-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Jan Meijer Index : S-99-12 Distribution : World Page : 1 Classification: External Version: 1 Subject : Melissa-Macro-Virus Date : 27-Mar-99 =============================================================================== By courtesy of The U.S. Department of Energy Computer Incident Advisory Capability we received information on a vulnerability in Windows 95 or Windows NT running Microsoft Word 97 (version 8) or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the Macintosh is probably not vulnerable because the virus uses the Windows registry, but that has not been verified yet. Outlook Express and other mail readers are not vulnerable. . A new Word 97 macro virus named W97M.Malissa has been detected at multiple DOE sites and is known to be spreading widely. The virus uses Microsoft Outlook to e-mail the infected document to the first 50 people from each of your Outlook address books. CERT-NL recommends: Use an updated antivirus product. Some vendors have a solution available but in many cases you must go to the vendors web site to get it. Do not depend on the automatic or live update feature of an antivirus package to get the detector for this virus. Additional precautions are to password protect the normal.dot file, turn on macro virus detection in Word, and DO NOT OPEN attachments to mail messages with the subject "Important Message From " and the contents "Here is that document you asked for ... don't show anyone else ;-)" without checking with the sender. Alert your computer security officers if you receive such messages. ============================================================================== __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN W97M.Melissa Word Macro Virus March 27, 1999 17:00 GMT Number J-037 _____________________________________________________________________________ PROBLEM: A new Word 97 macro virus named W97M.Malissa has been detected at multiple DOE sites and is known to be spreading widely. The virus uses Microsoft Outlook to e-mail the infected document to the first 50 people from each of your Outlook address books. PLATFORM: Windows 95 or Windows NT running Microsoft Word 97 (version 8) or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the Macintosh is probably not vulnerable because the virus uses the Windows registry, but that has not been verified yet. Outlook Express and other mail readers are not vulnerable. DAMAGE: It overwrites the first macro in open documents and in the normal.dot template with the macro virus code. It turns off macro detection in Word. It sends copies of the infected document to up to 50 people from each of your Outlook address books. SOLUTION: Use an updated antivirus product. Some vendors have a solution available but in many cases you must go to the vendors web site to get it. Do not depend on the automatic or live update feature of an antivirus package to get the detector for this virus. Additional precautions are to password protect the normal.dot file, turn on macro virus detection in Word, and DO NOT OPEN attachments to mail messages with the subject "Important Message From " and the contents "Here is that document you asked for ... don't show anyone else ;-)" without checking with the sender. Alert your computer security officers if you receive such messages. _____________________________________________________________________________ VULNERABILITY Risk of infection is high. This virus is spreading widely ASSESSMENT: within and without of the DOE complex. The risk of damage to your system is low because most users do not have macros in files and would be alerted by Word's macro detector. The risk of lostproductivity and lost mail messages is high as mail servers may have to be shut down and purged of infected mail messages. _____________________________________________________________________________ CIAC has critical information about the W97M.Melissa Word Macro Virus The W97M.Malissa Word macro virus has been seen within the DOE complex. This macro virus attaches to Word objects in Word 97 and Word 2000. Because of this method of infection, this virus will not infect older versions of Microsoft Word. When an infected document is opened, the virus checks to see if Word 97 or Word 2000 is installed and then disables the Macro toolbar. It then disables the following Word options: Confirm conversions at open. Macro virus protection. Prompt to save Normal template. Disabling these options makes it difficult to detect the virus in action. The virus next checks the value of the private registry string: HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? If that string is not equal to "... by Kwyjibo" the virus sends copies of the infected document to the first 50 people in each of your Outlook address books and then sets the registry key so it does not do this again. It sends copies of the infected document to others by opening a connection to Microsoft Outlook and creating an e-mail message with the subject: Important Message From where is replaced with the current Word user's name (Tools, Options command, User Information tab). The body of the message contains the following text: Here is that document you asked for ... don't show anyone else ;-) The virus then inserts the first 50 users from your Outlook address book, attaches the infected document and sends the message. It does this for however many address books you have defined in Outlook. After sending itself to the people in your address books, the virus then checks to see if it is running on a document or the Normal.dot template. If it is running on a document, it infects the Normal.dot template with a Document_Close macro that runs whenever a document is closed. If it is running on the Normal.dot template, it infects the active document with a Document_Open macro that runs whenever a document is opened. After the Normal.dot template is infected, the virus infects every document you work on as soon as you close them. If you share these documents with anyone, you will spread the virus. Finally, if the minute of the hour equals the day of the month, the virus inserts the following message at the current location in the active document. Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here. Detecting The Virus =================== Several antivirus vendors have a detection and cleaning capability for this virus; however, you must go to the vendors web site to get the scanner updates. Scanners with automatic or live update features do not yet get the update required to find and clean this virus. While we expect the detection strings to be in the automatic updates in the near future, for the next week or two you should get the scanner directly from your vendor's web site. We have verified that the Norton Antivirus updater obtained from the Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html) does detect the virus, the current live update does not. We have reliable information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html) also have detection capabilities. If you receive an e-mail with the following subject and body, DO NOT OPEN the attachment. Subject: Important Message From Body: Here is that document you asked for ... don't show anyone else ;-) Make sure the sender is someone you know and then ask them if they really sent you the attachment before opening it. If they did not send it, do not open the attachment and contact your computer security manager. The most common name for the attached file is list1.doc but that name can change. If the following text appears in a document without your putting it there, your normal.dot template is infected and your Word program is infecting all documents when you close them. Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here. Another option to see if a system has been infected is to use Regedit and search for the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? If that key exists and has the value "... by Kwyjibo" the system has been infected at some time. Note that the infection may have been removed without deleting the key. This key can be deleted, but does no damage if left alone. Protecting A System =================== The first step in protecting a system is to have a current antivirus package running on your system. Be sure to update it at least once a month. Many of the newer antivirus scanners have the capability to automatically update themselves every couple of weeks. To protect Word from this and other Word macro viruses, first insure that Word has been patched with the Word 97 Template vulnerability patch (http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the normal.dot template file should be password protected; and third, the following Word 97 options should be enabled. Confirm conversions at open. Macro virus protection. Prompt to save Normal template. Password Protecting The Normal.dot File - - - - - - --------------------------------------- To password protect the Normal.dot file in Word 97, perform these steps: 1. Start Word. 2. Choose the Tools, Macro, Visual Basic Editor command. 3. In the Project window of the Visual Basic Editor, click on Normal. 4. Choose the Tools, Normal Properties command, Protection tab. 5. Check the Lock Project for Viewing check box and type in a password twice. 6. Close the dialog box, close the Visual Basic editor. 7. Quit Word. The next time you start Word, the normal.dot template will be protected. WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it. Turning On Macro Virus Protection and Other Options - - --------------------------------------------------- Some simple macro virus protection is built into Word 97. It does not detect specific macro viruses but only informs you if macros exist on a document you are trying to open. Macros detected by Macro Virus Protection are not necessarily a virus. However, if you are alerted to a macro attached to a document you should be extremely wary because most people do not have macros attached to their documents. Other options to set are: Confirm conversions at open. This makes Word display a dialog box if it is converting a document from one format to another. Prompt to save Normal template. This makes Word display a dialog box asking you to confirm changes to the Normal.dot template. Most macro viruses hide in Normal.dot so this lets you know that there has been a change that you may want to prevent. Changes also occur when you change the default font or one of the built-in styles. To turn on macro virus protection and these other options, perform these steps: 1. Start Word. 2. Choose the Tools, Options command, General tab. 3. Check the Macro Virus Protection check box. 4. Check the Confirm conversions at open check box. 5. Choose the Save tab. 6. Check the Prompt to save Normal template check box. 4. Close the dialog box. Whenever you open a document that contains macros, the macro virus protection opens a dialog box telling you that there are macros in the document and giving you the option to: Open the document with the macros enabled, open the document without the macros, or cancel the open operation. You should only open a document with macros enabled if you are expecting there to be macros on that document and you know what they are supposed to do. Detecting the Virus With a Mail Server ====================================== If a site has been infected you may need to block the virus infected mail messages with your mail servers. The following filter was written by Scott Hutton (Lead Security Engineer, Information Technology Security Office) of Indiana University. As Scott mentions, this filter blocks all messages with the text "Important Message From" in the subject line, which may block messages that do not contain the virus. Use this filter at your own discretion. ===== start included text ====== We blocked this on our mail relays through the following additions to the sendmail.cf: HSubject: $>CheckSubject SCheckSubject RImportant Message From $+ $#error $: 553 Subject Error R$* $@ OK Don't forget that there are tabs before $#error and $@ OK. This will block any message where the subject begins with "Important Message >From ...", which may be too rash of an action at your site. ===== end included text ====== Another filter was obtained by the CERT team from Nick Christenson of sendmail.com ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa- filter.txt _____________________________________________________________________________ Thanks to Scott Hutton for the preliminary analysis and for a sendmail filter. Thanks to CERT and Nick Christenson of sendmail.com for another sendmail filter. _____________________________________________________________________________ ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6IpzSYjBqwfc9jEQJEqwCguJDEE7k6RUpTSCIvfbeyWIvs6SMAn3JR Ip+9TBdMt9oxiItLt/1fZXKQ =2ZCm -----END PGP SIGNATURE-----