Bugtraq mailing list archives
Re: Melissa Macro Virus
From: nate () ROOT ORG (Nate Lawson)
Date: Fri, 26 Mar 1999 17:51:49 -0800
Here is my analysis of how the virus works. The McAfee article aleph1 posted neglects to mention that it infects the active document and Normal.dot 1. Check for Word security controls and disable them: Word 2000 Macro.Security... = FALSE Word 97 Options.ConfirmConversions = 0 Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 2. See if machine is already infected Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by Kwyjibo" 3. If it wasn't already infected, go through the Outlook addressbook and send mail to the first 50 names Subject: Important Message From <Full Name> Body: Here is that document you asked for... don't show anyone else ;-) Attachment: itself, named "list.doc" After sending the mail, add the registry key to disable further infection. 4. Open the Active Document and Normal.dot and infect them with itself 5. On the way out, check if the current day equals the current minute. If so, print "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." It does not appear to do anything malicious other than shutting down your mail server with tons of mail as users start opening the attachment. It appears the virus vendors have a patch out now. To avoid infection, disable macros when opening any Word document or just don't open the attachment. Thanks to Josh Siegel for sending me the code. -Nate
Current thread:
- Melissa Macro Virus Aleph One (Mar 26)
- <Possible follow-ups>
- Re: Melissa Macro Virus Nate Lawson (Mar 26)
- Re: Melissa Macro Virus Matthew Kirkwood (Mar 27)
- Re: Melissa Macro Virus Nick FitzGerald (Mar 29)
- Re: Melissa Macro Virus Matthew Kirkwood (Mar 27)
- Re: Melissa Macro Virus Kuo, Jimmy (Mar 26)
- Re: Melissa Macro Virus Jim Reavis (Mar 26)
- Re: Melissa Macro Virus Doug Granzow (Mar 29)
- Re: Melissa Macro Virus Brett Glass (Mar 28)
- Bug in xfs Lukasz Trabinski (Mar 29)
- ICQ Webserver bug Kerb (Mar 29)
- IE 5.0 allows reading and sending local files to a remote server Georgi Guninski (Mar 30)
- Excel Virus Seree Visitseelwat (Mar 30)
- Bug in xfs Lukasz Trabinski (Mar 29)