has also labled it a virus.
Someone said they didn't even know what Melissa does, so below is an copy of what Central Command posted to their web site recently. BTW, if what Central Command says about Melissa is true, I can find out whether I'm infected with Melissa by using regedit.exe and Ctrl+F
-----------------------------------------------
This macro virus replicates under Word 8 and Word 9 (Office97 and Office2000), infects Word document and templates, and sends its copies in Email messages. The virus has trigger routine, changes the system registry, disables Word macro-virus protection.
The virus is able to spread to Office2000 (Word ver.9) documents. This possibility is based on Office "convertation" feature. When new Office version opens and loads documents and templates created by previous Word versions, it converts data in documents to new formats. The macro program in files are also converted, including virus macros. As a result the virus is able to replicate itself under Office2000.
In case the virus is run in Office2000 it performs additional action: it disables (sets to minimal level) Office2000 security settings (anti-virus protection).
The virus code contains one module named "Melissa" with one auto-function in it: "Document_Open" in infected documents, or "Document_Close" in NORMAL.DOT (global macros area). The virus infects the global macros area on an infected document opening, and spreads to other documents on their closing. To infect documents and templates the virus copies its code line-by-line from infected object to victim one. In case the NORMAL.DOT is being infected, the virus names its program in module as
"Document_Close", when the virus copies its code from NORMAL.DOT to a document, the virus names it "Document_Open". As a result the virus installs itself into the Word application at the same time infected document is opened, and affects other documents only when they are closed.
To send its copies in email messages the virus uses VisualBasic abilities to activate other Microsoft applications and use their routines: the virus gets access to MS Outlook and calls its functions. The virus gets the addresses from Outlook database and sends to all of them a new message. This massage has: The subject: "Important Message From [UserName]" (UserName is variable) Message body: "Here is that document you asked for
The message also has attached document (needless to say that it is infected) - the virus attaches the document that is being edited now (active document). As a side effect of this way of spreading the user's documents (including confidential ones) can be sent out to the Internet. The virus sends infected emails only one time. Before sending the virus checks system registry for its ID stamp:
HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"
If this entry does not exist, the virus sends e-mails from infected computer, and then creates this entry in the registry. Otherwise the virus jumps over the email routine. As a result the virus sends infected email messages only once: on next attempts it locates the "Melissa?=" entry, and skips it.
The virus also have trigger routine that is activated if current day number is equal to current minutes, each time virus macros get control. This routine inserts the text into the current document:
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
The virus has the comments:
WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 Word 2000