ANST - Re: FW: [gdh] CERT Advisory CA-99.04 - Melissa Macro Virus (fwd)

Gunnora Hallakarva gunnora at bga.com
Mon Mar 29 17:27:22 PST 1999


Here's an update, folks.  Copycat viruses based on Melissa are already out there.  Now you also need
to watch for altered Subject lines (the most common variant).  There's a particularly virulent
little b*stard of Melissa that uses Excel macros to do its dirty work, and early indications show
that it's manipulating MAPI protocols -- giving it access to email systems *other* than Outlook.

The hard and fast rule:  If you are not absolutely certain what the contents of a document are in
advance, do not open it.  Responsible users will describe fully the contents of attachments in the
email. If you open a document and it asks you to run a macro, tell it NO.  If you were so silly as
to disable the macro warnings in your applications, turn 'em back on.

Sad that people have nothing better to do than to build and distribute this shit.  Some industry
estimates say that Melissa cost U.S. companies something like $6 billion since Friday in time and
personnel spent fixing problems, plus downtime when user communities could not use their email
systems.

*sigh*

::GUNNORA::

Gunnora Hallakarva wrote:

> The Melissa warning is in fact a good one, and all Word97 and Outlook users
> should pay close attention.  I've been scrambling all day trying to get it off
> our network.  It didn't shut down our mail servers, but only because I saw it
> start and got the machines shut down that were infected.  We then cleaned
> machines one by one.  *sigh*
>
> For some excellent and informative articles on the Word97-based macro virus that
> brought Microsoft to its knees (along with other major corporations and
> thousands of smaller companies), see:
>
> Carnegie Mellon's Computer Emergency Response Team (CERT) Worldwide Bulletin:
> http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
>
> Excite Article
> http://www.excite.com/computers_and_internet/tech_news/zdnet/?article=/news/19990327/2233130.inp
>
> CNN's news stories on Melissa:
> http://cnn.com/TECH/computing/9903/29/melissa.idg/index.html
> http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/index.html
> http://cnn.com/TECH/computing/9903/29/melissa.02.idg/index.html
> http://cnn.com/TECH/computing/9903/28/email.virus/index.html
> http://cnn.com/US/9903/27/AM-ComputerVirus.ap/index.html
>
> The simple rules:
>
> (1) Do not open any email that has a subject line of "Important Message From"
> followed by the name of someone you know (or maybe someone you don't know)
>
> (2) If by some sad chance you do open the message, you'll find that it says:
> "Here is the message you asked for.  Don't show anyone else ;-)"
>
> (3) If you went this far, you may still be OK.  The problem lies in the attached
> Word document, "list.doc".
>
> List.doc appears to be simply a list of pornographic web sites -- the original
> focus of infection was a message sent to one of the alt.sex Usenet lists.
>
> If you opened that document, and it was able to run its associated macros
> (particularly easy with Word users who turned off the "Notify me before running
> macros" option), then it will install a registry key, it contaminates the
> normal.dot (ensuring that all new documents you create are infected), and it
> links into Outlook and accesses your Address Book, and sends the same filthy
> little message to up to 50 users from the top of the address list.
>
> And if you don't use Microsoft Word 97 (or the prerelease version of Word 2000),
> breathe a sigh of relief: Melissa can't infect your computer.  If you use Word 97
> or Word 2000, but don't use Microsoft Outlook, Melissa can't grab your e-mail
> addresses and propagate itself. But it can still infect your computer, and while
> it doesn't appear to do more than send out more such messages, its other
> potential effects aren't completely understood yet.
>
> (4) Symptoms:
>
> A Registry key is set: "HKEY_Current_User\Software\Microsoft\Office\Melissa?" --
> the value will be "...by Kwyjibo"
>
> If the minute of the hour matches the day of the month (i.e., 3:29 occurs on
> March 9th), the macro inserts into the current Word document a quote from the
> Simpsons: "Twenty-two points, plus triple-word-score, plus fifty points for
> using all my letters. Game's over. I'm outta here."
>
> Note that if you open an infected document with macros disabled and look at the
> list of macros in this document, neither Word97 nor Word2000 lists the macro. The
> code is actually VBA (Visual Basic for Applications) code associated with the
> "document.open" method. You can see the code by going into the Visual Basic
> editor.
>
> One possibility (not yet confirmed) is that the virus may randomly send your own
> Word documents to others... which could be deadly to your business, or your
> reputation...
>
> (5) Protection vs. Melissa
>
> At this point, all major antivirus software companies have updates that handle
> Melissa. If you are running antivirus software, you should update it
> immediately.
>
> Whether or not you have antivirus software on your PC, you can disable automatic macro
> execution in Word 97. Select Tools, Options, General and make sure the "macro
> virus protection" box is checked.

============================================================================
Go to http://lists.ansteorra.org/lists.html to perform mailing list tasks.
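The indicators listed in the two messages above (subject prefix, body text, attachment name), turned into a mail-triage check that still fires when a copycat alters the subject line. This is an added example, not part of the original post; the function names, the extension list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted in the messages above; variants change the subject,
# so no single indicator is required for a match.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is the message you asked for"
ATTACHMENT_NAME = "list.doc"
OFFICE_EXT = (".doc", ".dot", ".xls")  # assumption: Word/Excel types treated as macro-capable

def melissa_indicators(raw):
    """Return the indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment-name")
        elif name.endswith(OFFICE_EXT):
            hits.append("office-attachment")
        elif not name and part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            text = data.decode(part.get_content_charset() or "ascii", "replace")
            if BODY_PHRASE in " ".join(text.lower().split()):
                hits.append("body")
    return hits

def triage(raw):
    """quarantine: Office attachment plus a known marker; review: unexplained Office attachment."""
    hits = set(melissa_indicators(raw))
    office = hits & {"attachment-name", "office-attachment"}
    if office and hits & {"subject", "body", "attachment-name"}:
        return "quarantine"
    return "review" if office else "pass"

def build_sample(subject, body, attachment=None):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "friend@example.com", "you@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    lure = "Here is the message you asked for.  Don't show anyone else ;-)"
    print(triage(build_sample("Important Message From Jane Doe", lure, "list.doc")))
    print(triage(build_sample("Fwd: notes", lure, "report.doc")))
```

The "review" verdict mirrors the post's rule for any Office document whose contents were not described in advance.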


