
Re: CERT Advisory CA-99.04 - Melissa Macro Virus (fwd)



I had someone infected with the virus send me the attachment before the
advisory came out. Luckily it was someone I didn't know or trust, and I
was using pine at the time. :)

It's not just MS-Word you have to have for it to spread... you also have
to be an Outlook (ick) user, for it to read out your address book
entries and propagate.

-Bill K.

Allan Carhart wrote:
> 
> Damn...It sounds like someone took the concept behind the "Good Times"
> virus hoax, and made it a reality. (sorta..)
> 
> Although the % of users on this list who actually use MS-Word is probably low,
> I figure there's a significant # of system administrators, etc. So you may
> find this interesting.
> 
> --Allan
> ------------------------------------------------------------
> 
> ---------- Forwarded message ----------
> Date: Sat, 27 Mar 1999 07:05:13 -0500
> From: CERT Advisory <cert-cert.advisory@org>
> Reply-To: cert-advisory-cert.request@org
> To: cert-coal.advisory@cert.org
> Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-99-04-Melissa-Macro-Virus
> 
>    Original issue date: Saturday March 27 1999
>    Last Revised: Saturday March 27, 1999
> 
> Systems Affected
> 
>      * Machines with Microsoft Word 97 or Word 2000
>      * Any mail handling system could experience performance problems or
>        a denial of service as a result of the propagation of this macro
>        virus.
> 
> Overview
> 
>    At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
>    receiving reports of a Microsoft Word 97 and Word 2000 macro virus
>    which is propagating via email attachments. The number and variety of
>    reports we have received indicate that this is a widespread attack
>    affecting a variety of sites.
> 
>    Our analysis of this macro virus indicates that human action (in the
>    form of a user opening an infected Word document) is required for this
>    virus to propagate. It is possible that under some mailer
>    configurations, a user might automatically open an infected document
>    received in the form of an email attachment. This macro virus is not
>    known to exploit any new vulnerabilities. While the primary transport
>    mechanism of this virus is via email, any way of transferring files
>    can also propagate the virus.
> 
>    Anti-virus software vendors have called this macro virus the Melissa
>    macro or W97M_Melissa virus.
> 
> I. Description
> 
>    The Melissa macro virus propagates in the form of an email message
>    containing an infected Word document as an attachment. The transport
>    message has most frequently been reported to contain the following
>    Subject header
> 
>       Subject: Important Message From <name>
> 
>    Where <name> is the full name of the user sending the message.
> 
>    The body of the message is a multipart MIME message containing two
>    sections. The first section of the message (Content-Type: text/plain)
>    contains the following text.
> 
>       Here is that document you asked for ... don't show anyone else ;-)
> 
>    The next section (Content-Type: application/msword) was initially
>    reported to be a document called "list.doc". This document contains
>    references to pornographic web sites. As this macro virus spreads we
>    are likely to see documents with other names. In fact, under certain
>    conditions the virus may generate attachments with documents created
>    by the victim.
> 
>    When a user opens an infected .doc file with Microsoft Word97 or
>    Word2000, the macro virus is immediately executed if macros are
>    enabled.
> 
>    Upon execution, the virus first lowers the macro security settings to
>    permit all macros to run when documents are opened in the future.
>    Therefore, the user will not be notified when the virus is executed in
>    the future.
> 
>    The macro then checks to see if the registry key
> 
>    "HKEY_Current_User\Software\Microsoft\Office\Melissa?"
> 
>    has a value of "... by Kwyjibo". If that registry key does not exist
>    or does not have a value of "... by Kwyjibo", the virus proceeds to
>    propagate itself by sending an email message in the format described
>    above to the first 50 entries in every MAPI address book readable by
>    the user executing the macro. Keep in mind that if any of these email
>    addresses are mailing lists, the message will be delivered to everyone
>    on the mailing lists. In order to successfully propagate, the affected
>    machine must have Microsoft Outlook installed; however, Outlook does
>    not need to be the mailer used to read the message.
> 
>    Next, the macro virus sets the value of the registry key to "... by
>    Kwyjibo". Setting this registry key causes the virus to only propagate
>    once per session. If the registry key does not persist through
>    sessions, the virus will propagate as described above once per every
>    session when a user opens an infected document. If the registry key
>    persists through sessions, the virus will no longer attempt to
>    propagate even if the affected user opens an infected document.
> 
>    The macro then infects the Normal.dot template file. By default, all
>    Word documents utilize the Normal.dot template; thus, any newly
>    created Word document will be infected. Because unpatched versions of
>    Word97 may trust macros in templates the virus may execute without
>    warning. For more information please see:
> 
>        http://www.microsoft.com/security/bulletins/ms99-002.asp
> 
>    Finally, if the minute of the hour matches the day of the month at
>    this point, the macro inserts into the current document the message
>    "Twenty-two points, plus triple-word-score, plus fifty points for
>    using all my letters. Game's over. I'm outta here."
> 
>    Note that if you open an infected document with macros disabled and
>    look at the list of macros in this document, neither Word97 nor
>    Word2000 list the macro. The code is actually VBA (Visual Basic for
>    Applications) code associated with the "document.open" method. You can
>    see the code by going into the Visual Basic editor.
> 
>    If you receive one of these messages, keep in mind that the message
>    came from someone who is affected by this virus and they are not
>    necessarily targeting you. We encourage you to contact any users from
>    which you have received such a message. Also, we are interested in
>    understanding the scope of this activity; therefore, we would
>    appreciate if you would report any instance of this activity to us
>    according to our Incident Reporting Guidelines document available at:
> 
>        http://www.cert.org/tech_tips/incident_reporting.html
> 
> II. Impact
> 
>      * Users who open an infected document in Word97 or Word2000 with
>        macros enabled will infect the Normal.dot template causing any
>        documents referencing this template to be infected with this macro
>        virus. If the infected document is opened by another user, the
>        document, including the macro virus, will propagate. Note that
>        this could cause the user's document to be propagated instead of
>        the original document, and thereby leak sensitive information.
> 
>      * Indirectly, this virus could cause a denial of service on mail
>        servers. Many large sites have reported performance problems with
>        their mail servers as a result of the propagation of this virus.
> 
> III. Solutions
> 
>      * Block messages with the signature of this virus at your mail transfer
>        agents.
> 
>        With Sendmail
> 
>        Nick Christenson of sendmail.com provided information about
>        configuring sendmail to filter out messages that may contain the
>        Melissa virus. This information is available from the following URL:
>        ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
> 
>      * Utilize virus scanners
> 
>        Most virus scanning tools will detect and clean macro viruses. In
>        order to detect and clean current viruses you must keep your
>        scanning tools up to date with the latest definition files.
> 
>           + McAfee / Network Associates
> 
>             http://vil.mcafee.com/vil/vm10120.asp
>             http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
> 
>           + Symantec
> 
>             http://www.symantec.com/avcenter/venc/data/mailissa.html
> 
>           + Trend Micro
> 
>             http://housecall.antivirus.com/smex_housecall/technotes.html
> 
>      * Encourage users at your site to disable macros in Microsoft Word
> 
>        Notify all of your users of the problem and encourage them to
>        disable macros in Word. You may also wish to encourage users to
>        disable macros in any product that contains a macro language as
>        this sort of problem is not limited to Microsoft Word.
> 
>        In Word97 you can disable automatic macro execution (click
>        Tools/Options/General then turn on the 'Macro virus protection'
>        checkbox). In Word2000 macro execution is controlled by a security
>        level variable similar to Internet Explorer (click on
>        Tools/Macro/Security and choose High, Medium, or Low). In that
>        case, 'High' silently ignores the VBA code, Medium prompts in the
>        way Word97 does to let you enable or disable the VBA code, and
>        'Low' just runs it.
> 
>        Word2000 supports Authenticode on the VB code. In the 'High'
>        setting you can specify sites that you trust and code from those
>        sites will run.
> 
>      * General protection from Word Macro Viruses
> 
>        For information about macro viruses in general, we encourage you
>        to review the document "Free Macro AntiVirus Techniques" by Chengi
>        Jimmy Kuo which is available at:
> 
>           http://www.nai.com/services/support/vr/free.asp
> 
> Acknowledgements
> 
>    We would like to thank Jimmy Kuo of Network Associates, Eric Allman
>    and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
>    Jason Garms and Karan Khanna of Microsoft for providing information
>    used in this advisory.
> 
>    Additionally we would like to thank the many sites who reported this
>    activity.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert.cert@org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT publications and other security information are available from
>    our web site http://www.cert.org/.
> 
>    To be added to our mailing list for advisories and bulletins, send
>    email to cert-advisory-cert.request@org and include SUBSCRIBE
>    your-email-address in the subject of your message.
> 
>    Copyright 1999 Carnegie Mellon University.
>    Conditions for use, disclaimers, and sponsorship information can be
>    found in http://www.cert.org/legal_stuff.html.
> 
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    ______________________________________________________________________
> 
> Revision History
> 
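The advisory's first recommendation is to block messages carrying the Melissa transport signature at the MTA. The following is an added example, not code from the thread, from CERT, or from the sendmail filter the advisory links to: it parses an RFC 822 message and scores it against the three indicators the advisory gives (the "Important Message From <name>" Subject, the fixed text/plain body line, and an application/msword part), assuming a content-filter hook that can accept, quarantine or reject. The sample messages, addresses and attachment bytes are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators quoted in CERT CA-99.04: the Subject header pattern and the
# text/plain body line. The attachment name ("list.doc") is deliberately not
# used, since the advisory warns that other document names will follow.
SUBJECT_RE = re.compile(r"^Important Message From .+", re.IGNORECASE)
BODY_TEXT = "Here is that document you asked for ... don't show anyone else ;-)"


def melissa_indicators(raw):
    """Return the advisory indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():                      # walk() visits every MIME part
        ctype = part.get_content_type()
        if ctype == "text/plain" and BODY_TEXT in part.get_content():
            hits.append("body")
        elif ctype == "application/msword":
            hits.append("msword-attachment")
    return hits


def mta_verdict(raw):
    """Hypothetical filter policy: all three indicators -> reject; a Word
    attachment plus one other indicator -> quarantine; anything else passes.
    Body or Subject alone is never enough, to spare legitimate mail."""
    hits = melissa_indicators(raw)
    if {"subject", "body", "msword-attachment"} <= set(hits):
        return "reject"
    if "msword-attachment" in hits and len(hits) > 1:
        return "quarantine"
    return "accept"


def build_sample(subject, body, attach):
    """Construct a test message (constructed data, not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.test"
    msg["To"] = "colleague@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach:  # placeholder bytes standing in for a Word document
        msg.add_attachment(b"\xd0\xcf\x11\xe0 placeholder", maintype="application",
                           subtype="msword", filename="list.doc")
    return bytes(msg)
```

Because the registry-key check described above makes each victim send only once per session, a filter like this sees the transport message, not the infected Normal.dot; the macro scanning the advisory recommends is still needed on the endpoints.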