This information came from Microsoft in reference to protecting yourself against a computer virus called 'Melissa'.

Certainly, many of you have heard of "The Melissa Virus" through local and national media sources. The information provided below will help you to protect and sanitize your environment from this virus. Updated information will continue to be available on http://officeupdate.microsoft.com/articles/macroalert.htm

Thank you,
Microsoft Education Customer Unit
_______________________

Melissa Word Macro Virus

The attached Premier alert describes the Melissa virus that is affecting email users worldwide. While the Melissa virus itself does not do real damage to a person's PC system or to MS Word, the virus replicates by email and thus can create a mail storm. This mail storm will impact any messaging environment, and the overall impact will depend on the number of mail messages a person or company lets through.

Multiple alerts have also been published by CERT (Computer Emergency Response Team), the CIAC (Computer Incident Advisory Capability), the NIPC (National Infrastructure Protection Center), and the FBI. The most comprehensive notices and means of protection/prevention can be found at the CERT and CIAC sites:

http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
http://www.ciac.org/ciac/bulletins/j-037.shtml

These sites are being updated regularly.

Microsoft believes the best defense is a strong offense. This means taking aggressive action to limit the spread of the virus, scanning all documents with the latest virus updates, and educating all users. Additionally, any messaging system, site, or location which is suspect should be isolated until it is cleaned and all points of entry are protected.

In addition to the suggestions and solutions listed above, Microsoft also recommends the following preventative measures to our Premier customers with Exchange:

• Check with your virus software vendor to download signature updates specific to the Melissa virus. Most vendors have provided these updates over the weekend.
• All SMTP entry points to one's messaging system should at the least scan all inbound and outbound documents/attachments. If necessary, customers should be prepared to drop these connections to prevent the spread of the Melissa virus.
• All connections between disparate messaging systems, messaging sites, or messaging servers within a customer's infrastructure should have scanning software in place for inbound/outbound documents/attachments. If necessary, customers should be prepared to drop these connections to prevent spreading.
• Customers should be using their internal alert process to notify their users of the spread and prevention (voicemail, email, intercom, etc.), even going as far as distributing flyers by hand if necessary.
• Educate end users on how to use Outlook rules to delete infected messages. The attached Word document describes how to create client-side rules in Outlook.
• Because the virus sends mail to the first 50 users in each address book, 52 NULL address book entries should be added to the top of the GAL and all other address containers which could be used for name resolution. To do this, you need to create 52 distribution lists that don't contain any users, then add them to the top of the GAL and all recipient containers.

Once infected, here is what can be done to sanitize:

• Once infected, customers should be good net citizens and stop the spread by turning off the Internet Mail Connectors, both inbound and outbound, thus disconnecting from the rest of the world until they have the appropriate scanning software in place on their gateways.
• If MTAs are backing up, you will need to use the FindBin tool to purge the MTAs (see below).
• Clean their stores with either Melissa Exmerge or the Microsoft Store Sanitizer mss.exe (see below).
• Customers should verify their Address Books have been updated with the suggested NULL entries to prevent further spread of the virus.
• Customers should be updating all of their virus scanning software. Virus software vendors have been updating their websites over the weekend with signature updates.
• Customers should disable macros in MS Word where possible.

For customers with Exchange, Microsoft has several utilities it is working on to help alleviate the problem.

• Microsoft is currently providing utilities to customers, which will assist in the cleanup of problems associated with the Melissa virus. These utilities are available in the file Melissa-virus.zip located at FTP://ftp.Microsoft.com/transfer/outgoing/bussys/mail. This zip file contains multiple tools and their associated readme documents describing the utilities and their use. As more utilities become available, they will be incorporated into this file. Please visit the site regularly, checking the file date to determine if additional utilities have been provided.
• Currently included in this file are the following utilities / documents:

    Melissa-Virus Removal Procedure Explanation.doc - general Q&A surrounding eradication procedures.
    Virusclean.doc - Word document that gives you a macro button to clean the Melissa virus.
    MSS.exe - the preferred tool for cleaning your store, as it is faster than Melissa Exmerge and searches the entire store; can be run against a live server, but the user load can affect performance; can specify an input string to search on; this will be the preferred method of cleaning should the virus mutate by changing the subject line.
    Melissa Exmerge - a modified version of exmerge.exe that purges messages from the store; slower than mss.exe, but does not require a MAPI profile on the server; searches for the hardcoded string "Important message from" and moves matching messages to a .pst file; only searches inbox/outbox/sentmail; server can be online.
    FindBin - purges the MTA of the offending email messages; MTA needs to be offline.
    IMC cleaner - IMC needs to be shut down to use.

• Additionally, a revision of mss.exe entitled mssb.exe is also available for download at the same site. This utility can be run periodically and requires no user intervention to OK deletion of files.
• One additional utility is accessible only via CPR and has been going through extensive testing and updating. This is an update to the ISINTEG utility which ships with Exchange and is available for all server versions and OS platforms (Intel/Alpha). Release of this is being controlled until the confidence level of the overall impact to the Exchange environment is known. The development team has been working all weekend to ensure success. While this is a fast utility, the store must be offline to use it.
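
The subject-string sweep described above for Melissa Exmerge and MSS.exe, sketched as an added Python example (not Microsoft's tools and not code from the original alert). The store is a constructed dictionary of folders; the folder names and the "Urgent note from" variant subject are assumptions, and only the string "Important message from" comes from the alert. It shows why a sweep limited to inbox/outbox/sentmail leaves copies elsewhere in the store, and why a configurable search string matters if the subject line changes.

```python
from email import message_from_string, policy

HARDCODED = "Important message from"           # search string named in the alert
EXMERGE_FOLDERS = ("inbox", "outbox", "sent")  # assumed names for inbox/outbox/sentmail

def subject_matches(raw, needle):
    """True when the Subject header contains needle (case-insensitive)."""
    subject = message_from_string(raw, policy=policy.default)["Subject"] or ""
    return needle.lower() in str(subject).lower()

def sweep(store, needle=HARDCODED, folders=None):
    """Move matching messages out of store and return them as a quarantine list.

    folders=None searches the entire store; a tuple of folder names limits
    the sweep to those folders, leaving every other folder untouched.
    """
    quarantine = []
    for folder in list(store):
        if folders is not None and folder not in folders:
            continue
        kept = []
        for raw in store[folder]:
            if subject_matches(raw, needle):
                quarantine.append((folder, raw))
            else:
                kept.append(raw)
        store[folder] = kept
    return quarantine

def make(subject):
    """Build a constructed RFC 822 message with the given subject."""
    return f"From: a@example.test\nTo: b@example.test\nSubject: {subject}\n\nbody\n"

def sample_store():
    """Constructed mailbox store: folder name -> list of raw messages."""
    return {
        "inbox": [make("Important Message From Pat"), make("Lunch on Friday")],
        "sent": [make("Important Message From Me")],
        "archive": [make("Fwd: Important Message From Pat")],
        "outbox": [make("Urgent note from Pat")],  # constructed changed-subject variant
    }

if __name__ == "__main__":
    print(len(sweep(sample_store(), folders=EXMERGE_FOLDERS)), "moved by limited sweep")
    print(len(sweep(sample_store())), "moved by whole-store sweep")
    print(len(sweep(sample_store(), needle="Urgent note from")), "moved by custom string")
```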
