https://wiki.preterhuman.net/index.php?title=The_Melissa_macro_virus&feed=atom&action=historyThe Melissa macro virus - Revision history2024-03-29T09:14:41ZRevision history for this page on the wikiMediaWiki 1.35.0https://wiki.preterhuman.net/index.php?title=The_Melissa_macro_virus&diff=18047&oldid=prevNetfreak at 18:41, 4 September 20202020-09-04T18:41:34Z<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 18:41, 4 September 2020</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l277" >Line 277:</td>
<td colspan="2" class="diff-lineno">Line 277:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Category:Security]]</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Category:Security]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:1999]]</ins></div></td></tr>
</table>Netfreakhttps://wiki.preterhuman.net/index.php?title=The_Melissa_macro_virus&diff=11399&oldid=prevNetfreak: Created page with "<pre> http://www.melissavirus.com/ ----------------------------------------------------------------- Date: Mon, 5 Apr 1999 05:01:14 -0700 From: secedu@all.net Subject: Infor..."2019-09-16T05:06:23Z<p>Created page with "<pre> http://www.melissavirus.com/ ----------------------------------------------------------------- Date: Mon, 5 Apr 1999 05:01:14 -0700 From: secedu@all.net Subject: Infor..."</p>
<p><b>New page</b></p><div><pre><br />
http://www.melissavirus.com/ <br />
----------------------------------------------------------------- <br />
Date: Mon, 5 Apr 1999 05:01:14 -0700 <br />
From: secedu@all.net <br />
Subject: Information Security Educators Mailing List 1999-03-30 <br />
---------------------------------------------<br />
From: "Rob Slade, doting grandpa of Ryan and Trevor" <br />
Date: Tue, 30 Mar 1999 16:51:23 -0800<br />
<br />
The Melissa macro virus<br />
A report prepared by Robert M. Slade<br />
<br />
<br />
The following is an attempt to bring together the information about<br />
the Melissa virus. It is taken from the most reliable available<br />
sources. Additional sites have been listed at the end of the article. <br />
I have not added a copyright line to this message in order to allow it<br />
to be used as needed. I will be posting the latest updated version of<br />
this article at http://sun.soci.niu.edu/~rslade/melissa.txt and<br />
http://victoria.tc.ca/techrev/melissa.txt.<br />
<br />
<br />
The virus, generally referred to as W97M.Melissa.A (with some<br />
variations: Symantec, in a rather strained effort to be cute, seems to<br />
be calling it "Mailissa"), is a MS Word macro virus. This means that,<br />
if you don't use Word, you are safe. Completely safe. (Except for<br />
being dependent upon other people who might slow their/your mail<br />
server down. More on that later.) If you need to look at MS Word<br />
documents, there is a document viewer available (free, as it happens)<br />
from Microsoft. This viewer will not execute macros, so it is safe<br />
from infection.<br />
<br />
In the messages about Melissa, there have been many references to the<br />
mythical and non-existent "Good Times" virus. Note that simply<br />
reading the text of a message still cannot infect you. However, note<br />
also that many mailers, in the name of convenience, are becoming more<br />
and more automated, and much of this automation concerns running<br />
attached files for you. As Padgett Peterson, author of one of the<br />
best macro virus protection tools, has stated, "For years we have been<br />
saying you could not get a virus just by opening E-Mail. That bug is<br />
being fixed."<br />
<br />
Melissa does not carry any specifically damaging payload. If the<br />
message is triggered there will be text added to the active document. <br />
The mailout function can cause a large number of messages to be<br />
generated very quickly, and this has caused the shutdown of a number<br />
of corporate mail servers.<br />
<br />
If you have Word set with macros disabled, then the virus will not<br />
activate. However, relying on this protection is a very dangerous<br />
proposition. Previous macro viruses have also killed macro protection<br />
in Word, and this one does as well.<br />
<br />
The name "Melissa" comes from the class module that contains the<br />
virus. The name is also used in the registry flag set by the virus.<br />
<br />
The virus is spread, of course, by infected Word documents. What has<br />
made it the "bug du jour" is that it spreads *itself* via email. We<br />
have known about viruses being spread as attachments to email for a<br />
long time, and have been warning people not to execute attachments (or<br />
read Word documents sent as attachments) if you don't know where they<br />
came from. Happy99 is a good example: it has spread very widely in<br />
the past month by sending itself out as an email attachment whenever<br />
it infects a system.<br />
<br />
Melissa was originally posted to the alt.sex newsgroup. At that time<br />
it was LIST.DOC, and purported to be a list of passwords for sex<br />
sites. I have seen at least one message theorizing that Melissa is<br />
someone's ill-conceived punishment for viewers of pornography. This<br />
hypothesis is extremely unlikely. Sending a virus to a sex related<br />
newsgroup seems to be a reliable way to ensure that a number of stupid<br />
people will read and/or execute your program, and start your new virus<br />
off with a bang. (No pun intended.)<br />
<br />
If you get a message with a Melissa infected document, and do whatever<br />
you need to do to "invoke" the attachment, and have Word on your<br />
system as the default program for .doc files, Word starts up, reads in<br />
the document, and the macro is ready to start. If you have Word's<br />
"macro security" enabled (which is not the default) it will tell you<br />
that there is a macro in the document. Few people understand the<br />
import of the warning, and there is no distinction between legitimate<br />
macros and macro viruses.<br />
<br />
Because of a technical difference between normal macros and "VBA<br />
objects," if you ask for a list of the macros in the document, Melissa<br />
will not show up. It will be visible if you use the Visual Basic<br />
Editor, but only after you have loaded the infected file.<br />
<br />
Assuming that the macro starts executing, several things happen.<br />
<br />
The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word<br />
9) is running. If so, it reduces the level of the security warnings<br />
on Word so that you will receive no future warnings. In Word97, the<br />
virus disables the Tools/Macro menu commands, the Confirm Conversions<br />
option, the MS Word macro virus protection, and the Save Normal<br />
Template prompt. It "upconverts" to Word 2000 quite nicely, and there<br />
disables the Tools/Macro/Security menu.<br />
<br />
Specifically, under Word 97 it blocks access to the Tools|Macro menu<br />
item, meaning you cannot check any macros. It also turns off the<br />
warnings for conversion, macro detection, and to save modifications to<br />
the NORMAL.DOT file. Under Word 2000 it blocks access to the menu<br />
item that allows you to raise your security level, and sets your macro<br />
virus detection to the lowest level, that is, none. (Since the access<br />
to the macro security menu item is blocked, I do not know how this<br />
feature can be reversed, other than programmatically or by<br />
reinstallation.)<br />
<br />
After this, the virus checks for the<br />
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key<br />
with a value of "... by Kwyjibo". (The "kwyjibo" entry seems to be a<br />
reference to the "Bart the Genius" episode of the "Simpsons"<br />
television program where this word was used to win a Scrabble match.)<br />
<br />
If this is the first time you have been infected (and this "first<br />
time" business is slightly complicated), then the macro starts up<br />
Outlook, in the background, and sends itself as an attachment to the<br />
"top" 50 names in *each* of your address lists. (Melissa will *not*<br />
use Outlook Express.) Most people have only one (the default is<br />
"Contacts"), but if you have more than one then Outlook will send more<br />
than 50 copies of the message. Outlook also sorts address lists such<br />
that mailing lists are at the top of the list, so this can get a much<br />
wider dispersal than just fifty copies of the message/virus. There<br />
was also a mention on one message about MAPI and Exchange servers,<br />
which may give access to a very large number of mailing lists. From<br />
other reports, though, people who use Exchange mail server are being<br />
particularly hard hit. Then again, people who use Exchange are<br />
probably also standardized on Word and Outlook.<br />
<br />
Some have suggested setting this registry key as a preventative<br />
measure, but note that it only prevents the mailout. It does not<br />
prevent infection. If you are infected, and the registry key is<br />
removed at a later date, then a mailout will be triggered the next<br />
time an infected document is read.<br />
<br />
Once the messages have been sent, the virus sets the Melissa flag in<br />
the registry, and looks for it to check whether or not to send itself<br />
out on subsequent infections. If the flag does not persist, then<br />
there will be subsequent mass mailings. Because the key is set in<br />
HKEY_CURRENT_USER, system administrators may have set permissions such<br />
that changes made are not saved, and thus the key will not persist. <br />
In addition, multiple users on the same machine will likely each<br />
trigger a separate mailout, and the probability of cross infection on<br />
a common machine is very high.<br />
<br />
Since it is a macro virus, it will infect your NORMAL.DOT, and will<br />
infect all documents thereafter. The macro within NORMAL.DOT is<br />
"Document_Close()" so that any document that is worked on will be<br />
infected when it is closed. When a document is infected the macro<br />
inserted is "Document_Open()" so that the macro runs when the document<br />
is opened.<br />
<br />
Note that *not* using Outlook does not protect you from the virus, it<br />
only means that the 50 copies will not be automatically sent out. If<br />
you use Word but not Outlook, you will still be infected, and may<br />
still send out infected documents on your own. The virus also will<br />
not invoke the mailout on Mac systems, but definitely can be stored<br />
and resent from Macs. At this time I do not have reliable information<br />
about whether it can reproduce on Macs (there is one report that it<br />
does), but the likelihood is that it can.<br />
<br />
Vesselin Bontchev has noted that the virus never explicitly terminates<br />
the Outlook program. It is possible that multiple copies may be<br />
invoked, and may create memory problems. However, this has not been<br />
confirmed, and is not probable given the "first time" flag that is<br />
set.<br />
<br />
The message appears to come from the person just infected, of course,<br />
since it really is sent from that machine. This means that when you<br />
get an "infected" message it will probably appear to come from someone<br />
you know and deal with. The subject line is "Important Message From:<br />
[name of sender]" with the name taken from the registration settings<br />
in Word. The text of the body states "Here is that document you asked<br />
for ... don't show anyone else ;-)". Thus, the message is easily<br />
identifiable: that subject line, the very brief message, and an<br />
attached Word document (file with a .doc extension to the filename). <br />
If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH<br />
WORD!* If you do not have alternate means or competent virus<br />
assistance, the best recourse is to delete the message, and<br />
attachment, and to send a message to the sender alerting them to the<br />
fact that they are, very likely, infected. Please note all the<br />
specifics in this paragraph, and do not start a panic by sending<br />
warnings to everyone who sends you any message with an attachment.<br />
<br />
However, please also note that, as with any Word macro virus, the<br />
source code travels with the infection, and it will be very easy to<br />
create modifications to Melissa. (The source code has already been<br />
posted to one Web site.) We will, no doubt very soon, start seeing<br />
many Melissa variants with different subjects and messages. There is<br />
already one similar Excel macro virus, called "Papa." The virus<br />
contains the text "Fred Cohen" and "all.net," leading one rather<br />
ignorant reporter to assume that Fred was the author. Dr. Cohen was<br />
the first person to do formal research into viral programs.<br />
<br />
There is a message that is displayed approximately one time in sixty. <br />
The exact trigger is if the current system time minute field matches<br />
the current system time day of the month field when the virus is run. <br />
In that case, you will have "Twenty-two points, plus triple-word-score,<br />
plus fifty points for using all my letters. Game's over. I'm outta<br />
here." typed into your document. (This is another reference to the<br />
"Simpsons" episode referred to earlier.)<br />
<br />
One rather important point: the document passed is the active<br />
document, not necessarily the original posted on alt.sex. So, for<br />
example, if I am infected, and prepare some confidential information<br />
for you in Word, and send you an attachment with the Word document,<br />
containing sensitive information that neither you nor I want made<br />
public (say, the fact that Bill Gates is a jerk for having designed<br />
the technology this way), and you read it in Word, and you have<br />
Outlook on your machine, then that document will be mailed out to the<br />
top 50 people in your address book.<br />
<br />
Rather ironically, a clue to the identity of the perpetrator may have<br />
come from the identification number embedding scheme recently admitted<br />
by Microsoft as having been included with Office and Windows 98.<br />
<br />
A number of fixes for mail servers and mail filtering systems have<br />
been devised very quickly. However, note that not all of these have<br />
been fully tested or debugged. One version that I saw would trap most of<br />
the warning messages about Melissa.<br />
<br />
Note that any Word document can be infected, and that an infected user<br />
may unintentionally send you an infected document. All Word<br />
documents, and indeed all Office files, should be checked for<br />
infection before you load them.<br />
<br />
<br />
Information and antiviral updates (some URLs are wrapped):<br />
<br />
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html<br />
<br />
http://www.ciac.org/ciac/bulletins/j-037.shtml<br />
<br />
ftp://ftp.complex.is/pub/macrdef2.zip<br />
<br />
http://www.complex.is/f-prot/f-prot.html<br />
<br />
http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/<br />
news/0,4586,2233030,00.html<br />
<br />
http://www.zdnet.com/zdnn/special/melissavirus.html<br />
<br />
http://www.symantec.com/techsupp/mailissa.html <br />
<br />
http://www.antivirus.com/vinfo/security/sa032699.htm<br />
<br />
http://www.avp.com/melissa/melissa.html<br />
<br />
http://www.microsoft.com/security/bulletins/ms99-002.asp<br />
<br />
http://www.sendmail.com/blockmelissa.html<br />
<br />
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html<br />
<br />
http://www.innosoft.com/iii/pmdf/virus-word-emergency.html<br />
<br />
http://www.sophos.com/downloads/ide/index.html#melissa <br />
<br />
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp<br />
<br />
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302<br />
<br />
http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html<br />
<br />
http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/<br />
<br />
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308<br />
<br />
<br />
====================== (quote inserted randomly by Pegasus Mailer)<br />
rslade@vcn.bc.ca rslade@sprint.ca robertslade@usa.net p1@canada.com<br />
AV tutorial : http://victoria.tc.ca/techrev/mnvrcv.htm<br />
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade<br />
---------------------------------------------<br />
</pre><br />
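Added example, not part of the report or of the wiki page: a Python mail check that flags a message only when all three identifying features the report lists are present (the subject prefix, the body sentence, and a .doc attachment), set beside a hypothetical keyword filter of the kind that would trap warning messages about Melissa. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the report (matched case-insensitively).
SUBJECT_PREFIX = "important message from:"
BODY_MARKER = "here is that document you asked for"

def looks_like_melissa(raw: bytes) -> bool:
    """Flag a message only if subject, body text and .doc attachment all match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    if not subject.startswith(SUBJECT_PREFIX):
        return False
    has_doc = body_hit = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_filename() or "").lower().endswith(".doc"):
            has_doc = True
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so a wrapped body line still matches.
            text = " ".join(part.get_content().lower().split())
            body_hit = body_hit or BODY_MARKER in text
    return has_doc and body_hit

def keyword_filter(raw: bytes) -> bool:
    """Hypothetical naive filter: blocks anything that mentions the name."""
    return b"melissa" in raw.lower()

def build(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message (all addresses and content are made up)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_bytes()

SUSPECT = build("Important Message From: Alice Example",
                "Here is that document you asked for ... don't show anyone else ;-)",
                "list.doc")
WARNING = build("Melissa virus warning",
                "Watch for the subject 'Important Message From: [name]' with a .doc.")
ORDINARY = build("Quarterly report", "Draft attached.", "report.doc")

if __name__ == "__main__":
    for name, raw in [("suspect", SUSPECT), ("warning", WARNING), ("ordinary", ORDINARY)]:
        print(name, looks_like_melissa(raw), keyword_filter(raw))
```

The keyword filter blocks the constructed warning and passes the constructed suspect message, while the three-indicator check does the opposite. The report expects variants with different subjects and messages, so a fixed-string check like this covers only the original message form.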
<br />
<br />
[[Category:Security]]</div>Netfreak