[10008] in bugtraq
Re: Melissa Macro Virus
daemon@ATHENA.MIT.EDU (Kuo, Jimmy)
Fri Mar 26 22:38:58 1999
Date: Fri, 26 Mar 1999 19:00:35 -0800
Reply-To: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
From: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
To: BUGTRAQ@NETSPACE.ORG
Nate Lawson does a wonderful writeup to which I will make minor
clarifications:
>Here is my analysis of how the virus works. The McAfee article aleph1
>posted neglects to mention that it infects the active document and
>Normal.dot
[Hide face]
In all the clamor over the spreading aspect, we forgot to tell people that
it's a normal macro virus in all other means. And that if you don't have
Outlook, breath calm. But if you do have Outlook, WATCH OUT!
"infects the active document" is redundant. It's infected. That's what
starts this.
>1. Check for Word security controls and disable them:
> Word 2000
> Macro.Security... = FALSE
> Word 97
> Options.ConfirmConversions = 0
> Options.VirusProtection = 0
> Options.SaveNormalPrompt = 0
>2. See if machine is already infected
> Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
>Kwyjibo"
>3. If it wasn't already infected, go through the Outlook addressbook and
>send mail to the first 50 names
First 50 names of every addressbook.
And the kicker? Look at the first 50 names in your address books? How many
mailing lists are there?
> Subject: Important Message From <Full Name>
> Body: Here is that document you asked for... don't show anyone else
>;-)
> Attachment: itself, named "list.doc"
This time. We have discovered that it was posted to alt.sex in a file named
LIST.ZIP.
> After sending the mail, add the registry key to disable further
>infection.
Disables future mailings. Infections can happen again. But the email blast
will happen only the first time, unless you clean the registry. So we
recommend that you do not remove that element of the registry.
>4. Open the Active Document and Normal.dot and infect them with itself
>5. On the way out, check if the current day equals the current minute.
>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
>for using all my letters. Game's over. I'm outta here."
>It does not appear to do anything malicious other than shutting down your
>mail server with tons of mail as users start opening the attachment. It
>appears the virus vendors have a patch out now. To avoid infection,
>disable macros when opening any Word document or just don't open the
>attachment. Thanks to Josh Siegel for sending me the code.
Good ideas.
Jimmy Kuo
Director, AV Research, Network Associates
(or as he says, McAfee)
jkuo@nai.com
