Virus: Melissa Virus Containment Instructions Available At www.keyvision.com - KeyVision Enterprise Configuration Management solution - Technology Tutorial

Edge: Work-Group Computing Report, April 5, 1999

KeyVision Enterprise Configuration Management solution helps contain macro viruses such as the infamous Melissa (W97M/Melissa.A) or PAPA over thousands of machines in minutes - the time it takes to configure one machine against the virus. IS managers can take steps to manually contain Melissa one machine at a time or use KeyVision to automatically contain the virus and lockdown the registry to prevent re-infection throughout their enterprise.

Following are instructions for manually containing Melissa using REGEDT32 or for using KeyVision to lock down registry keys for enterprise-wide prevention.

What Melissa Does * Arrives via email in the form of a Word 97 or Word 2000 document * Disables Macro Virus Protection so user is not warned of its presence * Creates a registry key to remind itself that it has been there * Pulls first 50 contacts from each address list in Outlook * Emails itself to these contacts under the guise of an important message from the user * Overloads mail servers rendering them useless What KeyVision 3.0 Can Do * Lockdown registry keys so virus cannot disable Macro Virus Protection * Query the enterprise for early detection of the virus' presence * Apply KeySets to enterprise registries for proactive protection * Monitor enterprise registries for early confirmation of attack

In conjunction with the proper anti-virus software, KeyVision can help to eliminate the potential threat of damaging macro viruses. Visit the KeyVision Registry Resource site at http://www.keyvision.com/regres for more information on how to protect your enterprise from the Melissa macro virus. Type "Melissa" in the description field. To contain the Melissa virus without the aid of KeyVision:

Log on to every computer in your enterprise as every possible user of that computer. Once logged on, search the registry using REGEDT for the key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? If found, the virus is present. If not found, create the key with a default value of "...by Kwyjibo". By doing this, the virus will be tricked into thinking that it has already infected the system should it appear in the future. Melissa only runs itself once on each system. You should also apply the change to the default user for any future users of that machine. For additional protection on Windows NT, you can use REGEDT32 to search for the key HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options make sure that the value Enable Macro Virus Protection is set to 1. (A similar action can be taken for EXCEL and the PAPA virus.) Set permissions for that key to Read Only for all users and the system. This will prevent the virus from disabling the macro virus warning. Again, this has to be done on every computer, for every possible user and the default user.

Instructions for containing Melissa quickly and easily using KeyVision: While no virus can be prevented from coming over email, KeyVision can contain the virus should it begin to apply itself to a system. KeyVision does this by locking down the registry settings that the virus needs to manipulate in order to achieve its directive.

Like most macro viruses that are distributed over email, Melissa comes in the form of a Microsoft Word 97 or 2000 document. As it is being opened, it will disable the Macro Virus Protection feature of Word if it is enabled. KeyVision affords the user the ability to lock down the registry key that corresponds to this Word setting. Melissa cannot disable the Macro Virus Protection feature and the user will be warned of future macros.

Melissa also creates a registry entry at HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ with a default value of "...by Kwyjibo". The purpose of this setting is to trick the virus into thinking that it has already infected the computer. Using KeyVision, a query can be applied to an enterprise to see if this key exists. If it does, the user can be notified that his or her computer is infected and measures can be taken to immediately remove the virus. KeyVision can also create this key in advance and apply it to all computers on the enterprise. Should the virus show up, it would think that it has already infected the computer and desist.

KeyVision applies a proactive approach to Macro Virus Protection, and in conjunction with proper anti-virus software can all but eliminate the threat of potentially damaging viruses.

For further details about these issues and how to protect your enterprise against them, go to the Registry Resources site entries for "Protecting Against the Melissa Virus" located at http://www.keyvision.com/regres. At the Registry Resource site you will also find information on many other virus-related issues by searching on the keyword: virus