[10010] in bugtraq
Re: Melissa Macro Virus
daemon@ATHENA.MIT.EDU (Jim Reavis)
Sun Mar 28 01:05:56 1999
Date: Fri, 26 Mar 1999 20:20:13 -0800
Reply-To: Jim Reavis <jreavis@SECURITYPORTAL.COM>
From: Jim Reavis <jreavis@SECURITYPORTAL.COM>
To: BUGTRAQ@NETSPACE.ORG
The one thing I would like to add is that the virus code actually walks
through every available address list and grabs 50 recipients off of each for
a separate message, so if your Outlook client is attached to an Exchange
Server, it will hit the Global Address List and other available containers,
where it may find large distribution lists.
I will shortly have my analysis up at http://securityportal.com/
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com
-----Original Message-----
From: Kuo, Jimmy [mailto:Jimmy_Kuo@NAI.COM]
Sent: Friday, March 26, 1999 7:01 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Melissa Macro Virus
Nate Lawson does a wonderful writeup to which I will make
minor
clarifications:
>Here is my analysis of how the virus works. The McAfee
article aleph1
>posted neglects to mention that it infects the active
document and
>Normal.dot
[Hide face]
In all the clamor over the spreading aspect, we forgot to
tell people that
it's a normal macro virus in all other means. And that if
you don't have
Outlook, breath calm. But if you do have Outlook, WATCH
OUT!
"infects the active document" is redundant. It's infected.
That's what
starts this.
>1. Check for Word security controls and disable them:
> Word 2000
> Macro.Security... = FALSE
> Word 97
> Options.ConfirmConversions = 0
> Options.VirusProtection = 0
> Options.SaveNormalPrompt = 0
>2. See if machine is already infected
> Check HKCU\Software\Microsoft\Office\Melissa? for the
string "... by
>Kwyjibo"
>3. If it wasn't already infected, go through the Outlook
addressbook and
>send mail to the first 50 names
First 50 names of every addressbook.
And the kicker? Look at the first 50 names in your address
books? How many
mailing lists are there?
> Subject: Important Message From <Full Name>
> Body: Here is that document you asked for... don't
show anyone else
>;-)
> Attachment: itself, named "list.doc"
This time. We have discovered that it was posted to alt.sex
in a file named
LIST.ZIP.
> After sending the mail, add the registry key to disable
further
>infection.
Disables future mailings. Infections can happen again. But
the email blast
will happen only the first time, unless you clean the
registry. So we
recommend that you do not remove that element of the
registry.
>4. Open the Active Document and Normal.dot and infect them
with itself
>5. On the way out, check if the current day equals the
current minute.
>If so, print "Twenty-two points, plus triple-word-score,
plus fifty points
>for using all my letters. Game's over. I'm outta here."
>It does not appear to do anything malicious other than
shutting down your
>mail server with tons of mail as users start opening the
attachment. It
>appears the virus vendors have a patch out now. To avoid
infection,
>disable macros when opening any Word document or just don't
open the
>attachment. Thanks to Josh Siegel for sending me the code.
Good ideas.
Jimmy Kuo
Director, AV Research, Network Associates
(or as he says, McAfee)
jkuo@nai.com
