melissa.txt

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Overview of the Melissa macro virus, its safety, and myths surrounding its infection.

http://www.melissavirus.com/  
  
  
-----------------------------------------------------------------  
  
Date: Mon, 5 Apr 1999 05:01:14 -0700  
From: [email protected]  
Subject: Information Security Educators Mailing List 1999-03-30  
  
---------------------------------------------  
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>  
Date: Tue, 30 Mar 1999 16:51:23 -0800  
  
The Melissa macro virus  
A report prepared by Robert M. Slade  
  
  
The following is an attempt to bring together the information about  
the Melissa virus. It is taken from the most reliable available  
sources. Additional sites have been listed at the end of the article.   
I have not added a copyright line to this message in order to allow it  
to be used as needed. I will be posting the latest updated version of  
this article at http://sun.soci.niu.edu/~rslade/melissa.txt and  
http://victoria.tc.ca/techrev/melissa.txt.  
  
  
The virus, generally referred to as W97M.Melissa.A (with some  
variations: Symantec, in a rather strained effort to be cute, seems to  
be calling it "Mailissa"), is a MS Word macro virus. This means that,  
if you don't use Word, you are safe. Completely safe. (Except for  
being dependent upon other people who might slow their/your mail  
server down. More on that later.) If you need to look at MS Word  
documents, there is a document viewer available (free, as it happens)  
from Microsoft. This viewer will not execute macros, so it is safe  
from infection.  
  
In the messages about Melissa, there have been many references to the  
mythical and non-existent "Good Times" virus. Note that simply  
reading the text of a message still cannot infect you. However, note  
also that many mailers, in the name of convenience, are becoming more  
and more automated, and much of this automation concerns running  
attached files for you. As Padgett Peterson, author of one of the  
best macro virus protection tools, has stated, "For years we have been  
saying you could not get a virus just by opening E-Mail. That bug is  
being fixed."  
  
Melissa does not carry any specifically damaging payload. If the  
message is triggered there will be text added to the active document.   
The mailout function can cause a large number of messages to be  
generated very quickly, and this has caused the shutdown of a number  
of corporate mail servers.  
  
If you have Word set with macros disabled, then the virus will not  
activate. However, relying on this protection is a very dangerous  
proposition. Previous macro viruses have also killed macro protection  
in Word, and this one does as well.  
  
The name "Melissa" comes from the class module that contains the  
virus. The name is also used in the registry flag set by the virus.  
  
The virus is spread, of course, by infected Word documents. What has  
made it the "bug du jour" is that it spreads *itself* via email. We  
have known about viruses being spread as attachments to email for a  
long time, and have been warning people not to execute attachments (or  
read Word documents sent as attachments) if you don't know where they  
came from. Happy99 is a good example: it has spread very widely in  
the past month by sending itself out as an email attachment whenever  
it infects a system.  
  
Melissa was originally posted to the alt.sex newsgroup. At that time  
it was LIST.DOC, and purported to be a list of passwords for sex  
sites. I have seen at least one message theorizing that Melissa is  
someone's ill-conceived punishment for viewers of pornography. This  
hypothesis is extremely unlikely. Sending a virus to a sex related  
newsgroup seems to be a reliable way to ensure that a number of stupid  
people will read and/or execute your program, and start your new virus  
off with a bang. (No pun intended.)  
  
If you get a message with a Melissa infected document, and do whatever  
you need to do to "invoke" the attachment, and have Word on your  
system as the default program for .doc files, Word starts up, reads in  
the document, and the macro is ready to start. If you have Word's  
"macro security" enabled (which is not the default) it will tell you  
that there is a macro in the document. Few people understand the  
import of the warning, and there is no distinction between legitimate  
macros and macro viruses.  
  
Because of a technical difference between normal macros and "VBA  
objects," if you ask for a list of the macros in the document, Melissa  
will not show up. It will be visible if you use the Visual Basic  
Editor, but only after you have loaded the infected file.  
  
Assuming that the macro starts executing, several things happen.  
  
The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word  
9) is running. If so, it reduces the level of the security warnings  
on Word so that you will receive no future warnings. In Word97, the  
virus disables the Tools/Macro menu commands, the Confirm Conversions  
option, the MS Word macro virus protection, and the Save Normal  
Template prompt. It "upconverts" to Word 2000 quite nicely, and there  
disables the Tools/Macro/Security menu.  
  
Specifically, under Word 97 it blocks access to the Tools|Macro menu  
item, meaning you cannot check any macros. It also turns off the  
warnings for conversion, macro detection, and to save modifications to  
the NORMAL.DOT file. Under Word 2000 it blocks access to the menu  
item that allows you to raise your security level, and sets your macro  
virus detection to the lowest level, that is, none. (Since the access  
to the macro security menu item is blocked, I do not know how this  
feature can be reversed, other than programmatically or by  
reinstallation.)  
  
After this, the virus checks for the  
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key  
with a value of "... by Kwyjibo". (The "kwyjibo" entry seems to be a  
reference to the "Bart the Genius" episode of the "Simpsons"  
television program where this word was used to win a Scrabble match.)  
  
If this is the first time you have been infected (and this "first  
time" business is slightly complicated), then the macro starts up  
Outlook, in the background, and sends itself as an attachment to the  
"top" 50 names in *each* of your address lists. (Melissa will *not*  
use Outlook Express.) Most people have only one (the default is  
"Contacts"), but if you have more than one then Outlook will send more  
than 50 copies of the message. Outlook also sorts address lists such  
that mailing lists are at the top of the list, so this can get a much  
wider dispersal than just fifty copies of the message/virus. There  
was also a mention on one message about MAPI and Exchange servers,  
which may give access to a very large number of mailing lists. From  
other reports, though, people who use Exchange mail server are being  
particularly hard hit. Then again, people who use Exchange are  
probably also standardized on Word and Outlook.  
  
Some have suggested setting this registry key as a preventative  
measure, but note that it only prevents the mailout. It does not  
prevent infection. If you are infected, and the registry key is  
removed at a later date, then a mailout will be triggered the next  
time an infected document is read.  
  
Once the messages have been sent, the virus sets the Melissa flag in  
the registry, and looks for it to check whether or not to send itself  
out on subsequent infections. If the flag does not persist, then  
there will be subsequent mass mailings. Because the key is set in  
HKEY_CURRENT_USER, system administrators may have set permissions such  
that changes made are not saved, and thus the key will not persist.   
In addition, multiple users on the same machine will likely each  
trigger a separate mailout, and the probability of cross infection on  
a common machine is very high.  
  
Since it is a macro virus, it will infect your NORMAL.DOT, and will  
infect all documents thereafter. The macro within NORMAL.DOT is  
"Document_Close()" so that any document that is worked on will be  
infected when it is closed. When a document is infected the macro  
inserted is "Document_Open()" so that the macro runs when the document  
is opened.  
  
Note that *not* using Outlook does not protect you from the virus, it  
only means that the 50 copies will not be automatically sent out. If  
you use Word but not Outlook, you will still be infected, and may  
still send out infected documents on your own. The virus also will  
not invoke the mailout on Mac systems, but definitely can be stored  
and resent from Macs. At this time I do not have reliable information  
about whether it can reproduce on Macs (there is one report that it  
does), but the likelihood is that it can.  
  
Vesselin Bontchev has noted that the virus never explicitly terminates  
the Outlook program. It is possible that multiple copies may be  
invoked, and may create memory problems. However, this has not been  
confirmed, and is not probable given the "first time" flag that is  
set.  
  
The message appears to come from the person just infected, of course,  
since it really is sent from that machine. This means that when you  
get an "infected" message it will probably appear to come from someone  
you know and deal with. The subject line is "Important Message From:  
[name of sender]" with the name taken from the registration settings  
in Word. The text of the body states "Here is that document you asked  
for ... don't show anyone else ;-)". Thus, the message is easily  
identifiable: that subject line, the very brief message, and an  
attached Word document (file with a .doc extension to the filename).   
If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH  
WORD!* If you do not have alternate means or competent virus  
assistance, the best recourse is to delete the message, and  
attachment, and to send a message to the sender alerting them to the  
fact that they are, very likely, infected. Please note all the  
specifics in this paragraph, and do not start a panic by sending  
warnings to everyone who sends you any message with an attachment.  
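A mail-filter check built from the three indicators in the paragraph above (the subject prefix, the one-line body, and an attached .doc file). This is an added example, not code from Slade's report or from any of the vendor filters listed later; the two sample messages are constructed in the code, and the addresses and the attachment filename are placeholders. It requires all three indicators together, so an ordinary message carrying a Word attachment is not flagged, and, being a signature check, it will miss the variants with different subjects and messages that the report goes on to warn about.

```python
import email
from email import policy
from email.message import EmailMessage

# The three indicators the report gives: subject prefix, one-line body,
# and an attached .doc file.  All three must match before a message is
# flagged, so ordinary mail carrying a Word attachment is not reported.
SUBJECT_PREFIX = "important message from:"
BODY_MARKER = "here is that document you asked for"


def melissa_indicators(raw: bytes) -> dict:
    """Report which of the three indicators a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part is not None else ""
    has_doc = any(
        (part.get_filename() or "").lower().endswith(".doc")
        for part in msg.iter_attachments()
    )
    return {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": BODY_MARKER in body,
        "doc_attachment": has_doc,
    }


def is_melissa_message(raw: bytes) -> bool:
    """True only when subject, body text and .doc attachment all match."""
    return all(melissa_indicators(raw).values())


def build_sample(subject: str, body: str, attach_doc: bool = True) -> bytes:
    """Build a constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_doc:  # placeholder bytes, not a real Word document
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="msword", filename="list.doc")
    return msg.as_bytes()


# Constructed samples: one in the exact form the report describes, one
# ordinary message that happens to carry a .doc attachment.
SUSPECT = build_sample("Important Message From: Rob Example",
                       "Here is that document you asked for ... don't show anyone else ;-)")
BENIGN = build_sample("Draft for review", "Attached is the draft we discussed.")
```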
  
However, please also note that, as with any Word macro virus, the  
source code travels with the infection, and it will be very easy to  
create modifications to Melissa. (The source code has already been  
posted to one Web site.) We will, no doubt very soon, start seeing  
many Melissa variants with different subjects and messages. There is  
already one similar Excel macro virus, called "Papa." The virus  
contains the text "Fred Cohen" and "all.net," leading one rather  
ignorant reporter to assume that Fred was the author. Dr. Cohen was  
the first person to do formal research into viral programs.  
  
There is a message that is displayed approximately one time in sixty.   
The exact trigger is if the current system time minute field matches  
the current system time day of the month field when the virus is run.   
In that case, you will have "Twenty-two points, plus triple-word-score,  
plus fifty points for using all my letters. Game's over. I'm outta  
here." typed into your document. (This is another reference to the  
"Simpsons" episode referred to earlier.)  
  
One rather important point: the document passed is the active  
document, not necessarily the original posted on alt.sex. So, for  
example, if I am infected, and prepare some confidential information  
for you in Word, and send you an attachment with the Word document,  
containing sensitive information that neither you nor I want made  
public (say, the fact that Bill Gates is a jerk for having designed  
the technology this way), and you read it in Word, and you have  
Outlook on your machine, then that document will be mailed out to the  
top 50 people in your address book.  
  
Rather ironically, a clue to the identity of the perpetrator may have  
come from the identification number embedding scheme recently admitted  
by Microsoft as having been included with Office and Windows 98.  
  
A number of fixes for mail servers and mail filtering systems have  
been devised very quickly. However, note that not all of these have  
been fully tested or debugged. One version that I saw would trap most of  
the warning messages about Melissa.  
  
Note that any Word document can be infected, and that an infected user  
may unintentionally send you an infected document. All Word  
documents, and indeed all Office files, should be checked for  
infection before you load them.  
  
  
Information and antiviral updates:  
  
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html  
  
http://www.ciac.org/ciac/bulletins/j-037.shtml  
  
ftp://ftp.complex.is/pub/macrdef2.zip  
  
http://www.complex.is/f-prot/f-prot.html  
  
http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/news/0,4586,2233030,00.html  
  
http://www.zdnet.com/zdnn/special/melissavirus.html  
  
http://www.symantec.com/techsupp/mailissa.html   
  
http://www.antivirus.com/vinfo/security/sa032699.htm  
  
http://www.avp.com/melissa/melissa.html  
  
http://www.microsoft.com/security/bulletins/ms99-002.asp  
  
http://www.sendmail.com/blockmelissa.html  
  
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html  
  
http://www.innosoft.com/iii/pmdf/virus-word-emergency.html  
  
http://www.sophos.com/downloads/ide/index.html#melissa   
  
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp  
  
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302  
  
http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html  
  
http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/  
  
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308  
  
  
AV tutorial : http://victoria.tc.ca/techrev/mnvrcv.htm  
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade  
---------------------------------------------  
  