From: Alister Waller (Awaller at domain Staffmail.wit.ie)
Date: Mon 29 Mar 1999 - 13:42:47 IST
thought this might interest someone.
alister
<HEANET-SECURITY at domain listserv.heanet.ie>
From: Dave Wilson <davew at domain HEA.NET>
Subject: [cert-advisory at domain cert.org: CERT Advisory CA-99.04 -
Melissa
Macro
Virus]
To: HEANET-SECURITY at domain listserv.heanet.ie
Hi all,
This CERT advisory came through over the weekend about the
Melissa
Microsoft Word virus. This has been widely reported in the news,
but
there are a number of misconceptions about it which are laid to rest
below. The virus is nothing new or surprising but is more unpleasant
than most and can go so far as to bring down a mail server with
traffic.
CERT offer four different fixes: it should be noted that the Sendmail
fix
only checks for mails with a subject line beginning "Important
message
for" so this might not be suitable for all.
Any questions or comments, mail me|list.
Thanks,
Dave
----- Forwarded message from CERT Advisory <cert-
advisory at domain cert.org> -----
Date: Sat, 27 Mar 1999 07:08:18 -0500
From: CERT Advisory <cert-advisory at domain cert.org>
To: cert-advisory at domain coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
Reply-To: cert-advisory-request at domain cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-99-04-Melissa-Macro-Virus
Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999
Systems Affected
* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance
problems or
a denial of service as a result of the propagation of this macro
virus.
Overview
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we
began
receiving reports of a Microsoft Word 97 and Word 2000 macro
virus
which is propagating via email attachments. The number and
variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in
the
form of a user opening an infected Word document) is required
for this
virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected
document
received in the form of an email attachment. This macro virus is
not
known to exploit any new vulnerabilities. While the primary
transport
mechanism of this virus is via email, any way of transferring files
can
also propagate the virus.
Anti-virus software vendors have called this macro virus the
Melissa
macro or W97M_Melissa virus.
I. Description
The Melissa macro virus propagates in the form of an email
message
containing an infected Word document as an attachment. The
transport
message has most frequently been reported to contain the
following
Subject header
Subject: Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message
containing two
sections. The first section of the message (Content-Type:
text/plain)
contains the following text.
Here is that document you asked for ... don't show anyone
else ;-)
The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document
contains
references to pornographic web sites. As this macro virus
spreads we
are likely to see documents with other names. In fact, under
certain
conditions the virus may generate attachments with documents
created by
the victim.
When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
enabled.
Upon execution, the virus first lowers the macro security settings
to
permit all macros to run when documents are opened in the
future.
Therefore, the user will not be notified when the virus is executed
in
the future.
The macro then checks to see if the registry key
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo". If that registry key does not exist
or
does not have a value of "... by Kwyjibo", the virus proceeds to
propagate itself by sending an email message in the format
described
above to the first 50 entries in every MAPI address book readable
by
the user executing the macro. Keep in mind that if any of these
email
addresses are mailing lists, the message will be delivered to
everyone
on the mailing lists. In order to successfully propagate, the
affected
machine must have Microsoft Outlook installed; however,
Outlook does
not need to be the mailer used to read the message.
Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only
propagate
once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per
every
session when a user opens an infected document. If the registry
key
persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.
The macro then infects the Normal.dot template file. By default,
all
Word documents utilize the Normal.dot template; thus, any
newly created
Word document will be infected. Because unpatched versions of
Word97
may trust macros in templates the virus may execute without
warning.
For more information please see:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Finally, if the minute of the hour matches the day of the month at
this
point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using
all my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled
and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual
Basic for
Applications) code associated with the "document.open"
method. You can
see the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the
message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any
users from
which you have received such a message. Also, we are
interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document
available at:
http://www.cert.org/tech_tips/incident_reporting.html
II. Impact
* Users who open an infected document in Word97 or
Word2000 with
macros enabled will infect the Normal.dot template causing
any
documents referencing this template to be infected with this
macro
virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that
this
could cause the user's document to be propagated instead of
the
original document, and thereby leak sensitive information.
* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems
with
their mail servers as a result of the propagation of this virus.
III. Solutions
* Block messages with the signature of this virus at your mail
transfer
agents.
With Sendmail
Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain
the
Melissa virus. This information is available from the follow URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-
sendmail-m
elissa-filter.txt
* Utilize virus scanners
Most virus scanning tools will detect and clean macro viruses.
In
order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.
+ McAfee / Network Associates
http://vil.mcafee.com/vil/vm10120.asp
http://www.avertlabs.com/public/datafiles/valerts/vinfo/meliss
a.asp
+ Symantec
http://www.symantec.com/avcenter/venc/data/mailissa.html
+ Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html
* Encourage users at your site to disable macros in Microsoft
Word
Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage
users to
disable macros in any product that contains a macro language
as
this sort of problem is not limited to Microsoft Word.
In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a
security
level variable similar to Internet Explorer (click on
Tools/Macro/Security and choose High, Medium, or Low). In
that
case, 'High' silently ignores the VBA code, Medium prompts
in the
way Word97 does to let you enable or disable the VBA code,
and
'Low' just runs it.
Word2000 supports Authenticode on the VB code. In the 'High'
setting you can specify sites that you trust and code from
those
sites will run.
* General protection from Word Macro Viruses
For information about macro viruses in general, we encourage
you to
review the document "Free Macro AntiVirus Techniques" by
Chengi
Jimmy Kuo which is available at.
http://www.nai.com/services/support/vr/free.asp
Acknowledgements
We would like to thank Jimmy Kuo of Network Associates, Eric
Allman and
Nick Christenson of sendmail.com, Dan Schrader of Trend Micro,
and
Jason Garms and Karan Khanna of Microsoft for providing
information
used in this advisory.
Additionally we would like to thank the many sites who reported
this
activity.
________________________________________________________
______________
This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-
Virus.html.
________________________________________________________
______________
CERT/CC Contact Information
Email: cert at domain cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4)
Monday through Friday; they are on call for emergencies during
other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available
from our
web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request at domain cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can
be
found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the
U.S.
Patent and Trademark Office
________________________________________________________
______________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon
University makes no warranties of any kind, either expressed or
implied
as to any matter including, but not limited to, warranty of fitness
for
a particular purpose or merchantability, exclusivity or results
obtained from use of the material. Carnegie Mellon University
does not
make any warranty of any kind with respect to freedom from
patent,
trademark, or copyright infringement.
________________________________________________________
______________
Revision History
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIO
dmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/
s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6
wajOmBx
bZ6Ef5jPilA=
=aABH
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:06 GMT