Bugtraq mailing list archives
Re: Melissa Macro Virus
From: Sonja.Rodefeld () DOWJONES COM (Rodefeld, Sonja)
Date: Wed, 31 Mar 1999 10:18:21 -0500
From my research on Melissa, in a nutshell, (although not totally
exhaustive by any means and please correct me if I am wrong), Melissa infects normal.dot with the macro. The macro also disables the ability to view that the virus macro is present in the .dot file. Once normal.dot is infected by the original virus document (by whatever name - list.doc, iminfected.doc), and a new document is CREATED using that template (not OPENED) is now infected. And once this "new" document is opened by an "outlook" person the whole thing starts all over with the new document being sent out... If a document is OPENED and was created using an uninfected "normal.dot" than it is "OK". I have seen instances where list.doc started it and then it changed over to send out other documents. The only problem I see with making normal.dot to read-only is that in many cases users DO need to make changes to the norml.dot. So it then becomes a functionality issue which must be balanced against security. I have in the past made changes to normal.dot because of repetitiveness in my ocuments (headings, footers, etc..). But I could also work around this by creating a completely new template under a different name) to work off of and thus never have to change the normal.dot template. -----Original Message----- From: Brett Glass [mailto:brett () LARIAT ORG] Sent: Wednesday, March 31, 1999 12:30 AM To: BUGTRAQ () NETSPACE ORG Subject: Re: Melissa Macro Virus Melissa doesn't just infect NORMAL.DOT. It also infects anything you open after you've opened the infected document. Read the code.... --Brett At 02:10 PM 3/30/99 +0200, Bronek Kozicki wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There is another kind of protection (and I used it sucesfully in my network for last few months). Just set NORMAL.DOT read only attribute. When exiting Word user will be warned with message "unable to save modified Normal.dot"
-
he/she then comes to support, and then we know that we have problem. Of course - normal.dot is placed in user's profile. This is pretty simple kind of protection against macro-viruses in Word. Bronek Kozicki - -------------------------------------------------- ICQ UID: 25404796 PGP KeyID: 0x4A30FA9A 07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A
Current thread:
- Re: Bug in xfs, (continued)
- Re: Bug in xfs Roman Drahtmueller (Mar 30)
- Re: Bug in xfs Matthieu Herrb (Mar 30)
- Re: Bug in xfs Juha Virtanen (Mar 30)
- Re: Bug in xfs Alan Cox (Mar 31)
- [support_feedback () us-support external hp com: Security Bulletins Patrick Oonk (Mar 31)
- Re: Melissa Macro Virus Bronek Kozicki (Mar 30)
- Re: Melissa Macro Virus Brett Glass (Mar 30)
- Re: Melissa Macro Virus Dimitry Andric (Mar 31)
- Potential vulnerability in SCO TermVision Windows 95 client JJ Gray (Mar 31)
- Re: Melissa Macro Virus Darryl Braaten (Mar 29)
- Re: Melissa Macro Virus Rodefeld, Sonja (Mar 31)