Mailing-List: Gunadarma University (http://www.gunadarma.ac.id) Mailing List. Reply-to: [EMAIL PROTECTED] Delivered-To: mailing list [EMAIL PROTECTED] Received: (qmail 18682 invoked from network); 31 Mar 1999 01:49:55 -0000 Message-ID: <[EMAIL PROTECTED]> Date: Wed, 31 Mar 1999 08:47:45 +0700 From: Virgani Dirgacahya <[EMAIL PROTECTED]> Organization: Dexa Medica, Factory, Plg Indonesia X-Mailer: Mozilla 3.0Gold (WinNT; I) MIME-Version: 1.0 To: [EMAIL PROTECTED], [EMAIL PROTECTED] Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-MDaemon-Deliver-To: [EMAIL PROTECTED] Subject: [GUNADARMA] Virus Mellisa >Old-Return-Path: <[EMAIL PROTECTED]> >From: "Rob Slade, doting grandpa of Ryan and Trevor" <[EMAIL PROTECTED]> >Organization: Vancouver Institute for Research into User >To: [EMAIL PROTECTED] >Date: Tue, 30 Mar 1999 16:51:23 -0800 >Reply-to: [EMAIL PROTECTED] >CC: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] >Priority: normal >Subject: [Secure-NT] "Melissa" macro virus >Resent-From: [EMAIL PROTECTED] >X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/444 >X-Loop: [EMAIL PROTECTED] >Resent-Sender: [EMAIL PROTECTED] > >The Melissa macro virus >A report prepared by Robert M. Slade > > >The following is an attempt to bring together the information about >the Melissa virus. It is taken from the most reliable available >sources. Additional sites have been listed at the end of the article. >I have not added a copyright line to this message in order to allow it >to be used as needed. I will be posting the latest updated version of >this article at http://sun.soci.niu.edu/~rslade/melissa.txt and >http://victoria.tc.ca/techrev/melissa.txt. > > >The virus, generally referred to as W97M.Melissa.A (with some >variations: Symantec, in a rather strained effort to be cute, seems to >be calling it "Mailissa"), is a MS Word macro virus. This means that, >if you don't use Word, you are safe. Completely safe. (Except for >being dependent upon other people who might slow their/your mail >server down. More on that later.) If you need to look at MS Word >documents, there is a document viewer available (free, as it happens) >from Microsoft. This viewer will not execute macros, so it is safe >from infection. > >In the messages about Melissa, there have been many references to the >mythical and non-existent "Good Times" virus. Note that simply >reading the text of a message still cannot infect you. However, note >also that many mailers, in the name of convenience, are becoming more >and more automated, and much of this automation concerns running >attached files for you. As Padgett Peterson, author of one of the >best macro virus protection tools, has stated, "For years we have been >saying you could not get a virus just by "opening E-Mail. That bug is >being fixed." > >Melissa does not carry any specifically damaging payload. If the >message is triggered there will be text added to the active document. >The mailout function can cause a large number of messages to be >generated very quickly, and this has caused the shutdown of a number >of corporate mail servers. > >If you have Word set with macros disabled, then the virus will not >active. However, relying on this protection is a very dangerous >proposition. Previous macro viruses have also killed macro protection >in Word, and this one does as well. > >The name "Melissa" comes from the class module that contains the >virus. The name is also used in the registry flag set by the virus. > >The virus is spread, of course, by infected Word documents. What has >made it the "bug du jour" is that it spreads *itself* via email. We >have known about viruses being spread as attachments to email for a >long time, and have been warning people not to execute attachments (or >read Word documents sent as attachments) if you don't know where they >came from. Happy99 is a good example: it has spread very widely in >the past month by sending itself out as an email attachment whenever >it infects a system. > >Melissa was originally posted to the alt.sex newsgroup. At that time >it was LIST.DOC, and purported to be a list of passwords for sex >sites. I have seen at least one message theorizing that Melissa is >someone's ill-conceived punishment for viewers of pornography. This >hypothesis is extremely unlikely. Sending a virus to a sex related >newsgroup seems to be a reliable way to ensure that a number of stupid >people will read and/or execute your program, and start your new virus >off with a bang. (No pun intended.) > >If you get a message with a Melissa infected document, and do whatever >you need to do to "invoke" the attachment, and have Word on your >system as the default program for .doc files, Word starts up, reads in >the document, and the macro is ready to start. If you have Word's >"macro security" enabled (which is not the default) it will tell you >that there is a macro in the document. Few people understand the >import of the warning, and there is no distinction between legitimate >macros and macro viruses. > >Because of a technical different between normal macros and "VBA >objects," if you ask for a list of the macros in the document, Melissa >will not show up. It will be visible if you use the Visual Basic >Editor, but only after you have loaded the infected file. > >Assuming that the macro starts executing, several things happen. > >The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word >9) is running. If so, it reduces the level of the security warnings >on Word so that you will receive no future warnings. In Word97, the >virus disables the Tools/Macro menu commands, the Confirm Conversions >option, the MS Word macro virus protection, and the Save Normal >Template prompt. It "upconverts" to Word 2000 quite nicely, and there >disables the Tools/Macro/Security menu. > >Specifically, under Word 97 it blocks access to the Tools|Macro menu >item, meaning you cannot check any macros. It also turns off the >warnings for conversion, macro detection, and to save modifications to >the NORMAL.DOT file. Under Word 2000 it blocks access to the menu >item that allows you to raise your security level, and sets your macro >virus detection to the lowest level, that is, none. (Since the access >to the macro security menu item is blocked, I do not know how this >feature can be reversed, other than programmatically or by >reinstallation.) > >After this, the virus checks for the >HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key >with a value of "... by Kwyjibo". (The "kwyjibo" entry seems to be a >reference to the "Bart the Genius" episode of the "Simpsons" >television program where this word was used to win a Scrabble match.) > >If this is the first time you have been infected (and this "first >time" business is slightly complicated), then the macro starts up >Outlook, in the background, and sends itself as an attachment to the >"top" 50 names in *each* of your address lists. (Melissa will *not* >use Outlook Express.) Most people have only one (the default is >"Contacts"), but if you have more than one then Outlook will send more >than 50 copies of the message. Outlook also sorts address lists such >that mailing lists are at the top of the list, so this can get a much >wider dispersal than just fifty copies of the message/virus. There >was also a mention on one message about MAPI and Exchange servers, >which may give access to a very large number of mailing lists. From >other reports, though, people who use Exchange mail server are being >particularly hard hit. Then again, people who use Exchange are >probably also standardized on Word and Outlook. > >Some have suggested setting this registry key as a preventative >measure, but note that it only prevents the mailout. It does not >prevent infection. If you are infected, and the registry key is >removed at a later date, then a mailout will be triggered the next >time an infected document is read. > >Once the messages have been sent, the virus sets the Melissa flag in >the registry, and looks for it to check whether or not to send itself >out on subsequent infections. If the flag does not persist, then >there will be subsequent mass mailings. Because the key is set in >HKEY_CURRENT_USER, system administrators may have set permissions such >that changes made are not saved, and thus the key will not persist. >In addition, multiple users on the same machine will likely each >trigger a separate mailout, and the probability of cross infection on >a common machine is very high. > >Since it is a macro virus, it will infect your NORMAL.DOT, and will >infect all documents thereafter. The macro within NORMAL.DOT is >"Document_Close()" so that any document that is worked on will be >infected when it is closed. When a document is infected the macro >inserted is "Document_Open()" so that the macro runs when the document >is opened. > >Note that *not* using Outlook does not protect you from the virus, it >only means that the 50 copies will not be automatically sent out. If >you use Word but not Outlook, you will still be infected, and may >still send out infected documents on your own. The virus also will >not invoke the mailout on Mac systems, but definitely can be stored >and resent from Macs. At this time I do not have reliable information >about whether it can reproduce on Macs (there is one report that it >does), but the likelihood is that it can. > >Vesselin Bontchev has noted that the virus never explicitly terminates >the Outlook program. It is possible that multiple copies may be >invoked, and may create memory problems. However, this has not been >confirmed, and is not probable given the "first time" flag that is >set. > >The message appears to come from the person just infected, of course, >since it really is sent from that machine. This means that when you >get an "infected" message it will probably appear to come from someone >you know and deal with. The subject line is "Important Message From: >[name of sender]" with the name taken from the registration settings >in Word. The test of the body states "Here is that document you asked >for ... don't show anyone else ;-)". Thus, the message is easily >identifiable: that subject line, the very brief message, and an >attached Word document (file with a .doc extension to the filename). >If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH >WORD!* If you do not have alternate means or competent virus >assistance, the best recourse is to delete the message, and >attachment, and to send a message to the sender alerting them to the >fact that they are, very likely, infected. Please note all the >specifics in this paragraph, and do not start a panic by sending >warnings to everyone who sends you any message with an attachment. > >However, please also note that, as with any Word macro virus, the >source code travels with the infection, and it will be very easy to >create modifications to Melissa. (The source code has already been >posted to one Web site.) We will, no doubt very soon, start seeing >many Melissa variants with different subjects and messages. There is >already one similar Excel macro virus, called "Papa." The virus >contains the text "Fred Cohen" and "all.net," leading one rather >ignorant reporter to assume that Fred was the author. Dr. Cohen was >the first person to do formal research into viral programs. > >There is a message that is displayed approximately one time in sixty. >The exact trigger is if the current system time minute field matches >the current system time day of the month field when the virus is run. >In that case, you will "Twenty-two points, plus triple-word-score, >plus fifty points for using all my letters. Game's over. I'm outta >here." typed into your document. (This is another reference to the >"Simpsons" episode referred to earlier.) > >One rather important point: the document passed is the active >document, not necessarily the original posted on alt.sex. So, for >example, if I am infected, and prepare some confidential information >for you in Word, and send you an attachment with the Word document, >containing sensitive information that neither you nor I want made >public (say, the fact that Bill Gates is a jerk for having designed >the technology this way), and you read it in Word, and you have >Outlook on your machine, then that document will be mailed out to the >top 50 people in your address book. > >Rather ironically, a clue to the identity of the perpetrator may have >come from the identification number embedding scheme recently admitted >by Microsoft as having been included with Office and Windows 98. > >A number of fixes for mail servers and mail filtering systems have >been devised very quickly. However, note that not all of these have >fully tested or debugged. One version that I saw would trap most of >the warning messages about Melissa. > >Note that any Word document can be infected, and that an infected user >may unintentionally send you an infected document. All Word >documents, and indeed all Office files, should be checked for >infection before you load them. > > >Information and antiviral updates (some URLs are wrapped): > >http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html > >http://www.ciac.org/ciac/bulletins/j-037.shtml > >ftp://ftp.complex.is/pub/macrdef2.zip > >http://www.complex.is/f-prot/f-prot.html > >http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/ >news/0,4586,2233030,00.html > >http://www.zdnet.com/zdnn/special/melissavirus.html > >http://www.symantec.com/techsupp/mailissa.html > >http://www.antivirus.com/vinfo/security/sa032699.htm > >http://www.avp.com/melissa/melissa.html > >http://www.microsoft.com/security/bulletins/ms99-002.asp > >http://www.sendmail.com/blockmelissa.html > >ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html > >http://www.innosoft.com/iii/pmdf/virus-word-emergency.html > >http://www.sophos.com/downloads/ide/index.html#melissa > >http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp > >http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302 > >http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html > >http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/ > >http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308 > > >====================== (quote inserted randomly by Pegasus Mailer) >[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] > AV tutorial : http://victoria.tc.ca/techrev/mnvrcv.htm >http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade * Gunadarma Mailing List ----------------------------------------------- * Archives : http://milis-archives.gunadarma.ac.id * Berhenti : Kirim Email kosong ke [EMAIL PROTECTED] * Administrator: [EMAIL PROTECTED]
