The Melissa virus, a Microsoft Word macro virus, was but a simple Word macro virus in a long line of Word macro viruses. It differed only in "the speed in which it spread," according to Richard Pethia of CERT1.

Ever since the original winword.concept virus came out in 1995, one copycat macro virus after another came out with varying payloads. This concept virus prompted Microsoft to make the Word Document and Template (.DOT) format information available to anti-virus vendors. Unfortunately, no easily searchable Internet sites provide an exact date for when this was done, but it was likely done around 1996 or 1997.

Word macro viruses spread because of Word's ability to interpret a file's type regardless of its filename extension. Word will recognize a Rich Text Format document, a Word Template, a Word Document, and many third-party document types regardless of their filenames. This allowed virus writers to create Templates with macro code which looked like Documents. Even in 2006 this is a desired feature, and was available in every version of Word since Word 6.0 for Windows 3.1.

Since those times, anti-virus vendors included Word documents in their scans for known viruses, even though Word 95's second revision included a "macro virus protection" switch in one of their options panels which prevented macros in documents from launching. Every version of Word since Word 95's second revision included this switch, and older versions could still use the scanprot2 macro developed by Microsoft to parse Templates and remove all macros.

In spite of Scanprot and Word's later inclusion of macro virus protection, anti-virus vendors insisted their products could detect and remove macro viruses from infected templates posing as documents. When Melissa first came along in 1999, every anti-virus scanner failed to detect it. Other products, along with Word itself, could catch it and remove it, but popular scanners could not catch Melissa without an update. By the time updates were available, it was far too late.

Thus ends the first part of Melissa's Ultimate Lesson:

Popular anti-virus software failed to do its job.

Melissa slipped past anti-virus gateways on mail servers. It slipped past anti-virus extensions in e-mail applications. It slipped past desktop virus scanners. Yet Word -- a Microsoft product -- could catch Melissa before Melissa was written at least two years before Melissa's outbreak.

In spite of this, Pethia of CERT, and others, insisted that we should stay with "tried and true" security products, even though they failed us.

Thus ends the second part of Melissa's Ultimate Lesson:

We can catch viruses before the fact. Don't let the 'experts' tell you otherwise.

  1. http://www.pan-am.ca/antiwindowscatalog/?mode=rant&id=20
  2. http://support.microsoft.com/kb/q133895/
Not footnoted but noteworthy: http://www.theregister.co.uk/2006/01/24/uk_gov_wmf_attack/ -- UK Government repels zero-day WMF attack (from Chinese hackers no less) -- The Register