Subj: [WebSiteDaily] The Melissa Virus Epidemic
Date: 99-03-28 12:26:16 EST
From: [EMAIL PROTECTED] (Robert W. Neill, Jr.)
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
SPECIAL REPORT
The Melissa Virus
>From WebSiteDaily
==============
Warnings of Computer Virus Issued
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/1999
032
8/tc/computer_virus_3.html
Experts at Carnegie Mellon University warn of new computer virus
http://cnn.com/US/9903/27/AM-ComputerVirus.ap/
'Melissa' virus infections escalate
Sixty sites reported stricken by Saturday. Expert: Come Monday 'this is going
to be a major problem.'
http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/n
ews/
19990327/2233130.inp
Epidemic virus infects corporate e-mail
A number of Microsoft Corp. Outlook/Exchange customers -- including Microsoft
itself, as well as Intel Corp. -- are being hit hard by a macro virus that is
replicating infected pornography-related information throughout corporate
email systems.
http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/n
ews/
19990327/2233030.inp
Melissa Virus Profile On McAfee Site
http://vil.mcafee.com/vil/vm10120.asp
Sendmail Patch For Melissa Virus
http://www.sendmail.com/blockmelissa.html
CERT Information - Melissa Virus
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
Microsoft Patch
http://www.microsoft.com/security/bulletins/ms99-002.asp.
=========================================
CA-99-04-Melissa-Macro-Virus
Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999
Systems Affected
� Machines with Microsoft Word 97 or Word 2000
� Any mail handling system could experience performance problems or a denial
of service as a result of the propagation of this macro virus.
Overview
At approximately 2:00 PM GMT-5 on Friday March 26 1999, we began receiving
reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating
via email attachments. The number and variety of reports we have received
indicate that this is a widespread attack affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in the form of a
user opening an infected Word document) is required for this virus to
propagate. It is possible that under some mailer configurations, a user might
automatically open an infected document received in the form of an email
attachment. This macro virus is not known to exploit any new vulnerabilities.
While the primary transport mechanism of this virus is via email, any way of
transferring files can also propagate the virus.
Anti-virus software vendors have called this macro virus the Melissa macro or
W97M_Melissa virus.
I. Description
The Melissa macro virus propagates in the form of an email message containing
an infected Word document as an attachment. The transport message has most
frequently been reported to contain the following Subject header:
Subject: Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two sections.
The first section of the message (Content-Type: text/plain) contains the
following text.
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially reported to
be a document called "list.doc." This document contains references to
pornographic web sites. As this macro virus spreads we are likely to see
documents with other names. In fact, under certain conditions the virus may
generate attachments with documents created by the victim.
When a user opens an infected .doc file with Microsoft Word97 or Word2000, the
macro virus is immediately executed if macros are enabled.
Upon execution, the virus first lowers the macro security settings to permit
all macros to run when documents are opened in the future. Therefore, the
user will not be notified when the virus is executed in the future.
The macro then checks to see if the registry key:
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo." If that registry key does not exist or does
not have a value of "... by Kwyjibo," the virus proceeds to propagate itself
by sending an email message in the format described above to the first 50
entries in every MAPI address book readable by the user executing the macro.
Keep in mind that if any of these email addresses are mailing lists, the
message will be delivered to everyone on the mailing lists. In order to
successfully propagate, the affected machine must have Microsoft Outlook
installed; however, Outlook does not need to be the mailer used to read the
message.
Next, the macro virus sets the value of the registry key to "... by Kwyjibo."
Setting this registry key causes the virus to only propagate once per session.
If the registry key does not persist through sessions, the virus will
propagate as described above once per every session when a user opens an
infected document. If the registry key persists through sessions, the virus
will no longer attempt to propagate even if the
affected user opens an infected document.
The macro then infects the Normal.dot template file. By default, all Word
documents utilize the Normal.dot template; thus, any newly created Word
document will be infected. Because unpatched versions of Word97 may trust
macros in templates the virus may execute without warning. For more
information please see:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Finally, if the minute of the hour matches the day of the month at this point,
the macro inserts into the current document the message "Twenty-two points,
plus triple-word-score, plus fifty points for using all my letters. Game's
over. I'm outta here."
Note that if you open an infected document with macros disabled and look at
the list of macros in this document, neither Word97 nor Word2000 list the
macro. The code is actually VBA (Visual Basic for Applications) code
associated with the "document.open" method. You can see the code by going
into the Visual Basic editor.
If you receive one of these messages, keep in mind that the message came from
someone who is affected by this virus and they are not necessarily targeting
you. We encourage you to contact any users from which you have received such
a message. Also, we are interested in understanding the scope of this
activity; therefore, we would appreciate if you would report any instance of
this activity to us according to our Incident Reporting Guidelines document
available at:
http://www.cert.org/tech_tips/incident_reporting.html
II. Impact
� Users who open an infected document in Word97 or Word2000 with macros
enabled will infect the Normal.dot template causing any documents referencing
this template to be infected with this macro virus. If the infected document
is opened by another user, the document, including the macro virus, will
propagate. Note that this could cause the user's document to be propagated
instead of the original document, and thereby leak sensitive information.
� Indirectly, this virus could cause a denial of service on mail servers.
Many large sites have reported performance problems with their mail servers as
a result of the propagation of this virus.
III. Solutions
� Block messages with the signature of this virus at your mail transfer
agents.
With Sendmail
Nick Christenson of sendmail.com provided information about configuring
sendmail to filter out messages that may contain the Melissa virus. This
information is available from the follow URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-
filter.txt
� Utilize virus scanners
Most virus scanning tools will detect and clean macro viruses. In order to
detect and clean current viruses you must keep your scanning tools up to date
with the latest definition files.
� McAfee / Network Associates
http://vil.mcafee.com/vil/vm10120.asp
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
� Symantec
http://www.symantec.com/avcenter/venc/data/mailissa.html
� Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html
� Encourage users at your site to disable macros in Microsoft WordNotify all
of your users of the problem and encourage them to disable macros in Word. You
may also wish to encourage users to disable macros in any product that
contains a macro language as this sort of problem is not limited to Microsoft
Word. In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection' checkbox). In
Word2000 macro execution is controlled by a security level variable similar to
Internet Explorer (click on Tools/Macro/Security and
choose High, Medium, or Low). In that case, 'High' silently ignores the VBA
code, Medium prompts in the way Word97 does to let you enable or disable the
VBA code, and 'Low' just runs it.
Word2000 supports Authenticode on the VB code. In the 'High' setting you can
specify sites that you trust and code from those sites will run.
� General protection from Word Macro Viruses
For information about macro viruses in general, we encourage you to review the
document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is
available at.
http://www.nai.com/services/support/vr/free.asp
Acknowledgements
We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick
Christenson of sendmail.com, Dan Schrader of Trend Micro, and Jason Garms and
Karan Khanna of Microsoft for providing information used in this advisory.
Additionally we would like to thank the many sites who reported this activity.
------------------------------------------------------------------------
This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
------------------------------------------------------------------------
CERT/CC Contact Information
Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours, on
U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from:
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web
site:
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to
[EMAIL PROTECTED] and include SUBSCRIBE your-email-address in the
subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in:
http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and
Trademark Office
------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as to
any matter including, but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any kind
with respect to freedom from patent, trademark, or copyright infringement.
