[10071] in bugtraq
Re: Melissa Macro Virus
daemon@ATHENA.MIT.EDU (Rodefeld, Sonja)
Wed Mar 31 17:29:32 1999
Date: Wed, 31 Mar 1999 10:18:21 -0500
Reply-To: "Rodefeld, Sonja" <Sonja.Rodefeld@DOWJONES.COM>
From: "Rodefeld, Sonja" <Sonja.Rodefeld@DOWJONES.COM>
To: BUGTRAQ@NETSPACE.ORG
From my research on Melissa, in a nutshell, (although not totally
exhaustive by any means and please correct me if I am wrong), Melissa
infects normal.dot with the macro. The macro also disables the ability to
view that the virus macro is present in the .dot file. Once normal.dot is
infected by the original virus document (by whatever name - list.doc,
iminfected.doc), and a new document is CREATED using that template (not
OPENED) is now infected. And once this "new" document is opened by an
"outlook" person the whole thing starts all over with the new document being
sent out... If a document is OPENED and was created using an uninfected
"normal.dot" than it is "OK". I have seen instances where list.doc started
it and then it changed over to send out other documents.
The only problem I see with making normal.dot to read-only is that in many
cases users DO need to make changes to the norml.dot. So it then becomes a
functionality issue which must be balanced against security. I have in the
past made changes to normal.dot because of repetitiveness in my ocuments
(headings, footers, etc..). But I could also work around this by creating a
completely new template under a different name) to work off of and thus
never have to change the normal.dot template.
-----Original Message-----
From: Brett Glass [mailto:brett@LARIAT.ORG]
Sent: Wednesday, March 31, 1999 12:30 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Melissa Macro Virus
Melissa doesn't just infect NORMAL.DOT. It also infects anything you open
after you've opened the infected document. Read the code....
--Brett
At 02:10 PM 3/30/99 +0200, Bronek Kozicki wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>There is another kind of protection (and I used it sucesfully in my network
>for last few months). Just set NORMAL.DOT read only attribute. When exiting
>Word user will be warned with message "unable to save modified Normal.dot"
-
>he/she then comes to support, and then we know that we have problem. Of
>course - normal.dot is placed in user's profile. This is pretty simple kind
>of protection against macro-viruses in Word.
>
>
>Bronek Kozicki
>
>- --------------------------------------------------
>ICQ UID: 25404796 PGP KeyID: 0x4A30FA9A
>07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A
