Computer underground Digest Tue 30 Mar, 2099 Volume 11 : Issue 20
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shopping Editor: Etaion Shrdlu, 3-sticks
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
CONTENTS, #11.20 (Tue, 30 Mar, 2099)
File 1--Melissa
File 2--CERT's Melissa Advisory
File 3--Microsoft's Melissa Alert
File 4--Dangers of Universal Platforms (ZDNet Excerpt)
File 5--Melissa Creator may be Uncovered (ZDNet Excerpt)
File 6--Cu Digest Header Info (unchanged since 10 Jan, 1999)
CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
TO UNSUB, SEE ADMINISTRAVIA IN CONCLUDING FILE
---------------------------------------------------------------------
Date: Sun, 28 Mar 1999 16:59:21 -0800
From: Jean-Bernard Dahmoune
Subject: File 1--Melissa
SAN FRANCISCO (Reuters) - A virus that spreads a list of pornography sites
via e-mail hit computers over the weekend and threatened havoc Monday as
workers return to offices and begin opening messages sent over the Internet.
The virus, called ``Melissa,'' comes in the form of a document that lists
pornography sites on the World Wide Web.
Computer experts said the virus was aimed at widely used Microsoft
Windows-based e-mail address book software, Outlook and Outlook Express, and
it can send up to 50 additional versions of the e-mail to other users,
threatening a widespread infection of computer systems.
That could create a flood of unwanted e-mails around the Internet as the
program perpetuates itself using pre-programmed ''macros,'' software
embedded in the Windows operating system that sets off complex computer
functions with one command.
``It could grow explosively and shut down e-mail systems as a side effect,''
Eric Allman, co-founder of the Emeryville, Calif.-based Sendmail, a widely
used provider of e-mail services, said in an interview Sunday.
A number of leading software security firms and academic experts posted
warnings about the e-mail threat, including Network Associates, the leading
anti-virus software maker.
``Melissa is widely reported and spreading quickly via mass e-mail, a
function of the viral infection,'' said Network Associates based in Santa
Clara, Calif.
Carnegie Mellon University's Software Engineering Institute issued an
advisory, which said, ``The number and variety of reports we have received
indicate that this is a widespread attack affecting a variety of sites.''
The only damage the virus causes is that it replicates itself and creates a
flood of e-mail, though it apparently does not hurt the computer itself,
experts said.
The real danger is that the virus will overwhelm the server computers that
handle computer messaging systems, which could lead to system shutdowns as
each e-mail multiplies itself 50 times. Already, a wave of the e-mails has
been sent out and awaits office workers Monday morning.
``It's not doing malicious things or removing files or anything like that,''
Allman said. ``I've heard claims that it has been doing more but I haven't
seen any substantial verification of that. It's really more of a wake-up
call, that shows us how you could take a malicious virulent virus and
reproduce it all over the place very quickly.''
Computer experts warned users to be wary of documents sent from any senders
asking them to open up a file for Microsoft Word. That file, in turn, asks
for a prompt asking users whether they want to initiate a ``macro,'' and
requires users to approve its use. Those checkoffs make it relatively easy
to avoid the problem.
Microsoft itself has simply warned users to ``be careful about what runs on
their machine,'' the New York Times reported. Carnegie Mellon said, ``our
analysis indicates that human action (in the form of a user opening an
infected Word document) is required for this virus to activate.''
The virus can be identified, Network Associates said, because it will read
``Important Message From Application.UserName.'' The body of the text reads
``Here is that document you asked for ... don't show anyone else'' and
contains a list of pornographic Web sites.
Melissa creates the following entry in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\``Melissa?''
Network Security said that to avoid the risk of contracting the Melissa
virus, ``it is recommended that network administrators and users upgrade
their anti-virus software to include detection and cleaning for
W97M/Melissa.''
Network Security posted information about the virus on the Web site of
its Avert Labs division (), Sendmail also posted
advice on the Melissa problem at and Carnegie
Mellon posted information on its site as well ().
Computer experts said that if advisories were followed, the problem would
probably not become a widespread worry.
``I suspect we'll see a day or two of extremely high e-mail loads and then
it will just die out, so in some sense this virus is not that critical but
it's one that demonstrates what could happen if a truly malicious virus were
released,'' Sendmail's Allman said. ``The ability to spread something so
broadly is scary.''
------------------------------
Date: Tue, 30 Mar 1999 11:57:12 -0600 (CST)
From: Jim Thomas
Subject: File 2--CERT's Melissa Advisory
((CuD MODERATORS' NOTE: By now, the Melissa virus is old news.
But, for those who missed it, here is the original CERT
advisory.))
Source: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
The CERT/CC is part of the Software Engineering Institute at Carnegie
Mellon University CERT/CC Alerts
CERT Coordination Center
CERT Advisory CA-99-04-Melissa-Macro-Virus
Original issue date: Saturday March 27 1999
Last Revised: 7:00 PM GMT-5 Monday March 29, 1999
Systems Affected
* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this macro
virus.
Overview
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for this
virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not
known to exploit any new vulnerabilities. While the primary transport
mechanism of this virus is via email, any way of transferring files
can also propagate the virus.
Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.
I. Description
The Melissa macro virus propagates in the form of an email message
containing an infected Word document as an attachment. The transport
message has most frequently been reported to contain the following
Subject header
Subject-- Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we
are likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created
by the victim.
When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
enabled.
Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed in
the future.
The macro then checks to see if the registry key
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo". If that registry key does not exist
or does not have a value of "... by Kwyjibo", the virus proceeds to
propagate itself by sending an email message in the format described
above to the first 50 entries in every Microsoft Outlook MAPI address
book readable by the user executing the macro. Keep in mind that if
any of these email addresses are mailing lists, the message will be
delivered to everyone on the mailing lists. In order to successfully
propagate, the affected machine must have Microsoft Outlook installed;
however, Outlook does not need to be the mailer used to read the
message.
This virus cannot send mail on systems running MacOS; however, the
virus can be stored on MacOS.
Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only propagate
once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per every
session when a user opens an infected document. If the registry key
persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.
The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of
Word97 may trust macros in templates the virus may execute without
warning. For more information please see:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can
see the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document available at:
http://www.cert.org/tech_tips/incident_reporting.html
II. Impact
* Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any
documents referencing this template to be infected with this macro
virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that
this could cause the user's document to be propagated instead of
the original document, and thereby leak sensitive information.
* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with
their mail servers as a result of the propagation of this virus.
III. Solutions
* Block messages with the signature of this virus at your mail transfer
  agents or other central point of control.
  + With Sendmail
    Nick Christenson of sendmail.com provided information about
    configuring sendmail to filter out messages that may contain
    the Melissa virus. This information is available from the
    following URL:
    http://www.sendmail.com/blockmelissa.html
  + With John Hardin's Procmail security filter package
    More information is available from:
    ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
  + With Innosoft's PMDF
    More information is available from:
    http://www.innosoft.com/iii/pmdf/virus-word-emergency.html
* Utilize virus scanners
  Most virus scanning tools will detect and clean macro viruses. In
  order to detect and clean current viruses you must keep your
  scanning tools up to date with the latest definition files.
  + Computer Associates
    Virus signature versions that detect and cure the Melissa virus:
    Windows NT 3.x & 4.x        4.19d
    Windows 95                  4.19e
    Windows 98                  4.19e
    Windows 3.1                 4.19e
    Netware 3.x, 4.x & 5.0      4.19e
    Any of the above virus signature files can be downloaded at:
    http://www.support.cai.com
  + McAfee / Network Associates
    http://vil.mcafee.com/vil/vm10118.asp
    http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
  + Sophos
    http://www.sophos.com/downloads/ide/index.html#melissa
  + Symantec
    http://www.symantec.com/avcenter/venc/data/mailissa.html
  + Trend Micro
    http://housecall.antivirus.com/smex_housecall/technotes.html
* Encourage users at your site to disable macros in Microsoft Word
  Notify all of your users of the problem and encourage them to
  disable macros in Word. You may also wish to encourage users to
  disable macros in any product that contains a macro language as
  this sort of problem is not limited to Microsoft Word.
  In Word97 you can disable automatic macro execution (click
  Tools/Options/General then turn on the 'Macro virus protection'
  checkbox). In Word2000 macro execution is controlled by a security
  level variable similar to Internet Explorer (click on
  Tools/Macro/Security and choose High, Medium, or Low). In that
  case, 'High' silently ignores the VBA code, Medium prompts in the
  way Word97 does to let you enable or disable the VBA code, and
  'Low' just runs it.
  Word2000 supports Authenticode on the VB code. In the 'High'
  setting you can specify sites that you trust and code from those
  sites will run.
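The message signature given in section I (the "Important Message From" subject, the "Here is that document you asked for" body text and the application/msword attachment) is what the mail-transfer-agent filters listed under the first solution act on. The following is an added example, not CERT's code and not any of the Sendmail, Procmail or PMDF filters linked above: a Python check that applies those indicators to a parsed message so that a delivery hook could quarantine it. The addresses, attachment bytes and sample messages are constructed for this example, and the verdict rule (a Word attachment plus at least one of the two text indicators) is this example's own choice, made because the advisory says the attachment name is likely to change as the virus spreads.

```python
"""Advisory-signature check for the Melissa transport message.

Added example (not from CERT or the digest): it applies the indicators
given in the CERT advisory to a parsed RFC 822 message so that a mail
transfer agent or delivery hook can quarantine matching mail. Every
sample message below is constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the advisory text (compared case-insensitively).
SUBJECT_PREFIX = "important message from"
BODY_TEXT = "here is that document you asked for"
WORD_MIME_TYPE = "application/msword"
WORD_EXTENSIONS = (".doc", ".dot")


def melissa_indicators(msg: EmailMessage) -> set:
    """Return the set of advisory indicators present in a parsed message."""
    hits = set()
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        hits.add("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        if ctype == "text/plain" and BODY_TEXT in part.get_content().lower():
            hits.add("body")
        elif ctype == WORD_MIME_TYPE or filename.endswith(WORD_EXTENSIONS):
            # The advisory warns that "list.doc" will not stay the only name,
            # so the MIME type is checked as well as the file extension.
            hits.add("word-attachment")
    return hits


def indicators_for(raw: bytes) -> set:
    """Parse a raw message and return its indicator set."""
    return melissa_indicators(email.message_from_bytes(raw, policy=policy.default))


def classify(raw: bytes) -> str:
    """Verdict for one raw message: 'quarantine', 'suspicious' or 'pass'.

    Verdict rule (this example's choice): the macro travels only inside a
    Word document, so a Word attachment plus either text indicator is
    quarantined; the text indicators on their own are flagged for review.
    """
    hits = indicators_for(raw)
    text_hits = hits & {"subject", "body"}
    if "word-attachment" in hits and text_hits:
        return "quarantine"
    if text_hits:
        return "suspicious"
    return "pass"


def build_sample(subject: str, body: str, attachment_name=None) -> bytes:
    """Construct a sample message; addresses and bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"constructed placeholder, not a real document",
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the reported form, a renamed attachment, an
# unrelated Word document, and the text indicators with no attachment.
MELISSA_BODY = "Here is that document you asked for ... don't show anyone else ;-)"
SAMPLE_MELISSA = build_sample("Important Message From Jane Example",
                              MELISSA_BODY, "list.doc")
SAMPLE_RENAMED = build_sample("Important Message From Jane Example",
                              MELISSA_BODY, "budget-q2.doc")
SAMPLE_BENIGN_DOC = build_sample("Q2 budget figures",
                                 "Please see the attached notes.", "budget-q2.doc")
SAMPLE_TEXT_ONLY = build_sample("Important Message From Jane Example",
                                "Here is that document you asked for.")

if __name__ == "__main__":
    for name, raw in [("melissa", SAMPLE_MELISSA), ("renamed", SAMPLE_RENAMED),
                      ("benign-doc", SAMPLE_BENIGN_DOC), ("text-only", SAMPLE_TEXT_ONLY)]:
        print(f"{name:<11} {classify(raw)}")
```

The check deliberately does not key on the filename "list.doc" alone: the advisory expects other names, and the MIME type or extension is what tells a filter that a macro-carrying document is present. The "suspicious" tier exists so that forwarded warnings that quote the subject or body text without the attachment are reviewed rather than dropped.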
------------------------------
Date: Tue, 30 Mar 1999 12:01:05 -0600 (CST)
From: Jim Thomas
Subject: File 3--Microsoft's Melissa Alert
((CuD MODERATORS' NOTE: Thanks to the readers who sent over
the following update on Melissa from Microsoft)):
Source: http://officeupdate.microsoft.com/articles/macroalert.htm
Word Macro Virus Alert
On Friday March 26th, Microsoft was made aware of a Word macro virus
(dubbed "Melissa") that has affected a number of users and companies.
As with all security issues we take this very seriously, and because
of the widespread nature of this particular virus, Microsoft is taking
steps to proactively notify our customers to help minimize its impact.
By taking the necessary precautions you can ensure it does not affect
you.
Who can the virus affect?
This virus can affect people who are using Word 97 or Word 2000 with
Outlook 97, 98 or 2000. If you do not use this software, this
particular virus does not affect you.
What is the "Melissa" Macro Virus?
It is a Word 97/2000 macro virus delivered via email in an attached
Word document. The email contains the subject line "Important Message
From "UserName" and/or contains the message body "Here is that
document you asked for ... don't show anyone else ;-)". If the
attached Word document is opened and the macro virus is enabled (i.e.
it is allowed to run), it can propagate itself by sending email with
the infected document to a number of recipients. The virus reads the
list of members from Outlook's Global Address Book and sends an email
message to the first 50 recipients programmatically, one at a time.
The name of the original infected Word document is List.doc, but this
could be changed to any name. This virus does not appear to destroy
data, however if enabled it can have a payload. If the current day of
the month equals the minute value of the current time, and the
infected document is opened this text is inserted at the current
cursor position:
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."
Will Office 97/Office 2000 protect me from this and other macro viruses?
Yes. Word 97 and Word 2000 will protect you from macro viruses
including this one, provided the macro virus protection is turned on
(this is the default setting). With the macro virus protection turned
on, every time you receive a Word document that contains macros, a
dialog box opens and allows you to choose whether to enable the
macros. You should always disable macros when you are not certain of
their purpose or functionality. By choosing to disable the macros, you
will prevent this and any macro virus from running, rendering them
harmless. The virus is only activated if you open the attached Word
document and choose to enable the macros or if your macro virus
protection settings have been turned off.
How do I ensure the Office macro virus protection is turned on?
In Word 97
1. On the Tools menu, click Options.
2. On the General tab, check Macro Virus Protection.
In Word 2000
1. Double-click on the Tools menu, point to Macro and then choose
Security.
2. Select the level of security you want. High security will allow
only macros that have been signed to open. Unsigned macros will be
automatically disabled. Medium security always brings up the macro
dialog protection box that allows you to disable macros if you are
unsure of the macros.
IMPORTANT NOTE: If you are not able to follow the steps above because
you cannot find the menu items, it will be necessary to delete your
normal.dot file. This is Word's global template that will
automatically be recreated once Word is launched. After this is done,
repeat the steps above. Please remember to back up your personal
macros if you store them in your normal.dot.
How do I ensure I will not be Infected?
* Ensure the Office macro virus protection is turned on as described
above. Always choose "disable macros" when asked, if you are
unsure of the purpose of the macro in the document. Doing so will
still allow you to open the document and read its contents. Once
certain the macro is safe, you can then re-open the document and
enable the macro.
* Run the latest anti-virus software, and scan often. This is how
you can ensure that the macros in documents are safe. Disinfectors
for this particular virus are already available from a number of
anti-virus companies. Also remember to keep your anti-virus
software up to date by installing the latest signature files for
that company. (Most companies creating anti-virus applications
release a new signature file each month. The following Knowledge
Base article lists some popular vendors
http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
* Communicate this information to all those who could become
infected.
What should I do if I have (or think I have) been infected by this virus?
* Run anti-virus software containing the latest update, and scan
your system often. Support for this particular virus is already
available from a number of anti-virus companies. The following
Knowledge Base article lists some popular vendors
http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
* Ensure your Office virus protection is turned on. It is possible
that once the virus has been allowed to run, it can disable the
virus protection in Word 97 or Word 2000. Remember to make sure
Office macro virus protection is turned on by performing the steps
listed above.
What if I have more questions on Macro Viruses?
Visit the Microsoft anti-virus website site to learn more about macro
viruses.
------------------------------
Date: Tue, 30 Mar 1999 14:39:21 -0600 (CST)
From: Jim Thomas
Subject: File 4--Dangers of Universal Platforms (ZDNet Excerpt)
((CuD MODERATORS' NOTE: Melissa is generating debate about the
dangers of universal platforms and their potential vulnerability
to destructive epidemics. Peter Coffee's full article is worth
reading.))
Source: ZDNet
http://www.zdnet.com/zdnn/stories/comment/0,5859,2233128,00.htm
Peter Coffee - Rumors & Comment
We shouldn't be surprised
By Peter Coffee, PC Week Online
March 27, 1999 4:40 PM PT
Microsoft Office is a new breed of enterprise platform, enabling a
high degree of inter-application communication (IAC) and permitting
extensive customization. These are strengths in the hands of
responsible users and disciplined programmers, but they become grave
risks on public networks exchanging content among untrusted sources.
The Melissa virus demonstrates Office's risks, and serves as a
warning to enterprise IT architects and users that there's no such
thing as a convenience without a cost.
((snip))
------------------------------
Date: Tue, 30 Mar 1999 14:41:54 -0600 (CST)
From: Jim Thomas
Subject: File 5--Melissa Creator may be Uncovered (ZDNet Excerpt)
Source: ZDNet
http://www.zdnet.com/zdnn/stories/news/0,4586,2233931,00.html
Melissa creator may be uncovered
Thanks to a controversial serial ID number, researchers seem to have
found the virus writer.
By Robert Lemos, ZDNN
March 29, 1999 5:49 PM PT
Two software engineers have extracted information from the Melissa
virus that appears to lead to an account on America Online Inc. and a
Web site that, if matched with a person, could lead law enforcement
officials to the author of the prolific virus.
The key is a controversial serial number, called the Global
Unique Identifier or GUID, which is included in files created with
Microsoft Corp.'s (Nasdaq:MSFT) Office, as well as some other
applications, including Visual Basic. The serial number raised the
concern of privacy advocates just a few weeks ago for its ability to
be used to trace certain documents back to their creator.
((snip))
------------------------------
Date: Sun, 10 Jan 1999 22:51:01 CST
From: CuD Moderators
Subject: File 6--Cu Digest Header Info (unchanged since 10 Jan, 1999)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send post with this in the "Subject:" line:
SUBSCRIBE CU-DIGEST
Send the message to: cu-digest-request@weber.ucsd.edu
DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.
The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)
The mailing list is automated, so no human lies at the other end.
CuD is readily accessible from the Net:
UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
Web-accessible from: http://www.etext.org/CuD/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
------------------------------
End of Computer Underground Digest #11.20
************************************
Page maintained by: Jim Thomas - cudigest@sun.soci.niu.edu