View Source

Original issue date: March 27, 1999<BR>
Last revised: March 31, 1999<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>
<UL>
<LI>Machines with Microsoft Word 97 or Word 2000</LI>
<LI>Any mail handling system could experience performance problems or
a denial of service as a result of the propagation of this macro
virus.</LI>
</UL>

<H3>Overview</H3>

<P>At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.

<P>Our analysis of this macro virus indicates that human action (in
the form of a user opening an infected Word document) is required for
this virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not
known to exploit any new vulnerabilities. While the primary transport
mechanism of this virus is via email, any way of transferring files
can also propagate the virus.

<P>Anti-virus software vendors have called this macro virus the
Melissa macro or W97M_Melissa virus.

<P>In addition to this advisory, please see the Melissa Virus FAQ
(Frequently Asked Questions) document available at:

  <DT><DD>
  <A HREF="http://www.cert.org/tech_tips/Melissa_FAQ.html">
  http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
  </DD></DT>
  </LI>

<P>

<H2>I. Description</H2>

The Melissa macro virus propagates in the form of an email message
containing an infected Word document as an attachment. The transport
message has most frequently been reported to contain the following
Subject header

<P>
<DT><DD>
<PRE>
Subject: Important Message From &lt;name&gt;
</PRE>
</DD></DT>

<P>Where &lt;name&gt; is the full name of the user sending the message.

<P>The body of the message is a multipart MIME message containing
two sections. The first section of the message (Content-Type: text/plain) 
contains the following text.

<P>
<DT><DD>
<PRE>
Here is that document you asked for ... don't show anyone else ;-)
</PRE>
</DD></DT>

<P>The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we
are likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created
by the victim.

<P>When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
enabled.

<P>Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the
future. Therefore, the user will not be notified when the virus is
executed in the future.

<P>The macro then checks to see if the registry key 

<P>
<DT><DD><B>"HKEY_Current_User\Software\Microsoft\Office\Melissa?"</B></DD></DT>

<P>has a value of <B>"... by Kwyjibo"</B>. If that registry key does not
exist or does not have a value of <B>"... by Kwyjibo"</B>, the virus
proceeds to propagate itself by sending an email message in the format
described above to the first 50 entries in every Microsoft Outlook
MAPI address book readable by the user executing the macro. Keep in
mind that if any of these email addresses are mailing lists, the
message will be delivered to everyone on the mailing lists. In order
to successfully propagate, the affected machine must have Microsoft
Outlook installed; however, Outlook does not need to be the mailer
used to read the message.

<P>This virus can not send mail on systems running MacOS; however, the
virus can be stored on MacOS.

<P>Next, the macro virus sets the value of the registry key to <B>"... by
Kwyjibo"</B>. Setting this registry key causes the virus to only
propagate once per session. If the registry key does not persist
through sessions, the virus will propagate as described above once per
every session when a user opens an infected document. If the registry
key persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.

<P>The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of
Word97 may trust macros in templates the virus may execute without
warning. For more information please see:

<P>
<DT><DD><A HREF="http://www.microsoft.com/security/bulletins/ms99-002.asp">http://www.microsoft.com/security/bulletins/ms99-002.asp</A>

<P>Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters.  Game's over.  I'm outta here."

<P>Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can
see the code by going into the Visual Basic editor.

<P>If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document available
at:

<P>
<DT><DD><A HREF="http://www.cert.org/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></DD></DT>

<H2>II. Impact</H2>
<UL>

<LI>Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any
documents referencing this template to be infected with this macro
virus. If the infected document is opened by another user, the
document, including the macro virus, will propagate. Note that this
could cause the user's document to be propagated instead of the
original document, and thereby leak sensitive information.</LI>

<LI><P>Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with
their mail servers as a result of the propagation of this virus.</LI>

</UL>

<H2>III. Solutions</H2>

<UL>
<LI><H2>Block messages with the signature of this virus at your mail
transfer agents or other central point of control.</H2>

  <UL>
<LI><H3>With Sendmail</H3>

<P>Nick Christenson of sendmail.com provided information about
      configuring sendmail to filter out messages that may contain
      the Melissa virus.
  
      This information is available from the follow URL:

<P>
      <DT><DD>
      <A HREF="http://www.sendmail.com/blockmelissa.html">http://www.sendmail.com/blockmelissa.html</A>
      </DD></DT>

<P></LI>
  
<LI><H3>With John Hardin's Procmail security filter package</H3>
      More information is available from:

<P>
      <DT><DD>
      <A HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html">ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html</A>
      </DD></DT>

<P></LI>
  
<LI><H3>With Innosoft's PMDF</H3>
      More information is available from:

<P>
      <DT><DD>
      <A HREF="http://www.innosoft.com/iii/pmdf/virus-word-emergency.html">http://www.innosoft.com/iii/pmdf/virus-word-emergency.html</A>
      </DD></DT>

<P></LI>
    </UL>
  </LI>

<LI><H2>Utilize virus scanners</H2>

  Most virus scanning tools will detect and clean macro viruses. In
  order to detect and clean current viruses you must keep your scanning
  tools up to date with the latest definition files.

<P>
  <UL>
<LI><H3>Computer Associates</H3>

      Virus signature versions that detect and cure melissa virus.

<P>
      <TABLE> 
      <TR><TD>Windows NT 3.x & 4.x</TD><TD>4.19d</TD></TR>
      <TR><TD>Windows 95</TD><TD>4.19e</TD></TR>			
      <TR><TD>Windows 98</TD><TD>4.19e</TD></TR>
      <TR><TD>Windows 3.1</TD><TD>4.19e</TD></TR>
      <TR><TD>Netware 3.x, 4.x & 5.0</TD><TD>4.19e</TR>
      </TABLE>

<P>Any of the above virus signatures files can be downloaded at:
      <DT><DD>
         <A HREF="http://www.support.cai.com">http://www.support.cai.com</A>
      </DD></DT>

<P> 
    </LI>

<LI><H3>McAfee / Network Associates</H3>

      <DT><DD>
	<A HREF="http://vil.mcafee.com/vil/vm10118.asp">
	http://vil.mcafee.com/vil/vm10118.asp</A></DD><DD>
	<A HREF="http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp">
	http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp</A>
      </DD></DT>

<P> 
    </LI>

<LI><H3>Sophos</H3>

      <DT><DD>
	<A HREF="http://www.sophos.com/downloads/ide/index.html#melissa">
	http://www.sophos.com/downloads/ide/index.html#melissa</A>
      </DD></DT>

<P> 
    </LI>

<LI><H3>Symantec</H3>
        
      <DT><DD>
        <A HREF="http://www.symantec.com/avcenter/venc/data/mailissa.html">
        http://www.symantec.com/avcenter/venc/data/mailissa.html</A>
      </DD></DT>

<P> 
    </LI>

<LI><H3>Trend Micro</H3>
  
      <DT><DD>
	<A HREF="http://housecall.antivirus.com/smex_housecall/technotes.html">
	http://housecall.antivirus.com/smex_housecall/technotes.html</A>

<P></DD></DT>

<P> 
    </LI>
  </UL>
  </LI>

<LI><H2>Encourage users at your site to disable macros in Microsoft Word</H2>

  Notify all of your users of the problem and encourage them to
  disable macros in Word. You may also wish to encourage users to
  disable macros in any product that contains a macro language as this
  sort of problem is not limited to Microsoft Word.

<P>In Word97 you can disable automatic macro execution (click
  Tools/Options/General then turn on the 'Macro virus protection'
  checkbox). In Word2000 macro execution is controlled by a security
  level variable similar to Internet Explorer (click on
  Tools/Macro/Security and choose High, Medium, or Low). In that case,
  'High' silently ignores the VBA code, Medium prompts in the way
  Word97 does to let you enable or disable the VBA code, and 'Low'
  just runs it.

<P>Word2000 supports Authenticode on the VB code. In the 'High' setting
  you can specify sites that you trust and code from those sites will
  run.

<P>
  </LI>

<LI><H2>General protection from Word Macro Viruses</H2>

  For information about macro viruses in general, we encourage you to
  review the document "Free Macro AntiVirus Techniques" by Chengi
  Jimmy Kuo which is available at.

<P>
  <DT><DD>
  <A HREF="http://www.nai.com/services/support/vr/free.asp">http://www.nai.com/services/support/vr/free.asp</A>
  </DD></DT></LI>

<P>
</UL>

<H3>Additional Information</H3>
<UL>
<LI>For more information about the Melissa virus please see the
	Melissa Virus FAQ (Frequently Asked Questions) document
	available at:

<P>
  <DT><DD>
  <A HREF="http://www.cert.org/tech_tips/Melissa_FAQ.html">
  http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
  </DD></DT>
  </LI>

<P><LI>We have received a number of reports from people confusing the
	Happy99.exe Trojan Horse with the Melissa virus. For more
        information about Happy99.exe please see:
  <DT><DD>
  <A HREF="http://www.cert.org/incident_notes/IN-99-02.html">
  http://www.cert.org/incident_notes/IN-99-02.html</A>
  </DD></DT>
  </LI>

<P><LI>The Department of Energy's Computer Incident Advisory Capability
  (CIAC) has published several documents that you may wish to
  examine. These are available at  available at

<P>
  <DT><DD>
  <A HREF="http://www.ciac.org/ciac/bulletins/j-037.shtml">http://www.ciac.org/ciac/bulletins/j-037.shtml</A>
  </DD></DT><BR>
  <DT><DD>
  <A HREF="http://ciac.llnl.gov/ciac/bulletins/i-023.shtml">http://ciac.llnl.gov/ciac/bulletins/i-023.shtml</A>
  </DD></DT>
  </LI>

<P><LI>Microsoft Corporation has published information about this macro 
	virus. Their document is available from:

<P>
  <DT><DD>
  <A HREF="http://officeupdate.microsoft.com/articles/macroalert.htm">
  http://officeupdate.microsoft.com/articles/macroalert.htm</A>
  </DD></DT>
  </LI>

<P>
</UL>

<H3>Acknowledgements</H3>

<P>We would like to thank Jimmy Kuo of Network Associates, Eric Allman
and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro,
Jason Garms and Karan Khanna of Microsoft, Ned Freed of Innosoft, and
John Hardin for providing information used in this advisory.

<P>Additionally we would like to thank the many sites who reported
this activity.

<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>

<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
March 28, 1999:   Changed the reference to the sendmail
  patches from ftp.cert.org to www.sendmail.com. Added
  information for Innosoft, Sophos, and John Hardin's procmail
  filter kit.
March 29, 1999:   Formatting changes
March 29, 1999:	  Added information for Computer Associates
March 29, 1999:   Fixed a broken link
March 29, 1999:   Added a link to information at
  Microsoft, added a link to information about Happy99.exe,
  added information about MacOS, and clairfied that only MS
  Outlook MAPI address books are involved.
March 31, 1999:   Added links to the Melissa FAQ
</PRE>