Stopping Melissa at your mail servers

 While we normally don't bother with Microsoft Office macro viruses, the
"Melissa" virus is especially threatening and borders on a trojan, though the
actual trojan at work is Microsoft Word. The antivirus vendors haven't quite
caught up yet with solutions for IT managers who face Melissa on the server
side today. We manufacture the BOClean antitrojan software but consider
Melissa just another run-of-the-mill Microsoft macro virus with a bit more
teeth than usual, and thus we do not plan to cover this particular nasty in
our BOClean software.

 Since a number of system admins are going to be facing a nasty day, here's a
quick and dirty solution which will allow them to at least parse the incoming
and outgoing email and destroy the virus on its way in or out of their
systems. For those who have not yet encountered this virus, live samples can
be obtained from www.dejanews.com by searching for messages containing the
subject string "Important message from" and decoding the MIME attachments.

 Melissa is just another macro virus with a difference - quite a few in fact.
But because it does not execute and is instead OPENED by MS Office (the
actual trojan), BOClean cannot "see" it. Since all of the antivirus vendors
handle these things, it's merely a matter of them getting updates out that
actually detect it (there apparently were problems with the early releases by
Symantec and NAI).

 Set up the POP3 and SMTP servers to dump ANY DECODED attachment with a .DOC
extension and then grep it for the following string (ASCII): "by Kwyjibo"

 If you're already running a script to handle attachments on inbound email,
adding the grep for these strings should only take a minute or two. Be sure
to trap any .DOC with that string in it both incoming and outgoing (SMTP and
POP) and discard the attachment if encountered. MIME decoding of course will
be needed. If you want to grep the MIME before it is detached, the following
MIME fragment should do handily to trap it before decoding (be sure to
preserve the CR's below):

UgBvAG8AdAAgAEUAbgB0AHIAeQAAAAgATWVsaXNzYT8gACAC
JQAiAgMArgAOAC4uLiBieSBLd3lqaWJvBgCVABYABQH//////////wMAAAAGCQIAAAAAAMAAAAAA
AABGAAAAAAD2A0K+d74BYHmhQ753vgE0AAAAQBQAADAAMAAxAFQAYQBiAGwAZQAAADQCIQBAAiEA
QgKLADAAMAAwAOUAIAA+AiAANAIlAEACAQAuAEQCMgAuAKQAAQAnAEYCDgACAP/

 Anyone using MS Office 97 or 2000 (Word, Excel, Outlook) is in the
crosshairs. If the fragment above is not found in the encoded MIME attachment
(or, if you check after decoding, the plaintext string "by Kwyjibo" does not
appear), it's OK to release the attachment to the recipient(s). Melissa CANNOT
cause any problems for systems where Microsoft Office products or components
are NOT in use.
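 As an added illustration (not the author's script), here is a Python filter that applies the decoded-attachment check described above: it parses a message, base64-decodes each .DOC part, greps it for "by Kwyjibo", discards matching parts and re-emits the mail. It checks the decoded bytes rather than the raw base64 fragment because the same bytes encode to different base64 text depending on their offset within the file and where the lines wrap, so a fixed encoded fragment only matches when the layout aligns exactly. The sample message and document bytes are constructed stand-ins, not a live sample, and treating application/msword parts like .DOC files is an assumption of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Plaintext signature the page tells admins to grep for in decoded .DOC attachments.
MARKER = b"by Kwyjibo"

def is_melissa_doc(part) -> bool:
    """True if a MIME part is a Word attachment whose decoded bytes contain MARKER."""
    name = (part.get_filename() or "").lower()
    # The page keys on the .DOC extension; matching application/msword too is an assumption.
    if not (name.endswith(".doc") or part.get_content_type() == "application/msword"):
        return False
    payload = part.get_payload(decode=True) or b""  # undo base64/quoted-printable first
    return MARKER in payload

def scrub(msg) -> int:
    """Drop flagged attachments from a (possibly nested) multipart; return how many went."""
    if not msg.is_multipart():
        return 0
    removed, kept = 0, []
    for part in msg.get_payload():
        if is_melissa_doc(part):
            removed += 1            # discard the attachment, keep everything else
        else:
            removed += scrub(part)  # recurse into nested multiparts
            kept.append(part)
    msg.set_payload(kept)
    return removed

def strip_melissa(raw: bytes):
    """Parse a raw RFC 822 message, remove flagged .DOC parts, return (clean bytes, count)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = scrub(msg)
    return msg.as_bytes(), removed

def build_sample(doc_bytes: bytes) -> bytes:
    """Constructed test message (NOT a live sample): one text part plus a .doc attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.test", "recipient@example.test"
    m["Subject"] = "Important message from sender"
    m.set_content("Constructed body text for the filter test.")
    m.add_attachment(doc_bytes, maintype="application", subtype="msword", filename="report.doc")
    return bytes(m)

# Constructed stand-ins for a decoded Word file: an OLE header, then the marker (or not).
FLAGGED_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + b"... by Kwyjibo" + b"\x00" * 12
HARMLESS_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + b"quarterly numbers" + b"\x00" * 12

if __name__ == "__main__":
    for doc in (FLAGGED_DOC, HARMLESS_DOC):
        _, n = strip_melissa(build_sample(doc))
        print(f"attachments discarded: {n}")
```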

 Please also note that if your mail server is Microsoft Exchange, then you're
SOL, because Microsoft Exchange Server does NOT permit dumping of inbound mail
when RPC is in use instead of POP3/SMTP. Unbelievable. And I thought NT was
"secure."

 Kevin McAleavey is the author of Privacy Software Corporation's NSClean,
IEClean and BOClean software and wrote this article.
