Vmyths.com


Hoaxes, myths,
urban legends

Columnists

Newsletter
signup

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

W97M/Melissa.W virus (2001)

CATEGORY: Media flops, media fiascoes

Vmyths.com classifies the January 2001 Melissa hysteria as an overblown threat combined with serious misinformation:

  1. This particular virus appeared last year. It doesn't qualify as "new" — yet some antivirus vendors declared it new because they couldn't detect a 1yr-old virus. (See below if you want to know why certain antivirus programs failed their duty.) This isn't the first time antivirus programs failed to detect an aging virus.

  2. Reporters once again talked to public relations employees who fall prey to False Authority Syndrome.

  3. Some antivirus vendors acknowledged the age of this virus, but Vmyths.com believes many reporters made an incorrect assumption in their stories. Most computer users believe antivirus software only fails to detect new viruses. This belief perhaps clouded reporters' ability to recognize the age of this virus.

  4. The media can't agree on a name for the virus in question. Reporters dubbed it with at least five different names so far; at least one reporter mistook it for a different virus. However, we shouldn't blame reporters for failing to agree on a name until antivirus vendors agree on a naming convention.

  5. Many reporters incorrectly described (or failed to describe) the cross-platform threat to their readers. Then again, Vmyths.com believes many PC users dismissed the threat as irrelevant because it involved "Macintosh" and "Word 2001." Word for Windows 97 can execute some macro viruses saved in Word 2001 for Macintosh, and W97M/Melissa.W falls into this category.

...So, now you wonder why some antivirus programs couldn't detect a 1yr-old virus. Three serious issues combined to make it happen.

The first issue concerns the way antivirus vendors scan for known Word macro viruses. Some products scan the human-readable macro source code; other products scan the machine-readable compiled macro code. Word template files contain both versions of the macro code.

The second issue concerns an error in the Word 2001 for Macintosh file format. The file format error doesn't affect Microsoft Word users, but it did affect some antivirus programs. This leads us to the third issue: some antivirus vendors failed to do adequate software testing.

Here's a simple view of what probably happened:

  1. An unprotected Macintosh user opened an infected Word template file in a freshly installed version of Word 2001. It converted the file, compiled the macros, and executed the virus code. However, W97M/Melissa.W couldn't transmit itself to others from a Macintosh system.
  2. The Macintosh user (not the virus) sent the newly modified file to a PC user who runs Word for Windows 97 or better and Outlook 98 or better. It probably happened in a company where Mac & PC users mingle.
  3. Some antivirus programs detected W97M/Melissa.W because they correctly scanned macro source code in a Word 2001 file. Other antivirus programs missed it because they incorrectly scanned compiled macro code in a Word 2001 file.
  4. The PC user opened the Word 2001 file in Word for Windows 97 or better. It ignored the file format error, compiled the macros, and executed the virus. W97M/Melissa.W transmitted the (unchanged) Word 2001 file to others via Outlook 98 or better.
  5. Go back to step 3.
Computer security firms often blame Microsoft when their own products fail to protect users. Vmyths.com predicts antivirus vendors will blame their failures on Microsoft's Word 2001 for Macintosh file format — without addressing the shortcomings in their virus detection methods or their software testing methods.

Last updated: 2001/2/2