[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Author Index][Search Archives]
FW: CIAC Bulletin J-037: W97M.Melissa Word Macro Virus (fwd)
Poster: Michael Houghton <herveus@Radix.Net>
Howdy!
Rosine recently brought to our attention a new virus. Here is
an authoritative confirmation. You can elect to receiev these
warnings by subscription.
[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
W97M.Melissa Word Macro Virus
March 27, 1999 17:00 GMT Number J-037
_____________________________________________________________________________
PROBLEM: A new Word 97 macro virus named W97M.Malissa has been detected
at multiple DOE sites and is known to be spreading widely. The
virus uses Microsoft Outlook to e-mail the infected document
to the first 50 people from each of your Outlook address books.
PLATFORM: Windows 95 or Windows NT running Microsoft Word 97 (version 8)
or Word 2000 (version 9) and Microsoft Outlook. Word 98 on the
Macintosh is probably not vulnerable because the virus uses
the Windows registry, but that has not been verified yet.
Outlook Express and other mail readers are not vulnerable.
DAMAGE: It overwrites the first macro in open documents and in the
normal.dot template with the macro virus code. It turns off
macro detection in Word. It sends copies of the infected
document to up to 50 people from each of your Outlook address
books.
SOLUTION: Use an updated antivirus product. Some vendors have a solution
available but in many cases you must go to the vendors web
site to get it. Do not depend on the automatic or live update
feature of an antivirus package to get the detector for this
virus. Additional precautions are to password protect the
normal.dot file, turn on macro virus detection in Word, and DO
NOT OPEN attachments to mail messages with the subject
"Important Message From " and the contents "Here is that
document you asked for ... don't show anyone else ;-)" without
checking with the sender. Alert your computer security
officers if you receive such messages.
_____________________________________________________________________________
VULNERABILITY Risk of infection is high. This virus is spreading widely
ASSESSMENT: within and without of the DOE complex. The risk of damage to
your system is low because most users do not have macros in
files and would be alerted by Word's macro detector. The risk
of lostproductivity and lost mail messages is high as mail
servers may have to be shut down and purged of infected mail
messages.
_____________________________________________________________________________
CIAC has critical information about the W97M.Melissa Word Macro Virus
The W97M.Malissa Word macro virus has been seen within the DOE complex. This
macro virus attaches to Word objects in Word 97 and Word 2000. Because of
this method of infection, this virus will not infect older versions of
Microsoft Word. When an infected document is opened, the virus checks to
see if Word 97 or Word 2000 is installed and then disables the Macro toolbar.
It then disables the following Word options:
Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.
Disabling these options makes it difficult to detect the virus in action. The
virus next checks the value of the private registry string:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
If that string is not equal to "... by Kwyjibo" the virus sends copies of the
infected document to the first 50 people in each of your Outlook address
books and then sets the registry key so it does not do this again. It sends
copies of the infected document to others by opening a connection to Microsoft
Outlook and creating an e-mail message with the subject:
Important Message From <username>
where <username> is replaced with the current Word user's name (Tools, Options
command, User Information tab). The body of the message contains the following
text:
Here is that document you asked for ... don't show anyone else ;-)
The virus then inserts the first 50 users from your Outlook address book,
attaches the infected document and sends the message. It does this for however
many address books you have defined in Outlook.
After sending itself to the people in your address books, the virus then
checks to see if it is running on a document or the Normal.dot template. If
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is
running on the Normal.dot template, it infects the active document with a
Document_Open macro that runs whenever a document is opened. After the
Normal.dot template is infected, the virus infects every document you work
on as soon as you close them. If you share these documents with anyone, you
will spread the virus.
Finally, if the minute of the hour equals the day of the month, the virus
inserts the following message at the current location in the active document.
Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here.
Detecting The Virus
===================
Several antivirus vendors have a detection and cleaning capability for this
virus; however, you must go to the vendors web site to get the scanner
updates. Scanners with automatic or live update features do not yet get the
update required to find and clean this virus. While we expect the detection
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web site.
We have verified that the Norton Antivirus updater obtained from the
Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus, the current live update does not. We have reliable
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and
Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html)
also have detection capabilities.
If you receive an e-mail with the following subject and body, DO NOT OPEN the
attachment.
Subject:
Important Message From <username>
Body:
Here is that document you asked for ... don't show anyone else ;-)
Make sure the sender is someone you know and then ask them if they really
sent you the attachment before opening it. If they did not send it, do not
open the attachment and contact your computer security manager. The most
common name for the attached file is list1.doc but that name can change.
If the following text appears in a document without your putting it there,
your normal.dot template is infected and your Word program is infecting all
documents when you close them.
Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here.
Another option to see if a system has been infected is to use Regedit and
search for the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
If that key exists and has the value "... by Kwyjibo" the system has been
infected at some time. Note that the infection may have been removed without
deleting the key. This key can be deleted, but does no damage if left alone.
Protecting A System
===================
The first step in protecting a system is to have a current antivirus package
running on your system. Be sure to update it at least once a month. Many of
the newer antivirus scanners have the capability to automatically update
themselves every couple of weeks.
To protect Word from this and other Word macro viruses, first insure that Word
has been patched with the Word 97 Template vulnerability patch
(http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the
normal.dot template file should be password protected; and third, the
following Word 97 options should be enabled.
Confirm conversions at open.
Macro virus protection.
Prompt to save Normal template.
Password Protecting The Normal.dot File
- - - - - ---------------------------------------
To password protect the Normal.dot file in Word 97, perform
these steps:
1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password twice.
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.
The next time you start Word, the normal.dot template will be protected.
WARNING: If you ever have to type in the password to make changes to the
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it.
Turning On Macro Virus Protection and Other Options
- ---------------------------------------------------
Some simple macro virus protection is built into Word 97. It does not detect
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not
necessarily a virus. However, if you are alerted to a macro attached to a
document you should be extremely wary because most people do not have macros
attached to their documents.
Other options to set are:
Confirm conversions at open. This makes Word display a dialog box if
it is converting a document from one format to another.
Prompt to save Normal template. This makes Word display a dialog box
asking you to confirm changes to the Normal.dot template. Most
macro viruses hide in Normal.dot so this lets you know that there
has been a change that you may want to prevent. Changes also occur
when you change the default font or one of the built-in styles.
To turn on macro virus protection and these other options, perform these
steps:
1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
4. Close the dialog box.
Whenever you open a document that contains macros, the macro virus protection
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open
the document without the macros, or cancel the open operation. You should
only open a document with macros enabled if you are expecting there to be
macros on that document and you know what they are supposed to do.
Detecting the Virus With a Mail Server
======================================
If a site has been infected you may need to block the virus infected mail
messages with your mail servers. The following filter was written by Scott
Hutton (Lead Security Engineer, Information Technology Security Office) of
Indiana University. As Scott mentions, this filter blocks all messages with
the text "Important Message From" in the subject line, which may block
messages that do not contain the virus. Use this filter at your own discretion.
===== start included text ======
We blocked this on our mail relays through the following additions to
the sendmail.cf:
HSubject: $>CheckSubject
SCheckSubject
RImportant Message From $+ $#error $: 553 Subject Error
R$* $@ OK
Don't forget that there are tabs before $#error and $@ OK. This will
block any message where the subject begins with "Important Message
>From ...", which may be too rash of an action at your site.
===== end included text ======
Another filter was obtained by the CERT team from Nick Christenson of
sendmail.com
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendma
il-melissa-
filter.txt
_____________________________________________________________________________
Thanks to Scott Hutton for the preliminary analysis and for a sendmail
filter. Thanks to CERT and Nick Christenson of sendmail.com for another
sendmail filter.
_____________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're
the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a
confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list
in question.
If you include the word 'help' in the body of an email to the
above address,
it will also send back an information file on how to
subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities ( at , inc )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services
-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2
iQCVAwUBNv07sLnzJzdsy3QZAQEZjwQA6+nHONNAmoosXGsy9eJ6nuIPlFNQ3nM9
+XN1vnqBNI9Hp3kBIXtPXywY4W19NQbyyax6YI+ugmmNfNPEdefeHqnNGuz3dqcW
Ce2RQWnPB1dRrUBTorU+cZHsaq+qaX4s2jSNFlJCFeSuUjNYhzVI6HHilhvGZCQI
wuSjLbuYabo=
=KVaC
-----END PGP SIGNATURE-----
>
--
Michael and MJ Houghton | Herveus d'Ormonde and Megan O'Donnelly
herveus@radix.net | White Wolf and the Phoenix
Bowie, MD, USA | Tablet and Inkle bands, and other stuff
| http://www.radix.net/~herveus/
=======================================================================
List Archives, FAQ, FTP: http://merryrose.atlantia.sca.org/
Submissions: atlantia@atlantia.sca.org
Admin. requests: majordomo@atlantia.sca.org