"It's an e-mail virus! It's a worm!"
No ... it's a SPAM 'BOT.

"Security experts" are debating whether "Melissa" is a new, horribly fiendish macro virus, or a very clever network worm. (Antivirus developers always have a stable full of "experts" whom they wind up like so many Chatty Cathy's for an appreciative audience of reporters.) Again, see my previous column, Remote Explorer of My Eye for a discussion of Internet worms.

Apparently even the macro's author was conscious of this issue; the macro contains these gleeful comments in its VBA code:

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

By Sunday, I was engaging in a playful argument with two gentlemen far more qualified than I to analyze virus alerts, Rob Rosenberger (webmaster of the Computer Virus Myths home page) and George Smith (editor of The Crypt Newsletter, and author of The Virus Creation Labs). Between us, we've discussed whether this is possibly the work of a spammer promoting a series of adult Web sites ... or a if the URLs are simply "sucker bait," inserted to entice users to open the document, and perhaps manually redistribute it to friends.

This last point gave me an idea.

Like a worm, this virus has had such success at some sites, that mail servers have been experiencing very real "denial of service" crises. Unlike a worm, the virus doesn't communicate with other "segments" on connected computers or servers.

Nor is this another "e-mail virus" that "Good Times-style" hoaxes purport to warn us about -- with a very few exceptions, you still can't get a virus just by reading a message. "Melissa" does not represent a major breakthrough in virus authoring.

But IT DOES represent a marvelous evolution in the realm of chain e-mail and "Forwardables." As I discuss in my "e-v-mail" page, "Forwardables" are messages that rely on the USER'S faulty sense of skepticism, and inclination to send the e-mail to as many people as possible. But until now, manual intervention has always been required, in the form of a user falling victim to the embedded "thought virus" and clicking a FORWARD button.

This is clearly not the case with "Melissa." Once the Word file has been opened, the chain e-mail, or "spam," is sent from the user's computer without any manual intervention.

... "Melissa" may well be the first heuristic, autonomic, self-regenerating SPAM 'BOT.

"Open the pod bay doors, please, Hal."

In more ways than one, "Melissa" reminds me of the HAL-9000 super-computer in Stanley Kubrick's masterpiece, 2001: a space odyssey. HAL, as you may recall, was caught in a deception by the Discovery's mission commander, Dave Bowman, during an informal chat. Reacting quickly, HAL fabricated a false warning about a component of the ship's communications system failing within 72 hours ... unless the ship's crew conducted an EVA to retrieve and replace the AE-35 unit. When they did so, and found nothing wrong with it, they considered HAL at fault.

During a subsequent repair attempt, HAL murdered Frank Poole (the ship's second in command), shut down the life support systems of three hibernating survey team members, and trapped Bowman outside the ship. All while professing unrepentent devotion to the true mission of the Discovery, which HAL had been ordered to keep secret from the crew.

Like Dr. Heywood Floyd's fountain pen floating inside the Space Clipper cabin, and the nuclear satellites orbiting the earth outside, HAL was a symbolic heir to the lethal bone that Moonwatcher hurled to the heavens after killing a rival man-ape. Like that bone (and the pen, and the bombs), HAL was an artifact which carried out man's desires to acquire and protect resources, information.

Like HAL, "Melissa" seeks out secret information and protected resources, and then carries out its own ironic agenda.

Unsolicited commercial e-mail, or e-j-mail (as I called it almost three years ago) is a deception that plays on irony. I receive e-j-mail daily, almost hourly, and I have yet to receive a message which is entirely candid about its origin and purpose. Generally, e-j-mail arrives missives like "This is in response to your inquiry," or "You are on this list because you expressed interest...." Rarely are the mail headers in e-j-mail accurate. I'm sure that "Melissa's" LIST.DOC is no different from dozens of other underwhelming adult "spams" that I receive regularly.

"Melissa" goes further than most e-j-mail, by removing any human intervention in its mission to deliver its payload to as many users as possible. It also spoofs the identity of the person who's been infected. As a "spam 'bot," it is almost ideally suited to its purpose -- if its true purpose is to only promote the sites listed in LIST.DOC,... which is doubtful.

George Smith cautioned me that the porn URLs may only be "sucker bait" to entice users to open the document. This is an old trick, a device to deliver the virus. In such cases, the propagation of the virus is the ultimate goal. I concur. "Melissa" may be a "dry run" before a truly malicious version is unleashed. (Already, a copy-cat version called "Papa" has been reported.)

Like HAL-9000 in the film, "Melissa" is a tool created by man, now self-reliant and proceeding on its own. Like HAL, it carries out its mission without supervision, with selfless abandon, completely independent of its creator. The author's intentions are, at the moment, a complete mystery.

Like HAL, "Melissa" cannot be reasoned with. Only "disconnected."

Taking the podium and making an arrogant prediction,... I have no doubt that various "Melissa" warnings will mutate into reconstituted versions of "Good Times." No doubt.

Mind you, it's not a matter of "who," or a matter of "how." Only a matter of "when." Last Friday, I received a warning about the "Happy99" file attachment ... a warning which fudged the details, and warned against opening the e-mail itself. I believe that the same will happen to "Melissa" before the week is out. By this morning, for example, CNN correspondents had been confusing technical details of "Melissa's" M.O. and warning readers who find the telltale e-mail, "don't open it."

In the meantime, here are my first, best suggestions for anyone who is wary of "Melissa." Like all preventative cures, these steps require effort. They're worth it, trust me.

1. If you receive an e-mail message like that described above, DON'T open the attachment. (Well, duh.)



2. Don't open Word attachments and enable macros. Enable "Macro Virus Protection" (see below) and click DISABLE MACROS when you open Word attachments.



3. As always, treat all suspicious file attachments with caution. When in doubt, delete it, and ask the sender what it was.



4. Please resist the impulse to send out your own warning about this. The news is being spread just fine, thank you. Share the link to this page instead. (Don't worry about me, I can handle the bandwidth.)



5. Several antivirus vendors have already posted vaccines and recipes for protecting yourself from "Melissa." Please review their sites. Again, share the links.



• McAfee, Network Associates
• Symantec
• Trend Micro



6. If you're concerned about Word Template Macro viruses, download and install Microsoft's security patch on all your systems:
   
   
   • Review Microsoft's WD97SP.EXE page.
   • Install the Office 97 Service Release 2 (SR-2), if you haven't.
   • Install the security patch.
   • In Word, ensure that the Tools | Options | General | Macro virus protection setting is CHECKED. When you open a suspicious document, you'll be prompted about macros; click the DISABLE MACROS button.
   
   
   
7. Follow the CIAC's recipe for protecting Word's main template, NORMAL.DOT, from insidious macros:

   To password protect the Normal.dot file in Word 97, perform these steps:

   1. Start Word.
   2. Choose the Tools, Macro, Visual Basic Editor command.
   3. In the Project window of the Visual Basic Editor, click on Normal.
   4. Choose the Tools, Normal Properties command, Protection tab.
   5. Check the Lock Project for Viewing check box and type in a password twice.
   6. Close the dialog box, close the Visual Basic editor.
   7. Quit Word.

   The next time you start Word, the normal.dot template will be protected.

   WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it.

   
   
   
8. If you've made it this far, still paranoid, try my very cool method to protect yourself from unleashing Word macro viruses from Outlook e-mail messages. That's right, folks, open Word documents, in Outlook, with total confidence! Read on....

Remap the default action for Word documents to Word 97 Viewer (tested in Windows NT):

1. Download Microsoft's Word 97 viewer for Windows 95, 98 and NT. This freeware utility displays and prints Word documents WITHOUT running any macros.
2. Install the Word 97 Viewer. If you already have Word 97 installed, Setup will warn you that making the viewer the DEFAULT application for Word files will interfere with your ability to use Word as your e-mail editor (WordMail). Select the option to open Word files in Word by default. Complete the Word Viewer installation.
3. In Explorer, open the Options | File Types tab.
4. Locate the "Microsoft Word Document" registered file type.
5. Here's where you'll need to exercise due care. Click the EDIT button.
6. You will probably see the "Open" command in bold, indicating that it is the default action. Identify the "WordView" command. Highlight that command, and click the SET DEFAULT button. Click OKAY as necessary to complete your changes.
7. Now, when you right-click on a Word file, "Open" is not the default action. Opening the file in the Word 97 Viewer is. Select Open manually to edit Word files.
8. In Outlook 98, double-clicking (or opening) a Word file in an e-mail message will launch the file in the Word 97 viewer, not Word.



9. In most normal contexts (say, double-clicking a Word file in Explorer), you can hold down the SHIFT key to stop any macros from running. This also works when you're creating a new document from a template. Just keep holding the SHIFT key down until the document displays.
   
   For some modicum of protection opening files with Word, you can modify the "Open" command to prevent running the usual "auto macros." Since some Word macro viruses (mind you, not all of them) will run themselves within one of the automatic macros (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit), you can open documents and avoid any functions that are associated with the macros.
   
   Again, a certain level of Windows expertise and caution is required to implement this hack.



1. Follow the steps above for remapping Word files to the Word 97 Viewer, up to Step 8.E.



2. Identify the "Open" command in bold, and click the EDIT button.



3. You should see the following text:
   
   "C:\Program Files\Microsoft Office\Office\winword.exe" /n



4. Add the switch /m to this line so that it reads
   
   "C:\Program Files\Microsoft Office\Office\winword.exe" /n /m

For more information on preventing automatic macros from running, ask the annoyware Word Assistant "Control what happens when you start Microsoft Word?", or seach in the Visual Basic help for the topic "Auto Macros."