Macro Virus Alert
On Friday March 26th, Microsoft was made
aware of a Word macro virus (dubbed "Melissa") that has since affected
a number of PC users and companies. The macro functionality of Microsoft
Office applications provides a programming environment that allows customers
and developers to extend the functionality of Office. However, malicious
hackers have recently taken advantage of this macro functionality to create
these harmful viruses. As with all virus issues, Microsoft takes this issue
very seriously. And because of the widespread nature of this particular
virus, Microsoft is taking steps to proactively notify our customers to
help minimize its impact. Microsoft is actively working with the anti-virus
community and other Internet security groups to educate customers on the
situation and to help minimize the impact of this class of virus.
On Monday, March 29th, a new variant of
the "Melissa" virus was reported. This Alert contains information on this
new variant, dubbed "Papa," and describes the steps users can take to ensure
that both the "Papa" and the "Melissa" viruses do not impact them adversely.
As is common with viruses, additional variants will likely emerge. However,
in the case of any of these variants, the recommended protective precautions
are identical to those previously recommended for the "Melissa" virus.
By taking the necessary precautions you can ensure it does not affect you.
Who can the virus affect?
This virus can affect people who are using
Word 97 or Word 2000 with Outlook 98 or 2000. If you do not use this software,
this particular virus does not affect you.
What is the "Melissa" Macro Virus?
It is a Word 97 or 2000 macro virus delivered
via e-mail in an attached Word document. The e-mail contains the subject
line "Important Message From <UserName>" and/or contains the message body
"Here is that document you asked for ... don't show anyone else ;-)". If
the attached Word document is opened and the macro virus is enabled (i.e.
it is allowed to run), it can propagate itself by sending email with the
infected document to a number of recipients. The virus reads a list of
email addresses from the Outlook Address Book and sends an email message
to the first 50 recipients programmatically.
The name of the original infected Word
document is "List.doc", but this could be changed to any name. This virus
does not appear to destroy data. If the current day of the month equals
the minute value of the current time, and the infected document is opened,
the following text is inserted at the current cursor position:
"Twenty-two points, plus triple-word-score,
plus fifty points for using all my letters. Game's over. I'm outta here."
What is the "Papa" Macro Virus?
The "Papa" virus, a variant of the "Melissa"
virus, is a Microsoft Excel 97 or Excel 2000 macro virus delivered via
e-mail in an attached Excel document. In the case of the "Papa" virus,
the e-mail contains the subject line "Fwd: Workbook from all.net and Fred
Cohen" and/or contains the message body "Urgent info inside. Disregard
macro warning." If the attached Excel document (named "pass.xls") is opened
and the macro is enabled (i.e., is allowed to run), the virus will be activated
and it will attempt to propagate itself by sending e-mail with the infected
document to a number of recipients. For the virus to send the infected
e-mail to others, the Microsoft Outlook 98 or Outlook 2000 messaging and
collaboration client must be on the user's system and be set up with a
working e-mail service. The "Papa" virus reads the list of email addresses
from the Outlook Address Book and attempts to send an e-mail message to
the first 60 contacts automatically, without the user's knowledge. In addition,
the "Papa" virus may generate commands that result in significant network
traffic congestion without the user's knowledge.
Although the name of the attached, infected
Excel document is "pass.xls", this could be changed to any name (note:
the subject line could be changed as well). The "Papa" virus does not appear
to destroy data.
Will Office 97/Office 2000 protect me from
this and other macro viruses?
Yes. Microsoft Office applications including
Microsoft Word and Microsoft Excel are designed to protect you from macro
viruses including the "Melissa" and "Papa" viruses and any variants, provided
the macro virus protection in these applications is turned on (which is
the default setting). With the macro virus protection turned on, every
time you open a document that contains macros, a dialog box appears and
asks you to choose whether to enable or disable included macros. You should
always disable macros when you are not certain of their purpose or functionality.
By choosing to disable the macros, you will prevent any macro viruses from
running, preventing infection by the virus. The virus is only activated
if you open the attached document and choose to enable the macros or if
your macro virus protection settings have been previously turned off and
you open the attachment.
It should be noted that even if the message
containing the virus is not opened, it could still infect others if it
is forwarded. To minimize risk from this virus and to prevent spreading
the virus further, if you receive e-mail with the above-mentioned attachment
and/or subject line, you should delete it immediately without opening the
message.
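The subject lines, message bodies and attachment names described above can be checked mechanically at a mail gateway or over a saved mailbox. The following Python is an added example, not Microsoft's code; the function names (classify, sample) and the matching rules are assumptions made for illustration, and the message built by sample() is constructed test data.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators quoted in this alert, lower-cased for comparison. Melissa's
# body is matched on its first clause so the "..." rendering does not matter.
INDICATORS = {
    "Melissa": ("important message from",
                "here is that document you asked for", "list.doc"),
    "Papa": ("fwd: workbook from all.net and fred cohen",
             "urgent info inside. disregard macro warning.", "pass.xls"),
}
OFFICE_EXT = (".doc", ".xls")  # document types the two viruses travel in


def norm(text):
    """Lower-case and collapse whitespace; mail clients re-wrap lines."""
    return " ".join((text or "").lower().split())


def classify(raw_message):
    """Return (family, matched_fields), or (None, []) when nothing matches."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = norm(msg["subject"])
    part = msg.get_body(preferencelist=("plain",))
    body = norm(part.get_content() if part else "")
    names = [norm(a.get_filename()) for a in msg.iter_attachments()]
    office_doc = any(n.endswith(OFFICE_EXT) for n in names)
    best = (None, [])
    for family, (subj, text, fname) in INDICATORS.items():
        hits = [field for field, ok in (
            ("subject", subject.startswith(subj)),
            ("body", text in body),
            ("attachment", fname in names)) if ok]
        # The file name and subject can be changed, so a subject or body
        # match still counts when some other Office document is attached.
        relevant = "attachment" in hits or (hits and office_doc)
        if relevant and len(hits) > len(best[1]):
            best = (family, hits)
    return best


def sample(subject, body, filename):
    """Build a constructed test message; the attachment bytes are dummy data."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

A message that matches should be quarantined or deleted unopened, as recommended above; the matched_fields list shows which indicators fired so that renamed attachments can be reviewed.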
How do I ensure the Office macro virus protection
is turned on?
In Word 97 and Excel 97
On the Tools menu, click Options.
On the General tab, check Macro Virus Protection.
In Word 2000 and Excel 2000
Double-click on the Tools menu, point to
Macro and then choose Security.
Select the level of security you want.
High security will allow only macros that have been signed to open. Unsigned
macros will be automatically disabled. Medium security always brings up
the macro dialog protection box that allows you to disable macros if you
are unsure of the macros.
IMPORTANT NOTE: If you are not able to
follow the steps above because you cannot find the menu items, you may
already be infected. If so, run anti-virus software containing the latest
update, and scan your system often. Support for this particular virus is
already available from a number of anti-virus companies (see more information
below). If you are not able to run anti-virus software, it will be necessary
to delete or rename your normal.dot file. This is Word's global template
that will automatically be recreated once Word is launched. After this
is done, repeat the steps above.
How do I ensure I will not be infected?
Ensure the Office macro virus protection
is turned on as described above. Always choose "disable macros" when asked,
if you are unsure of the purpose of the macro in the document. Doing so
will still allow you to open the document and read its contents. Once certain
the macro is safe, and only if you need to run the macro, you can then
re-open the document and enable the macro.
Run the latest anti-virus software, and
scan often. This is how you can ensure that the macros in documents are
safe. Disinfectors for this particular virus are already available from
a number of anti-virus companies. Also remember to keep your anti-virus
software up to date by installing the latest signature files for that company.
(Most companies creating anti-virus applications release a new signature
file each month.) The following Knowledge Base article lists some popular
vendors: http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
Communicate this information to all those
who could become infected.
What should I do if I have (or think I have)
been infected by this virus?
Run anti-virus software containing the
latest update, and scan your system often. Support for this particular
virus is already available from a number of anti-virus companies. The following
Knowledge Base article lists some popular vendors: http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
Ensure your Office virus protection is
turned on. Once the Melissa virus has been allowed to run, it will disable
the virus protection in Word 97 or Word 2000. Remember to make sure Office
macro virus protection is turned on by performing the steps listed above.