Pastimes : Melissa - FBI issues e-mail virus warning

To: Urlman who wrote () 3/30/1999 8:50:00 AM
From: Don Pueblo
 
Here's the story:

cert.org

Melissa-Macro-Virus

Original issue date: Saturday March 27 1999
Last Revised: 7:00 PM GMT-5 Monday March 29, 1999

Systems Affected

Machines with Microsoft Word 97 or Word 2000
Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this macro virus.

Overview

At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a
Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The
number and variety of reports we have received indicate that this is a widespread attack
affecting a variety of sites.

Our analysis of this macro virus indicates that human action (in the form of a user opening an
infected Word document) is required for this virus to propagate. It is possible that under some
mailer configurations, a user might automatically open an infected document received in the
form of an email attachment. This macro virus is not known to exploit any new vulnerabilities.
While the primary transport mechanism of this virus is via email, any way of transferring files
can also propagate the virus.

Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa
virus.

I. Description

The Melissa macro virus propagates in the form of an email message containing an infected
Word document as an attachment. The transport message has most frequently been reported
to contain the following Subject header

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two sections. The first
section of the message (Content-Type: text/plain) contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document
called "list.doc". This document contains references to pornographic web sites. As this macro
virus spreads we are likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created by the victim.

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is
immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run
when documents are opened in the future. Therefore, the user will not be notified when the virus
is executed in the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of
"... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the
format described above to the first 50 entries in every Microsoft Outlook MAPI address book
readable by the user executing the macro. Keep in mind that if any of these email addresses
are mailing lists, the message will be delivered to everyone on the mailing lists. In order to
successfully propagate, the affected machine must have Microsoft Outlook installed; however,
Outlook does not need to be the mailer used to read the message.

This virus cannot send mail on systems running MacOS; however, the virus can be stored on
MacOS.

Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this
registry key causes the virus to only propagate once per session. If the registry key does not
persist through sessions, the virus will propagate as described above once per every session
when a user opens an infected document. If the registry key persists through sessions, the
virus will no longer attempt to propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all Word documents utilize the
Normal.dot template; thus, any newly created Word document will be infected. Because
unpatched versions of Word97 may trust macros in templates, the virus may execute without
warning. For more information please see:

microsoft.com

Finally, if the minute of the hour matches the day of the month at this point, the macro inserts
into the current document the message "Twenty-two points, plus triple-word-score, plus fifty
points for using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and look at the list of macros
in this document, neither Word97 nor Word2000 lists the macro. The code is actually VBA
(Visual Basic for Applications) code associated with the "document.open" method. You can
see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message came from someone who
is affected by this virus and they are not necessarily targeting you. We encourage you to
contact any users from which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would appreciate if you would report any
instance of this activity to us according to our Incident Reporting Guidelines document available
at:

cert.org

II. Impact

Users who open an infected document in Word97 or Word2000 with macros enabled will
infect the Normal.dot template causing any documents referencing this template to be
infected with this macro virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that this could cause the
user's document to be propagated instead of the original document, and thereby leak
sensitive information.

Indirectly, this virus could cause a denial of service on mail servers. Many large sites
have reported performance problems with their mail servers as a result of the propagation
of this virus.

III. Solutions

Block messages with the signature of this virus at your mail transfer agents or other central point of control

With Sendmail

Nick Christenson of sendmail.com provided information about configuring
sendmail to filter out messages that may contain the Melissa virus. This
information is available from the following URL:

sendmail.com

With John Hardin's Procmail security filter package

More information is available from:

ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

With Innosoft's PMDF

More information is available from:

innosoft.com

Utilize virus scanners

Most virus scanning tools will detect and clean macro viruses. In order to detect and
clean current viruses you must keep your scanning tools up to date with the latest
definition files.

Computer Associates

Virus signature versions that detect and cure the Melissa virus:

Windows NT 3.x & 4.x: 4.19d
Windows 95: 4.19e
Windows 98: 4.19e
Windows 3.1: 4.19e
Netware 3.x, 4.x & 5.0: 4.19e

Any of the above virus signatures files can be downloaded at:
support.cai.com

McAfee / Network Associates

vil.mcafee.com
avertlabs.com

Sophos

sophos.com

Symantec

symantec.com

Trend Micro

housecall.antivirus.com

Encourage users at your site to disable macros in Microsoft Word

Notify all of your users of the problem and encourage them to disable macros in Word.
You may also wish to encourage users to disable macros in any product that contains a
macro language as this sort of problem is not limited to Microsoft Word.

In Word97 you can disable automatic macro execution (click Tools/Options/General
then turn on the 'Macro virus protection' checkbox). In Word2000 macro execution is
controlled by a security level variable similar to Internet Explorer (click on
Tools/Macro/Security and choose High, Medium, or Low). In that case, 'High' silently
ignores the VBA code, Medium prompts in the way Word97 does to let you enable or
disable the VBA code, and 'Low' just runs it.

Word2000 supports Authenticode on the VB code. In the 'High' setting you can specify
sites that you trust and code from those sites will run.

General protection from Word Macro Viruses

For information about macro viruses in general, we encourage you to review the
document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available
at:

nai.com

Additional Information

We have received a number of reports from people confusing the Happy99.exe Trojan
Horse with the Melissa virus. For more information about Happy99.exe please see:
cert.org

The Department of Energy's Computer Incident Advisory Capability (CIAC) has published
several documents that you may wish to examine. These are available at:

ciac.org
ciac.llnl.gov

Microsoft Corporation has published information about this macro virus. Their document
is available from:

officeupdate.microsoft.com

Acknowledgements

We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson
of sendmail.com, Dan Schrader of Trend Micro, Jason Garms and Karan Khanna of Microsoft,
Ned Freed of Innosoft, and John Hardin for providing information used in this advisory.

Additionally we would like to thank the many sites who reported this activity.

This document is available from:
cert.org.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through
Friday; they are on call for emergencies during other hours, on U.S. holidays, and on
weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is
available from cert.org. If you prefer to use DES, please call the
CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
cert.org.

To be added to our mailing list for advisories and bulletins, send email to
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your
message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in
cert.org.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark
Office

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering
Institute is furnished on an "as is" basis. Carnegie Mellon University makes no
warranties of any kind, either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University does not make
any warranty of any kind with respect to freedom from patent, trademark, or copyright
infringement.

Revision History

March 28, 1999: Changed the reference to the sendmail patches from ftp.cert.org to
www.sendmail.com. Added information for Innosoft, Sophos, and John
Hardin's procmail filter kit.
March 29, 1999: Formatting changes
March 29, 1999: Added information for Computer Associates
March 29, 1999: Fixed a broken link
March 29, 1999: Added a link to information at Microsoft, added a link to information
about Happy99.exe, added information about MacOS, and clarified
that only MS Outlook MAPI address books are involved.
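The advisory's "Solutions" section recommends blocking the Melissa transport message at the MTA and points at sendmail, procmail and PMDF filter recipes. The following Python script is an added example, not part of the post above, of CERT's advisory, or of any of those vendor filters: it shows the matching logic such a gateway filter needs, using the three indicators the advisory documents (the "Important Message From <name>" Subject, the "Here is that document you asked for" text part, and the application/msword attachment). The three sample messages, the sender and recipient addresses, and the "two of three indicators" threshold (chosen so that a renamed attachment, which the advisory warns about, is still caught while a benign mail whose subject merely starts with the same words is not) are this example's own assumptions.

```python
"""Gateway-style detector for the Melissa transport message.

Added example, not the post's or CERT's own code. Sample messages are
constructed here; the two-of-three threshold is an assumption of this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory's description of the transport message.
SUBJECT_PREFIX = "important message from"
BODY_TEXT = "here is that document you asked for"
DOC_TYPE = "application/msword"


def melissa_indicators(raw: bytes) -> dict:
    """Report which of the three documented indicators a raw RFC 822 message carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    found = {"subject": subject.startswith(SUBJECT_PREFIX),
             "body": False, "attachment": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            # The advisory quotes this exact sentence as the text/plain section.
            if BODY_TEXT in part.get_content().lower():
                found["body"] = True
        elif ctype == DOC_TYPE:
            found["attachment"] = True
        else:
            # Catch Word documents shipped under a generic content type.
            fname = (part.get_filename() or "").lower()
            if fname.endswith((".doc", ".dot")):
                found["attachment"] = True
    return found


def is_melissa(raw: bytes) -> bool:
    """Flag a message when at least two of the three indicators match (assumed threshold)."""
    return sum(melissa_indicators(raw).values()) >= 2


def build_sample(subject: str, body: str, attach_doc: bool) -> bytes:
    """Construct a test message; the addresses and attachment bytes are made up."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["To"] = "contact@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attach_doc:
        # A few bytes standing in for a Word file; not a real document.
        m.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
                         maintype="application", subtype="msword",
                         filename="list.doc")
    return m.as_bytes()


# Constructed samples: the documented message, a renamed-attachment variant,
# and a benign mail whose subject happens to start with the same words.
SAMPLES = {
    "melissa": build_sample(
        "Important Message From Don Pueblo",
        "Here is that document you asked for ... don't show anyone else ;-)",
        attach_doc=True),
    "renamed_attachment": build_sample(
        "Important Message From Alice Example",
        "See attached.",
        attach_doc=True),
    "benign_hr": build_sample(
        "Important message from HR: holiday schedule",
        "Please find the holiday schedule below.",
        attach_doc=False),
}


def scan_samples() -> dict:
    """Return the verdict for every constructed sample, keyed by its name."""
    return {name: is_melissa(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {melissa_indicators(raw)} -> block={is_melissa(raw)}")
```

Run it stand-alone to see the per-indicator breakdown. The benign HR mail matches the Subject prefix alone and is not blocked, while the variant with a renamed attachment is still caught on Subject plus attachment; a production MTA filter would apply the same logic but would also quarantine rather than drop, so that the originating user can be contacted as the advisory asks.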