Bugtraq mailing list archives

Re: Melissa Macro Virus

From: Sonja.Rodefeld () DOWJONES COM (Rodefeld, Sonja)
Date: Wed, 31 Mar 1999 10:18:21 -0500

From my research on Melissa, in a nutshell,  (although not totally

exhaustive by any  means and please correct me if I am wrong), Melissa
infects normal.dot with the macro.  The macro also disables the ability to
view that the virus macro is present in the .dot file.  Once normal.dot is
infected by the original virus document (by whatever name - list.doc,
iminfected.doc), and a new document is CREATED using that template (not
OPENED) is now infected.  And once this "new" document is opened by an
"outlook" person the whole thing starts all over with the new document being
sent out...  If a document is OPENED and was created using an uninfected
"normal.dot" than it is "OK". I have seen instances where list.doc started
it and then it changed over to send out other documents.

The only problem I see with making normal.dot to read-only is that in many
cases users DO need to make changes to the norml.dot.  So it then becomes a
functionality issue which must be balanced against security.  I have in the
past made changes to normal.dot because of repetitiveness in my ocuments
(headings, footers, etc..). But I could also work around this by creating a
completely new template under a different name) to work off of and thus
never have to change the normal.dot template.


-----Original Message-----
From: Brett Glass [mailto:brett () LARIAT ORG]
Sent: Wednesday, March 31, 1999 12:30 AM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Melissa Macro Virus


Melissa doesn't just infect NORMAL.DOT. It also infects anything you open
after you've opened the infected document. Read the code....

--Brett

At 02:10 PM 3/30/99 +0200, Bronek Kozicki wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is another kind of protection (and I used it sucesfully in my network
for last few months). Just set NORMAL.DOT read only attribute. When exiting
Word user will be warned with message "unable to save modified Normal.dot"

he/she then comes to support, and then we know that we have problem. Of
course - normal.dot is placed in user's profile. This is pretty simple kind
of protection against macro-viruses in Word.


Bronek Kozicki

- --------------------------------------------------
ICQ UID: 25404796            PGP KeyID: 0x4A30FA9A
07EE 10E6 978C 6B33 5208  094E BD61 9067 4A30 FA9A

Current thread:

Re: Bug in xfs, (continued)
- - - Re: Bug in xfs Roman Drahtmueller (Mar 30)
    - Re: Bug in xfs Matthieu Herrb (Mar 30)
    - Re: Bug in xfs Juha Virtanen (Mar 30)
    - Re: Bug in xfs Alan Cox (Mar 31)
    - [support_feedback () us-support external hp com: Security Bulletins Patrick Oonk (Mar 31)
  - Re: Melissa Macro Virus Bronek Kozicki (Mar 30)
    - Re: Melissa Macro Virus Brett Glass (Mar 30)
    - Re: Melissa Macro Virus Dimitry Andric (Mar 31)
    - Potential vulnerability in SCO TermVision Windows 95 client JJ Gray (Mar 31)
- Re: Melissa Macro Virus Darryl Braaten (Mar 29)
- Re: Melissa Macro Virus Rodefeld, Sonja (Mar 31)