Re: Melissa Macro Virus

[nate () ROOT ORG (Nate Lawson)]

Here is my analysis of how the virus works.  The McAfee article aleph1
posted neglects to mention that it infects the active document and
Normal.dot

1.  Check for Word security controls and disable them:
    Word 2000
        Macro.Security... = FALSE
    Word 97
        Options.ConfirmConversions = 0
        Options.VirusProtection = 0
        Options.SaveNormalPrompt = 0

2.  See if machine is already infected
    Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
Kwyjibo"

3.  If it wasn't already infected, go through the Outlook addressbook and
send mail to the first 50 names
    Subject: Important Message From <Full Name>
    Body:  Here is that document you asked for... don't show anyone else
;-)
    Attachment:  itself, named "list.doc"

    After sending the mail, add the registry key to disable further
infection.

4.  Open the Active Document and Normal.dot and infect them with itself

5.  On the way out, check if the current day equals the current minute.
If so, print "Twenty-two points, plus triple-word-score, plus fifty points
for using all my letters.  Game's over.  I'm outta here."

It does not appear to do anything malicious other than shutting down your
mail server with tons of mail as users start opening the attachment.  It
appears the virus vendors have a patch out now.  To avoid infection,
disable macros when opening any Word document or just don't open the
attachment.  Thanks to Josh Siegel for sending me the code.

-Nate