Re: Melissa Macro Virus

[jreavis () SECURITYPORTAL COM (Jim Reavis)]

The one thing I would like to add is that the virus code actually walks
through every available address list and grabs 50 recipients off of each for
a separate message, so if your Outlook client is attached to an Exchange
Server, it will hit the Global Address List and other available containers,
where it may find large distribution lists.

I will shortly have my analysis up at http://securityportal.com/

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis () SecurityPortal com

                -----Original Message-----
                From:   Kuo, Jimmy [mailto:Jimmy_Kuo () NAI COM]
                Sent:   Friday, March 26, 1999 7:01 PM
                To:     BUGTRAQ () NETSPACE ORG
                Subject:        Re: Melissa Macro Virus

                Nate Lawson does a wonderful writeup to which I will make
minor
                clarifications:
                >Here is my analysis of how the virus works.  The McAfee
article aleph1
                >posted neglects to mention that it infects the active
document and
                >Normal.dot

                [Hide face]
                In all the clamor over the spreading aspect, we forgot to
tell people that
                it's a normal macro virus in all other means.  And that if
you don't have
                Outlook, breath calm.  But if you do have Outlook, WATCH
OUT!

                "infects the active document" is redundant.  It's infected.
That's what
                starts this.

                >1.  Check for Word security controls and disable them:
                >    Word 2000
                >        Macro.Security... = FALSE
                >    Word 97
                >        Options.ConfirmConversions = 0
                >        Options.VirusProtection = 0
                >        Options.SaveNormalPrompt = 0

                >2.  See if machine is already infected
                >    Check HKCU\Software\Microsoft\Office\Melissa? for the
string "... by
                >Kwyjibo"

                >3.  If it wasn't already infected, go through the Outlook
addressbook and
                >send mail to the first 50 names

                First 50 names of every addressbook.

                And the kicker?  Look at the first 50 names in your address
books?  How many
                mailing lists are there?

                >    Subject: Important Message From <Full Name>
                >    Body:  Here is that document you asked for... don't
show anyone else
                >;-)

                >    Attachment:  itself, named "list.doc"

                This time.  We have discovered that it was posted to alt.sex
in a file named
                LIST.ZIP.

                >    After sending the mail, add the registry key to disable
further
                >infection.

                Disables future mailings.  Infections can happen again.  But
the email blast
                will happen only the first time, unless you clean the
registry.  So we
                recommend that you do not remove that element of the
registry.

                >4.  Open the Active Document and Normal.dot and infect them
with itself

                >5.  On the way out, check if the current day equals the
current minute.
                >If so, print "Twenty-two points, plus triple-word-score,
plus fifty points
                >for using all my letters.  Game's over.  I'm outta here."

                >It does not appear to do anything malicious other than
shutting down your
                >mail server with tons of mail as users start opening the
attachment.  It
                >appears the virus vendors have a patch out now.  To avoid
infection,
                >disable macros when opening any Word document or just don't
open the
                >attachment.  Thanks to Josh Siegel for sending me the code.

                Good ideas.

                Jimmy Kuo
                Director, AV Research, Network Associates
                (or as he says, McAfee)
                jkuo () nai com