Archive of CERT general posting, CERT Advisory CA-99.04 - Melissa Macro Virus

27/03/99, CERT Advisory CA-99.04 - Melissa Macro Virus
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
From: CERT Advisory <cert-advisory@cert.org>
Date: Sat, 27 Mar 1999 07:10:49 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-04-Melissa-Macro-Virus

   Original issue date: Saturday March 27 1999
   Last Revised: Saturday March 27, 1999

Systems Affected

     * Machines with Microsoft Word 97 or Word 2000
     * Any mail handling system could experience performance problems or
       a denial of service as a result of the propagation of this macro
       virus.

Overview

   At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
   receiving reports of a Microsoft Word 97 and Word 2000 macro virus
   which is propagating via email attachments. The number and variety of
   reports we have received indicate that this is a widespread attack
   affecting a variety of sites.

   Our analysis of this macro virus indicates that human action (in the
   form of a user opening an infected Word document) is required for this
   virus to propagate. It is possible that under some mailer
   configurations, a user might automatically open an infected document
   received in the form of an email attachment. This macro virus is not
   known to exploit any new vulnerabilities. While the primary transport
   mechanism of this virus is via email, any way of transferring files
   can also propagate the virus.

   Anti-virus software vendors have called this macro virus the Melissa
   macro or W97M_Melissa virus.

I. Description

   The Melissa macro virus propagates in the form of an email message
   containing an infected Word document as an attachment. The transport
   message has most frequently been reported to contain the following
   Subject header

      Subject: Important Message From <name>

   Where <name> is the full name of the user sending the message.

   The body of the message is a multipart MIME message containing two
   sections. The first section of the message (Content-Type: text/plain)
   contains the following text.

      Here is that document you asked for ... don't show anyone else ;-)

   The next section (Content-Type: application/msword) was initially
   reported to be a document called "list.doc". This document contains
   references to pornographic web sites. As this macro virus spreads we
   are likely to see documents with other names. In fact, under certain
   conditions the virus may generate attachments with documents created
   by the victim.

   When a user opens an infected .doc file with Microsoft Word97 or
   Word2000, the macro virus is immediately executed if macros are
   enabled.

   Upon execution, the virus first lowers the macro security settings to
   permit all macros to run when documents are opened in the future.
   Therefore, the user will not be notified when the virus is executed in
   the future.

   The macro then checks to see if the registry key

   "HKEY_Current_User\Software\Microsoft\Office\Melissa?"

   has a value of "... by Kwyjibo". If that registry key does not exist
   or does not have a value of "... by Kwyjibo", the virus proceeds to
   propagate itself by sending an email message in the format described
   above to the first 50 entries in every MAPI address book readable by
   the user executing the macro. Keep in mind that if any of these email
   addresses are mailing lists, the message will be delivered to everyone
   on the mailing lists. In order to successfully propagate, the affected
   machine must have Microsoft Outlook installed; however, Outlook does
   not need to be the mailer used to read the message.

   Next, the macro virus sets the value of the registry key to "... by
   Kwyjibo". Setting this registry key causes the virus to only propagate
   once per session. If the registry key does not persist through
   sessions, the virus will propagate as described above once per every
   session when a user opens an infected document. If the registry key
   persists through sessions, the virus will no longer attempt to
   propagate even if the affected user opens an infected document.

   The macro then infects the Normal.dot template file. By default, all
   Word documents utilize the Normal.dot template; thus, any newly
   created Word document will be infected. Because unpatched versions of
   Word97 may trust macros in templates the virus may execute without
   warning. For more information please see:

       http://www.microsoft.com/security/bulletins/ms99-002.asp

   Finally, if the minute of the hour matches the day of the month at
   this point, the macro inserts into the current document the message
   "Twenty-two points, plus triple-word-score, plus fifty points for
   using all my letters. Game's over. I'm outta here."

   Note that if you open an infected document with macros disabled and
   look at the list of macros in this document, neither Word97 nor
   Word2000 list the macro. The code is actually VBA (Visual Basic for
   Applications) code associated with the "document.open" method. You can
   see the code by going into the Visual Basic editor.

   If you receive one of these messages, keep in mind that the message
   came from someone who is affected by this virus and they are not
   necessarily targeting you. We encourage you to contact any users from
   which you have received such a message. Also, we are interested in
   understanding the scope of this activity; therefore, we would
   appreciate if you would report any instance of this activity to us
   according to our Incident Reporting Guidelines document available at:

       http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

     * Users who open an infected document in Word97 or Word2000 with
       macros enabled will infect the Normal.dot template causing any
       documents referencing this template to be infected with this macro
       virus. If the infected document is opened by another user, the
       document, including the macro virus, will propagate. Note that
       this could cause the user's document to be propagated instead of
       the original document, and thereby leak sensitive information.

     * Indirectly, this virus could cause a denial of service on mail
       servers. Many large sites have reported performance problems with
       their mail servers as a result of the propagation of this virus.

III. Solutions

     * Block messages with the signature of this virus at your mail transfer
       agents.

       With Sendmail

       Nick Christenson of sendmail.com provided information about
       configuring sendmail to filter out messages that may contain the
       Melissa virus. This information is available from the follow URL:
       ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m
       elissa-filter.txt

     * Utilize virus scanners

       Most virus scanning tools will detect and clean macro viruses. In
       order to detect and clean current viruses you must keep your
       scanning tools up to date with the latest definition files.

          + McAfee / Network Associates

            http://vil.mcafee.com/vil/vm10120.asp
            http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

          + Symantec

            http://www.symantec.com/avcenter/venc/data/mailissa.html

          + Trend Micro

            http://housecall.antivirus.com/smex_housecall/technotes.html

     * Encourage users at your site to disable macros in Microsoft Word

       Notify all of your users of the problem and encourage them to
       disable macros in Word. You may also wish to encourage users to
       disable macros in any product that contains a macro language as
       this sort of problem is not limited to Microsoft Word.

       In Word97 you can disable automatic macro execution (click
       Tools/Options/General then turn on the 'Macro virus protection'
       checkbox). In Word2000 macro execution is controlled by a security
       level variable similar to Internet Explorer (click on
       Tools/Macro/Security and choose High, Medium, or Low). In that
       case, 'High' silently ignores the VBA code, Medium prompts in the
       way Word97 does to let you enable or disable the VBA code, and
       'Low' just runs it.

       Word2000 supports Authenticode on the VB code. In the 'High'
       setting you can specify sites that you trust and code from those
       sites will run.

     * General protection from Word Macro Viruses

       For information about macro viruses in general, we encourage you
       to review the document "Free Macro AntiVirus Techniques" by Chengi
       Jimmy Kuo which is available at.

          http://www.nai.com/services/support/vr/free.asp

Acknowledgements

   We would like to thank Jimmy Kuo of Network Associates, Eric Allman
   and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
   Jason Garms and Karan Khanna of Microsoft for providing information
   used in this advisory.

   Additionally we would like to thank the many sites who reported this
   activity.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

Revision History

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
=aABH
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Advisory CA-99.03 - FTP-Buffer-Overflows
Next message sorted by date: CERT Advisory CA-99.05 - statd-automountd
Previous message sorted by thread: CERT Advisory CA-99.03 - FTP-Buffer-Overflows
Next message by thread: CERT Advisory CA-99.05 - statd-automountd
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000