Bugtraq mailing list archives
Re: Melissa Macro Virus
From: Jimmy_Kuo () NAI COM (Kuo, Jimmy)
Date: Fri, 26 Mar 1999 19:00:35 -0800
Nate Lawson does a wonderful writeup to which I will make minor clarifications:
Here is my analysis of how the virus works. The McAfee article aleph1 posted neglects to mention that it infects the active document and Normal.dot
[Hide face] In all the clamor over the spreading aspect, we forgot to tell people that it's a normal macro virus in all other means. And that if you don't have Outlook, breath calm. But if you do have Outlook, WATCH OUT! "infects the active document" is redundant. It's infected. That's what starts this.
1. Check for Word security controls and disable them:
Word 2000
Macro.Security... = FALSE
Word 97
Options.ConfirmConversions = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
2. See if machine is already infected Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by Kwyjibo"
3. If it wasn't already infected, go through the Outlook addressbook and send mail to the first 50 names
First 50 names of every addressbook. And the kicker? Look at the first 50 names in your address books? How many mailing lists are there?
Subject: Important Message From <Full Name> Body: Here is that document you asked for... don't show anyone else ;-)
Attachment: itself, named "list.doc"
This time. We have discovered that it was posted to alt.sex in a file named LIST.ZIP.
After sending the mail, add the registry key to disable further infection.
Disables future mailings. Infections can happen again. But the email blast will happen only the first time, unless you clean the registry. So we recommend that you do not remove that element of the registry.
4. Open the Active Document and Normal.dot and infect them with itself
5. On the way out, check if the current day equals the current minute. If so, print "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
It does not appear to do anything malicious other than shutting down your mail server with tons of mail as users start opening the attachment. It appears the virus vendors have a patch out now. To avoid infection, disable macros when opening any Word document or just don't open the attachment. Thanks to Josh Siegel for sending me the code.
Good ideas. Jimmy Kuo Director, AV Research, Network Associates (or as he says, McAfee) jkuo () nai com
Current thread:
- Melissa Macro Virus Aleph One (Mar 26)
- <Possible follow-ups>
- Re: Melissa Macro Virus Nate Lawson (Mar 26)
- Re: Melissa Macro Virus Matthew Kirkwood (Mar 27)
- Re: Melissa Macro Virus Nick FitzGerald (Mar 29)
- Re: Melissa Macro Virus Matthew Kirkwood (Mar 27)
- Re: Melissa Macro Virus Kuo, Jimmy (Mar 26)
- Re: Melissa Macro Virus Jim Reavis (Mar 26)
- Re: Melissa Macro Virus Doug Granzow (Mar 29)
- Re: Melissa Macro Virus Brett Glass (Mar 28)
- Bug in xfs Lukasz Trabinski (Mar 29)
- ICQ Webserver bug Kerb (Mar 29)
- IE 5.0 allows reading and sending local files to a remote server Georgi Guninski (Mar 30)
- Excel Virus Seree Visitseelwat (Mar 30)
- Re: IE 5.0 allows reading and sending local files to a remote Andrew Tulloch (Mar 31)
- Procmail scanning for hostile macros in Microsoft document e-mail John D. Hardin (Mar 31)
- Excel variant of Melissa Marcel de Haas (Mar 30)
- Bug in xfs Lukasz Trabinski (Mar 29)