From: "Bill Verzal"
Newsgroups: comp.virus
Subject: Fw: CERT Advisory CA-99.04 - Melissa Macro Virus (WORD)
Date: 28 Mar 1999 12:48:25 -0000
Lines: 286
Sender: news@Lehigh.EDU
Approved: virus-l@Lehigh.EDU
Message-ID: <0003.E10REkq-0007UT-0A@finch-post-10.mail.demon.net>
NNTP-Posting-Host: fidoii.cc.lehigh.edu
X-Date: Sat, 27 Mar 1999 08:01:15 -0600
X-Digest: Volume 12 : Issue 9

Here is a virus alert from CERT.

Regards,
Bill Verzal

[Moderator's note: I would probably not normally re-post this, but given
the extent of distribution of Melissa and the likely Email disruption and
web-jam "Western Monday morning", having this in people's mailboxes before
then might be a good thing. NCF]

- ---- Original Message -----
From: CERT Advisory
To:
Sent: Saturday, March 27, 1999 6:09 AM
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus

> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-99-04-Melissa-Macro-Virus
>
> Original issue date: Saturday March 27 1999
> Last Revised: Saturday March 27, 1999
>
> Systems Affected
>
> * Machines with Microsoft Word 97 or Word 2000
> * Any mail handling system could experience performance problems or
>   a denial of service as a result of the propagation of this macro
>   virus.
>
> Overview
>
> At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
> receiving reports of a Microsoft Word 97 and Word 2000 macro virus
> which is propagating via email attachments. The number and variety of
> reports we have received indicate that this is a widespread attack
> affecting a variety of sites.
>
> Our analysis of this macro virus indicates that human action (in the
> form of a user opening an infected Word document) is required for this
> virus to propagate. It is possible that under some mailer
> configurations, a user might automatically open an infected document
> received in the form of an email attachment. This macro virus is not
> known to exploit any new vulnerabilities. While the primary transport
> mechanism of this virus is via email, any way of transferring files
> can also propagate the virus.
>
> Anti-virus software vendors have called this macro virus the Melissa
> macro or W97M_Melissa virus.
>
> I. Description
>
> The Melissa macro virus propagates in the form of an email message
> containing an infected Word document as an attachment. The transport
> message has most frequently been reported to contain the following
> Subject header
>
>   Subject: Important Message From
>
> Where is the full name of the user sending the message.
>
> The body of the message is a multipart MIME message containing two
> sections. The first section of the message (Content-Type: text/plain)
> contains the following text.
>
>   Here is that document you asked for ... don't show anyone else ;-)
>
> The next section (Content-Type: application/msword) was initially
> reported to be a document called "list.doc". This document contains
> references to pornographic web sites. As this macro virus spreads we
> are likely to see documents with other names. In fact, under certain
> conditions the virus may generate attachments with documents created
> by the victim.
>
> When a user opens an infected .doc file with Microsoft Word97 or
> Word2000, the macro virus is immediately executed if macros are
> enabled.
>
> Upon execution, the virus first lowers the macro security settings to
> permit all macros to run when documents are opened in the future.
> Therefore, the user will not be notified when the virus is executed in
> the future.
>
> The macro then checks to see if the registry key
>
>   "HKEY_Current_User\Software\Microsoft\Office\Melissa?"
>
> has a value of "... by Kwyjibo". If that registry key does not exist
> or does not have a value of "... by Kwyjibo", the virus proceeds to
> propagate itself by sending an email message in the format described
> above to the first 50 entries in every MAPI address book readable by
> the user executing the macro. Keep in mind that if any of these email
> addresses are mailing lists, the message will be delivered to everyone
> on the mailing lists. In order to successfully propagate, the affected
> machine must have Microsoft Outlook installed; however, Outlook does
> not need to be the mailer used to read the message.
>
> Next, the macro virus sets the value of the registry key to "... by
> Kwyjibo". Setting this registry key causes the virus to only propagate
> once per session. If the registry key does not persist through
> sessions, the virus will propagate as described above once per every
> session when a user opens an infected document. If the registry key
> persists through sessions, the virus will no longer attempt to
> propagate even if the affected user opens an infected document.
>
> The macro then infects the Normal.dot template file. By default, all
> Word documents utilize the Normal.dot template; thus, any newly
> created Word document will be infected. Because unpatched versions of
> Word97 may trust macros in templates the virus may execute without
> warning. For more information please see:
>
>   http://www.microsoft.com/security/bulletins/ms99-002.asp
>
> Finally, if the minute of the hour matches the day of the month at
> this point, the macro inserts into the current document the message
> "Twenty-two points, plus triple-word-score, plus fifty points for
> using all my letters. Game's over. I'm outta here."
>
> Note that if you open an infected document with macros disabled and
> look at the list of macros in this document, neither Word97 nor
> Word2000 list the macro. The code is actually VBA (Visual Basic for
> Applications) code associated with the "document.open" method. You can
> see the code by going into the Visual Basic editor.
>
> If you receive one of these messages, keep in mind that the message
> came from someone who is affected by this virus and they are not
> necessarily targeting you. We encourage you to contact any users from
> which you have received such a message. Also, we are interested in
> understanding the scope of this activity; therefore, we would
> appreciate if you would report any instance of this activity to us
> according to our Incident Reporting Guidelines document available at:
>
>   http://www.cert.org/tech_tips/incident_reporting.html
>
> II. Impact
>
> * Users who open an infected document in Word97 or Word2000 with
>   macros enabled will infect the Normal.dot template causing any
>   documents referencing this template to be infected with this macro
>   virus. If the infected document is opened by another user, the
>   document, including the macro virus, will propagate. Note that
>   this could cause the user's document to be propagated instead of
>   the original document, and thereby leak sensitive information.
>
> * Indirectly, this virus could cause a denial of service on mail
>   servers. Many large sites have reported performance problems with
>   their mail servers as a result of the propagation of this virus.
>
> III. Solutions
>
> * Block messages with the signature of this virus at your mail transfer
>   agents.
>
>   With Sendmail
>
>   Nick Christenson of sendmail.com provided information about
>   configuring sendmail to filter out messages that may contain the
>   Melissa virus. This information is available from the following URL:
>   ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
>
> * Utilize virus scanners
>
>   Most virus scanning tools will detect and clean macro viruses. In
>   order to detect and clean current viruses you must keep your
>   scanning tools up to date with the latest definition files.
>
>   + McAfee / Network Associates
>
>     http://vil.mcafee.com/vil/vm10120.asp
>     http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
>
>   + Symantec
>
>     http://www.symantec.com/avcenter/venc/data/mailissa.html
>
>   + Trend Micro
>
>     http://housecall.antivirus.com/smex_housecall/technotes.html
>
> * Encourage users at your site to disable macros in Microsoft Word
>
>   Notify all of your users of the problem and encourage them to
>   disable macros in Word. You may also wish to encourage users to
>   disable macros in any product that contains a macro language as
>   this sort of problem is not limited to Microsoft Word.
>
>   In Word97 you can disable automatic macro execution (click
>   Tools/Options/General then turn on the 'Macro virus protection'
>   checkbox). In Word2000 macro execution is controlled by a security
>   level variable similar to Internet Explorer (click on
>   Tools/Macro/Security and choose High, Medium, or Low). In that
>   case, 'High' silently ignores the VBA code, Medium prompts in the
>   way Word97 does to let you enable or disable the VBA code, and
>   'Low' just runs it.
>
>   Word2000 supports Authenticode on the VB code. In the 'High'
>   setting you can specify sites that you trust and code from those
>   sites will run.
>
> * General protection from Word Macro Viruses
>
>   For information about macro viruses in general, we encourage you
>   to review the document "Free Macro AntiVirus Techniques" by Chengi
>   Jimmy Kuo which is available at:
>
>     http://www.nai.com/services/support/vr/free.asp
>
> Acknowledgements
>
> We would like to thank Jimmy Kuo of Network Associates, Eric Allman
> and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
> Jason Garms and Karan Khanna of Microsoft for providing information
> used in this advisory.
>
> Additionally we would like to thank the many sites who reported this
> activity.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
>   CERT Coordination Center
>   Software Engineering Institute
>   Carnegie Mellon University
>   Pittsburgh PA 15213-3890
>   U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site http://www.cert.org/.
>
> To be added to our mailing list for advisories and bulletins, send
> email to cert-advisory-request@cert.org and include SUBSCRIBE
> your-email-address in the subject of your message.
>
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be
> found in http://www.cert.org/legal_stuff.html.
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
>   Patent and Trademark Office
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> ______________________________________________________________________
>
> Revision History
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> -----END PGP SIGNATURE-----
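The advisory's first mitigation is to block the transport signature at the mail transfer agent: the "Important Message From" Subject, the "Here is that document you asked for" text part, and the application/msword attachment. The following Python gateway check is an added example, not the sendmail filter the advisory links to and not CERT's code; the sample messages, addresses and attachment bytes are constructed placeholders.

```python
# Added example: a mail-gateway check for the Melissa transport signature
# described in CERT CA-99-04. Not the advisory's sendmail filter; the sample
# messages built below are constructed, not captured traffic.
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "Important Message From "
BODY_MARKER = "here is that document you asked for"


def melissa_indicators(raw: bytes) -> dict:
    """Report which of the three transport indicators a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"subject": str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX),
             "body": False, "msword": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and BODY_MARKER in part.get_content().lower():
            found["body"] = True
        elif ctype == "application/msword":
            found["msword"] = True
    return found


def looks_like_melissa(raw: bytes) -> bool:
    """Flag only when all three indicators coincide: a lone .doc attachment or a
    lone subject match is ordinary mail, so requiring the full pattern keeps
    false positives at the gateway low."""
    found = melissa_indicators(raw)
    return found["subject"] and found["body"] and found["msword"]


def build_sample(subject: str, body: str, attach_doc: bool = True) -> bytes:
    """Construct a test message; addresses and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_doc:
        # Placeholder OLE2 magic bytes so the part is typed application/msword.
        msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
                           maintype="application", subtype="msword",
                           filename="list.doc")
    return msg.as_bytes()


# Constructed samples: one matching the advisory's description, one benign.
MELISSA_LIKE = build_sample("Important Message From Some User",
                            "Here is that document you asked for ... don't show anyone else ;-)")
BENIGN = build_sample("Q3 budget draft", "Attached is the draft we discussed.")
```

A real gateway would quarantine rather than reject outright, since the advisory notes attachment names and contents vary as the virus spreads.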