A complete revision history is at the end of this file.
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus.
Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus.
In addition to this advisory, please see the Melissa Virus FAQ (Frequently Asked Questions) document available at:
Subject: Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.
When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.
Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.
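The message format described above can be turned into a mail-triage check. The following Python sketch is an added example, not part of the original advisory; the function names and the sample messages are constructed for illustration. It requires the subject, the body text and a Word attachment together, and ignores the attachment name because names other than "list.doc" are expected.

```python
import re
from email import message_from_string

# Indicators taken from the message format this advisory describes.
SUBJECT_RE = re.compile(r"^Important Message From\s+\S", re.IGNORECASE)
BODY_TEXT = "Here is that document you asked for"

def melissa_indicators(raw_message):
    """Return the set of advisory indicators present in one mail message."""
    msg = message_from_string(raw_message)
    hits = set()
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.add("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if BODY_TEXT.lower() in payload.decode("latin-1").lower():
                hits.add("body")
        elif ctype == "application/msword":
            # The attachment name is deliberately ignored: the advisory
            # warns that names other than "list.doc" will appear.
            hits.add("msword")
    return hits

def is_suspect(raw_message):
    """Flag only when subject, body text and a Word attachment all match."""
    return melissa_indicators(raw_message) == {"subject", "body", "msword"}

def _sample(subject, body, filename):
    # Constructed test message in the layout the advisory describes.
    return (
        f"From: a@example.com\nTo: b@example.com\nSubject: {subject}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f"--b1\nContent-Type: text/plain\n\n{body}\n"
        f'--b1\nContent-Type: application/msword; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )

SAMPLE_MATCH = _sample(
    "Important Message From Pat Example",
    "Here is that document you asked for ... don't show anyone else ;-)",
    "report.doc",
)
SAMPLE_BENIGN = _sample("Q1 budget", "Draft attached.", "budget.doc")
```

A message that matches only one or two indicators is left unflagged, so ordinary mail that carries a Word attachment is not caught by this check.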
The macro then checks to see if the registry key
has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.
This virus can not send mail on systems running MacOS; however, the virus can be stored on MacOS.
Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.
The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see:
Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 lists the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:
Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.
Nick Christenson of sendmail.com provided information about configuring sendmail to filter out messages that may contain the Melissa virus. This information is available from the following URL:
Windows NT 3.x & 4.x | 4.19d |
Windows 95 | 4.19e |
Windows 98 | 4.19e |
Windows 3.1 | 4.19e |
Netware 3.x, 4.x & 5.0 | 4.19e |
Any of the above virus signatures files can be downloaded at:
In Word97 you can disable automatic macro execution (click Tools/Options/General then turn on the 'Macro virus protection' checkbox). In Word2000 macro execution is controlled by a security level variable similar to Internet Explorer (click on Tools/Macro/Security and choose High, Medium, or Low). In that case, 'High' silently ignores the VBA code, Medium prompts in the way Word97 does to let you enable or disable the VBA code, and 'Low' just runs it.
Word2000 supports Authenticode on the VB code. In the 'High' setting you can specify sites that you trust and code from those sites will run.
We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of Innosoft, and John Hardin for providing information used in this advisory.
Additionally we would like to thank the many sites who reported this activity.
Copyright 1999 Carnegie Mellon University.
March 28, 1999: Changed the reference to the sendmail patches from ftp.cert.org to www.sendmail.com. Added information for Innosoft, Sophos, and John Hardin's procmail filter kit.
March 29, 1999: Formatting changes
March 29, 1999: Added information for Computer Associates
March 29, 1999: Fixed a broken link
March 29, 1999: Added a link to information at Microsoft, added a link to information about Happy99.exe, added information about MacOS, and clarified that only MS Outlook MAPI address books are involved.
March 31, 1999: Added links to the Melissa FAQ