tgschs10 on sat 22 jul 00
FYI,
=20
=20
CERT=AE Advisory CA-99-04-Melissa-Macro-Virus
Original issue date: March 27, 1999
Last revised: March 31, 1999
A complete revision history is at the end of this file.=20
Systems Affected
a.. Machines with Microsoft Word 97 or Word 2000=20
b.. Any mail handling system could experience performance problems or =
a denial of service as a result of the propagation of this macro virus.=20
Overview
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began =
receiving reports of a Microsoft Word 97 and Word 2000 macro virus which =
is propagating via email attachments. The number and variety of reports =
we have received indicate that this is a widespread attack affecting a =
variety of sites.=20
Our analysis of this macro virus indicates that human action (in the =
form of a user opening an infected Word document) is required for this =
virus to propagate. It is possible that under some mailer =
configurations, a user might automatically open an infected document =
received in the form of an email attachment. This macro virus is not =
known to exploit any new vulnerabilities. While the primary transport =
mechanism of this virus is via email, any way of transferring files can =
also propagate the virus.=20
Anti-virus software vendors have called this macro virus the Melissa =
macro or W97M_Melissa virus.=20
In addition to this advisory, please see the Melissa Virus FAQ =
(Frequently Asked Questions) document available at:=20
http://www.cert.org/tech_tips/Melissa_FAQ.html=20
I. Description
The Melissa macro virus propagates in the form of an email message =
containing an infected Word document as an attachment. The transport =
message has most frequently been reported to contain the following =
Subject header=20
Subject: Important Message From
Where is the full name of the user sending the message.=20
The body of the message is a multipart MIME message containing two =
sections. The first section of the message (Content-Type: text/plain) =
contains the following text.=20
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially =
reported to be a document called "list.doc". This document contains =
references to pornographic web sites. As this macro virus spreads we are =
likely to see documents with other names. In fact, under certain =
conditions the virus may generate attachments with documents created by =
the victim.=20
When a user opens an infected .doc file with Microsoft Word97 or =
Word2000, the macro virus is immediately executed if macros are enabled. =
Upon execution, the virus first lowers the macro security settings to =
permit all macros to run when documents are opened in the future. =
Therefore, the user will not be notified when the virus is executed in =
the future.=20
The macro then checks to see if the registry key=20
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"=20
has a value of "... by Kwyjibo". If that registry key does not exist or =
does not have a value of "... by Kwyjibo", the virus proceeds to =
propagate itself by sending an email message in the format described =
above to the first 50 entries in every Microsoft Outlook MAPI address =
book readable by the user executing the macro. Keep in mind that if any =
of these email addresses are mailing lists, the message will be =
delivered to everyone on the mailing lists. In order to successfully =
propagate, the affected machine must have Microsoft Outlook installed; =
however, Outlook does not need to be the mailer used to read the =
message.=20
This virus can not send mail on systems running MacOS; however, the =
virus can be stored on MacOS.=20
Next, the macro virus sets the value of the registry key to "... by =
Kwyjibo". Setting this registry key causes the virus to only propagate =
once per session. If the registry key does not persist through sessions, =
the virus will propagate as described above once per every session when =
a user opens an infected document. If the registry key persists through =
sessions, the virus will no longer attempt to propagate even if the =
affected user opens an infected document.=20
The macro then infects the Normal.dot template file. By default, all =
Word documents utilize the Normal.dot template; thus, any newly created =
Word document will be infected. Because unpatched versions of Word97 may =
trust macros in templates the virus may execute without warning. For =
more information please see:=20
http://www.microsoft.com/security/bulletins/ms99-002.asp=20
Finally, if the minute of the hour matches the day of the month at this =
point, the macro inserts into the current document the message =
"Twenty-two points, plus triple-word-score, plus fifty points for using =
all my letters. Game's over. I'm outta here."=20
Note that if you open an infected document with macros disabled and look =
at the list of macros in this document, neither Word97 nor Word2000 list =
the macro. The code is actually VBA (Visual Basic for Applications) code =
associated with the "document.open" method. You can see the code by =
going into the Visual Basic editor.=20
If you receive one of these messages, keep in mind that the message came =
from someone who is affected by this virus and they are not necessarily =
targeting you. We encourage you to contact any users from which you have =
received such a message. Also, we are interested in understanding the =
scope of this activity; therefore, we would appreciate if you would =
report any instance of this activity to us according to our Incident =
Reporting Guidelines document available at:=20
http://www.cert.org/tech_tips/incident_reporting.html=20
II. Impact
a.. Users who open an infected document in Word97 or Word2000 with =
macros enabled will infect the Normal.dot template causing any documents =
referencing this template to be infected with this macro virus. If the =
infected document is opened by another user, the document, including the =
macro virus, will propagate. Note that this could cause the user's =
document to be propagated instead of the original document, and thereby =
leak sensitive information.=20
b.. Indirectly, this virus could cause a denial of service on mail =
servers. Many large sites have reported performance problems with their =
mail servers as a result of the propagation of this virus.=20
III. Solutions
a.. Block messages with the signature of this virus at your mail =
transfer agents or other central point of control.
a.. With Sendmail
Nick Christenson of sendmail.com provided information about =
configuring sendmail to filter out messages that may contain the Melissa =
virus. This information is available from the follow URL:=20
http://www.sendmail.com/blockmelissa.html=20
b.. With John Hardin's Procmail security filter package
More information is available from:=20
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html=20
c.. With Innosoft's PMDF
More information is available from:=20
http://www.innosoft.com/iii/pmdf/virus-word-emergency.html=20
b.. Utilize virus scanners
Most virus scanning tools will detect and clean macro viruses. In =
order to detect and clean current viruses you must keep your scanning =
tools up to date with the latest definition files.=20
a.. Computer Associates
Virus signature versions that detect and cure melissa virus.=20
Windows NT 3.x & 4.x 4.19d=20
Windows 95 4.19e=20
Windows 98 4.19e=20
Windows 3.1 4.19e=20
Netware 3.x, 4.x & 5.0 4.19e=20
Any of the above virus signatures files can be downloaded at:=20
http://www.support.cai.com=20
b.. McAfee / Network Associates
http://vil.mcafee.com/vil/vm10118.asp=20
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp=20
c.. Sophos
http://www.sophos.com/downloads/ide/index.html#melissa=20
d.. Symantec
http://www.symantec.com/avcenter/venc/data/mailissa.html=20
e.. Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html=20
c.. Encourage users at your site to disable macros in Microsoft Word
Notify all of your users of the problem and encourage them to disable =
macros in Word. You may also wish to encourage users to disable macros =
in any product that contains a macro language as this sort of problem is =
not limited to Microsoft Word.=20
In Word97 you can disable automatic macro execution (click =
Tools/Options/General then turn on the 'Macro virus protection' =
checkbox). In Word2000 macro execution is controlled by a security level =
variable similar to Internet Explorer (click on Tools/Macro/Security and =
choose High, Medium, or Low). In that case, 'High' silently ignores the =
VBA code, Medium prompts in the way Word97 does to let you enable or =
disable the VBA code, and 'Low' just runs it.=20
Word2000 supports Authenticode on the VB code. In the 'High' setting =
you can specify sites that you trust and code from those sites will run. =
d.. General protection from Word Macro Viruses
For information about macro viruses in general, we encourage you to =
review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy =
Kuo which is available at.=20
http://www.nai.com/services/support/vr/free.asp=20
Additional Information
a.. For more information about the Melissa virus please see the =
Melissa Virus FAQ (Frequently Asked Questions) document available at:=20
http://www.cert.org/tech_tips/Melissa_FAQ.html=20
b.. We have received a number of reports from people confusing the =
Happy99.exe Trojan Horse with the Melissa virus. For more information =
about Happy99.exe please see:=20
http://www.cert.org/incident_notes/IN-99-02.html=20
c.. The Department of Energy's Computer Incident Advisory Capability =
(CIAC) has published several documents that you may wish to examine. =
These are available at available at=20
http://www.ciac.org/ciac/bulletins/j-037.shtml=20
http://ciac.llnl.gov/ciac/bulletins/i-023.shtml=20
d.. Microsoft Corporation has published information about this macro =
virus. Their document is available from:=20
http://officeupdate.microsoft.com/articles/macroalert.htm=20
Acknowledgements
We would like to thank Jimmy Kuo of Network Associates, Eric Allman and =
Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, Jason =
Garms and Karan Khanna of Microsoft, Ned Freed of Innosoft, and John =
Hardin for providing information used in this advisory.=20
Additionally we would like to thank the many sites who reported this =
activity.=20
-------------------------------------------------------------------------=
-------
This document is available from: =
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html=20
-------------------------------------------------------------------------=
-------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) =
Monday through Friday; they are on call for emergencies during other =
hours, on U.S. holidays, and on weekends.=20
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our =
public PGP key is available from=20
http://www.cert.org/CERT_PGP.key=20
If you prefer to use DES, please call the CERT hotline for more =
information.=20
Getting security information
CERT publications and other security information are available from our =
web site=20
http://www.cert.org/=20
To be added to our mailing list for advisories and bulletins, send email =
to cert-advisory-request@cert.org and include SUBSCRIBE =
your-email-address in the subject of your message.=20
* "CERT" and "CERT Coordination Center" are registered in the U.S. =
Patent and Trademark Office.=20
-------------------------------------------------------------------------=
-------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software =
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon =
University makes no warranties of any kind, either expressed or implied =
as to any matter including, but not limited to, warranty of fitness for =
a particular purpose or merchantability, exclusivity or results obtained =
from use of the material. Carnegie Mellon University does not make any =
warranty of any kind with respect to freedom from patent, trademark, or =
copyright infringement.=20
-------------------------------------------------------------------------=
-------
Conditions for use, disclaimers, and sponsorship information=20
Copyright 1999 Carnegie Mellon University.
-------------------------------------------------------------------------=
-------
Revision History=20
March 28, 1999: Changed the reference to the sendmail
patches from ftp.cert.org to www.sendmail.com. Added
information for Innosoft, Sophos, and John Hardin's procmail
filter kit.
March 29, 1999: Formatting changes
March 29, 1999: Added information for Computer Associates
March 29, 1999: Fixed a broken link
March 29, 1999: Added a link to information at
Microsoft, added a link to information about Happy99.exe,
added information about MacOS, and clairfied that only MS
Outlook MAPI address books are involved.
March 31, 1999: Added links to the Melissa FAQ
Tom Sawyer
tgschs10@msn.com
NeilBerkowitz on sat 22 jul 00
Below is the information about the most recent Outlook vulnerabilty issue
Microsoft posted to their msn network support site:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Security Alert: Vulnerability in Microsoft Outlook and Outlook Express
This is an alert regarding a security vulnerability in Microsoft® Outlook®
and Outlook Express. Under certain conditions, this vulnerability could
allow a malicious user to cause code to execute on another user’s computer.
Note: This security vulnerability is unlike recent computer viruses. You
will not be able to recognize incoming e-mails that contain the malicious
code. Not opening or deleting suspected e-mail will not prevent damage from
occurring. Please see “HOW TO PROTECT YOUR COMPUTER” for information on
protecting your computer.
WHO IS AFFECTED?
You may be vulnerable if you use any of the following e-mail programs on
your computer:
Microsoft Outlook Express 4.0
Microsoft Outlook Express 4.01
Microsoft Outlook Express 5.0
Microsoft Outlook Express 5.01
Microsoft Outlook 97
Microsoft Outlook 98
Microsoft Outlook 2000
To check your version of Microsoft Outlook: In Microsoft Outlook, click the
Help menu, and then click About Microsoft Outlook.
To check your version of Outlook Express: In Outlook Express, click the Help
menu, and then click About Microsoft Outlook Express.
HOW TO PROTECT YOUR COMPUTER
Upgrading your version of Internet Explorer eliminates this security
vulnerability in Microsoft Outlook and Outlook Express.
To protect your computer, install either of the following upgrades now:
Internet Explorer 5.01 Service Pack 1
Internet Explorer 5.5 on any system except Windows 2000.
Note: If you are using Windows 2000, install the Internet Explorer 5.01
Service Pack 1.
Note: Patches will be available shortly that will eliminate the
vulnerability without requiring a full version upgrade. When they are
available, Microsoft Security Bulletin (MS00-043) will be updated with this
information.
MORE INFORMATION
For a description of this security vulnerability, please see the following
Microsoft security bulletins:
· Microsoft Security Bulletin (MS00-043)
· Microsoft Security Bulletin (MS00-043): Frequently Asked Questions
E-Mail Update Tool -- If you are having problems sending and receiving
e-mail in Microsoft® Outlook® Express 5, you may be able to correct your
mail settings with our e-mail update tool.
Posted: 06/28/00 7:00 pm Pacific time
Updated: 07/19/00 5:00 pm Pacific time
Back to Top
| |
|
