Melissa mutates into copycat virus via RTF

The Melissa virus, which swept across networks around the world in April, has popped up again in a mutated format that may have occurred when it inadvertently came in contact with another virus. The latest variation on Melissa uses a macro virus to replicate itself as the original did, but it now changes the file extension of the Word document from a .doc to a .rtf format.

The Melissa virus, which swept across networks around the world in April, has popped up again in a mutated format that may have occurred when it inadvertently came in contact with another virus.

The original Melissa virus had clogged networks by sending itself to the first 50 names in an infected user's address book. The latest variation on Melissa uses a macro virus to replicate itself as the original did, but it now changes the file extension of the Word document from a .doc to a .rtf (Rich Text File, or RTF) format. This may effectively camouflage the virus from anti-virus systems that are looking only for the .doc version of the attack.

The virus is not actually an RTF document, however; it is simply a Word file masquerading as an RTF file, because RTF files cannot contain macro documents.

"An RTF file cannot contain macros, so it cannot contain macro viruses," said Sal Viveros, group marketing manager for Total Virus Defense at Network Associates, in Santa Clara, Calif., which was contacted about the virus by users. "But with Word you can name your extensions anything you want, so all this virus writer did was change the list.doc in Melissa to list.rtf."

The RTF Melissa virus is similar to the CAP virus, which was discovered in 1997 and altered .doc formats to .rtf formats. CAP was summarily added to anti-virus protection application lists, but the similarity of the two viruses -- and the possible results of an interaction between the two -- has also lead Viveros to speculate that the two viruses might have met and mutated in the wild.

If a system that was infected with the CAP virus also contracted Melissa, then CAP could have altered the Melissa files to replicate as RTF files and could continue to spread the infection.

"It could have been that someone had the CAP virus on the system that was infected by Melissa," Viveros said. "Maybe it was accidental that this was changed to RTF."

However, there is no way to determine whether this has been the case, according to Viveros.

This new version of the Melissa virus is one of many copycat viruses that have been discovered since the initial outbreak of the virus.

To protect against the latest version of Melissa, anti-virus vendors recommend that users keep their anti-virus lists regularly updated and be informed of the dangers of opening suspicious macros, especially ones that fit the Melissa profile.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]