|
PureBytes Links
Trading Reference Links
|
<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>CERT®/CC Frequently Asked Questions About the Melissa Virus</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type><BASE
href=file://C:\Windows\Desktop\melissa\>
<META content="MSHTML 5.00.2014.210" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY aLink=#ddb30b bgColor=#ffffff link=#004a6b vLink=#c7aa05>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width="50%"><IMG
alt="The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University"
height=37 src="/images/cmu_sei.gif" width=239></TD>
<TD align=right vAlign=center width="50%"><IMG align=bottom
alt="Improving Security" height=19 src="/images/improvingsecurity.gif"
width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width=54><IMG alt="" height=1 src="/images/invisible.gif" width=54></TD>
<TD width="18%"><IMG alt="CERT® Coordination Center" height=18
src="/images/certcc_head.gif" width=189></TD>
<TD bgColor=#dcdcdc width="85%">
<P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial"> <A
href="/index.html">Home</A> | What's New
| FAQ | <A
href="/contents/contents.html">Site Contents</A> | <A
href="/contact_cert/contactinfo.html">Contact Us</A>
</FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
<TBODY>
<TR>
<TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
<TD align=left width="100%">
<P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial"
size=1>Alerts | <A
href="/nav/securityimprovement.html">Improving Security</A> | <A
href="/nav/training.html">Training</A> | <A
href="/nav/reports.html">Reports</A> | <A href="/research/">Survivability
Research</A> | About Us | <A
href="/ftp/">FTP Archives</A> | <A href="/nav/other_sources.html">Other
Resources</A></FONT></P></TD></TR>
<TR>
<TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
<TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
<TBODY>
<TR>
<TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1
src="/images/invisible.gif" width=47></TD>
<TD vAlign=top width="100%"></TD></TR>
<TR>
<TD vAlign=top width="100%">
<DIV align=left>
<TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225
width=100>
<TBODY>
<TR>
<TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b
face="Helvetica, Geneva, Arial"><SMALL><SMALL>
<P>Incident Notes
<P>Vulnerability Notes
<P>Security Improvement Modules
<P>Tech Tips
<P>Tools
<P><A href="/other_sources/tool_sources.html">Other sources of
tools</A>
<P>Training
<P>Alerts
</SMALL></SMALL></FONT></P></TD>
<TD rowSpan=2 vAlign=top width=3></TD></TR>
<TR>
<TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV>
<H1>Frequently Asked Questions About the Melissa Virus</H1>
<P>Last Updated: March 31, 1999</P>
<OL><B>
<LI>How many reports have we received? </B>
<P>We have first-hand reports of more than 300 organizations affected,
covering more than 100,000 individual hosts. </P><B>
<LI>Is the damage limited only to denial-of-service? </B>
<P>No. Under some circumstances, confidential documents can be leaked
without the user's knowledge. These circumstances include the use of a
single template file by more than one user, and the transmission of an
infected document to another user who has not previously been infected.
Additionally, if you fail to clean up the virus correctly and completely
(for example, by not cleaning the normal.dot file) you may expose
confidential information at a later time. </P><B>
<LI>What about Papa, and other variants? </B>
<P>We have received reports of other variants of Melissa, including one
named Papa. At the present time, we have not received a significant
number of reports of Papa outbreaks. If you practice antivirus
precautions on a regular basis, you can protect yourself against Papa
and other variants of Melissa. </P><B>
<LI>Are Macro viruses new? </B>
<P>No. According to the Department of Energy's Computer Incident
Advisory Capability (CIAC), macro viruses for Microsoft Word appeared as
early as 1995, with over 1000 variants for Word and other products by
1998. See <A
href="http://www.ciac.org/ciac/bulletins/i-023.shtml";>http://www.ciac.org/ciac/bulletins/i-023.shtml</A>
for more information. </P><B>
<LI>Why was Melissa so serious? </B>
<P>Melissa was different from other macro viruses because of the speed
at which it spread. The first confirmed reports of Melissa were received
on Friday, March 26, 1999. By Monday, March 29, it had reached more than
100,000 computers. Some sites had to take their mail systems off-line.
One site reported receiving 32,000 copies of mail messages containing
Melissa on their systems within 45 minutes. </P><B>
<LI>Are Macro viruses limited to Microsoft Word? </B>
<P>No. Macro viruses can affect other products, including other products
from Microsoft such as Excel and Powerpoint. The Papa virus, for
instance, is reported to be spread via Excel. </P><B>
<LI>Is Melissa a worm? </B>
<P>Melissa requires user interaction to propagate, therefore we do not
consider it a worm. However, Melissa can propagate quickly from one
computer to another with minimal interaction required by the user.
</P><B>
<LI>Does the Melissa virus affect MacOS? </B>
<P>The Melissa virus can infect files stored on and shared with
MacOS-based systems running Word 98. However, when the virus runs on
MacOS systems, it is not able to send electronic mail, and its
propagation will be slower on MacOS systems. </P>
<P></P><B>
<LI>Can I protect myself by marking the normal.dot file read-only? </B>
<P>At best, marking the normal.dot file read only is a stop-gap
protection. On Windows 98/95 systems and on MacOS, viruses can
circumvent the read-only protection. Instead, we recommend setting Word
to prompt the user before making any changes to the normal.dot file if
you are concerned about changes to that file. </P><B>
<LI>How can I protect myself against variants of Melissa? </B>
<P>Disable macros by default. Use caution when operating any product
when macros are enabled. Keep your antivirus products up-to-date. Be
leery of unsolicited documents or executable programs received in
electronic mail. Beware of software that comes from untrusted sources.
</P><B>
<LI>Who wrote Melissa? Why was Melissa written? What crimes has the
author committed? What is the status of the investigation? </B>
<P>The CERT Coordination Center is a technical organization. We
concentrate on the technical aspects of computer security problems. We
have no legal authority and we do not "catch the bad guys."</P><B>
<LI>Can I be affected if I don't use Outlook? </B>
<P>If it is installed, Outlook is used by the virus to send mail.
Otherwise, Melissa behaves like a normal virus: you can infect others by
carelessly sharing files. </P><B>
<LI>I use a mail package other than Outlook. Am I affected? </B>
<P>The mailer you use to read mail doesn't matter. The virus will use
Outlook, if Outlook is installed, to send copies of itself. How you
receive it doesn't matter. </P><B>
<LI>How effective are systems that look at the subject of the mail
message? </B>
<P>Systems that rely solely on pattern matching to recognize the virus
can be used as a stop gap measure to prevent the spread of a particular
virus, but will fail as soon as the virus mutates so that it no longer
matches the pattern. This can be very effective as a short-term fix, but
will not provide long-term protection.</P><B>
<LI>Is Melissa the most dangerous virus possible? </B>
<P>Melissa was relatively non-destructive and easily detected. Variants
could be significantly more destructive or stealthy. We strongly
encourage you to be aware of the risks posed by viruses and other
computer security concerns at all times. </P><B>
<LI>Are you aware of the connection between the Melissa virus and the
television show<I> The Simpsons</I>? </B>
<P>Yes.</P><B>
<LI>What products are affected? </B>
<P>Outlook 98 and Outlook 2000 for Windows platforms can be used to
propagate the virus. Microsoft Word 97 and Word 2000 for Windows and
Word 98 for Macintosh can be used by the virus to infect other
documents. Earlier versions of Word, including Word 95, cannot be used
to infect other documents, nor can Outlook Express on any platform be
used to propagate the virus via email.</P><B>
<LI>Why is it called Melissa? </B>
<P>It was named Melissa by the antivirus software vendors. </P><B>
<LI>Do you have to open the email attachment to be infected?</B>
<P>Yes. To be affected by Melissa and other, similar macro viruses, you
must open the attachment and permit macros to run. You cannot be
affected by Melissa or similar viruses merely by receiving the
email.</P><B>
<LI>If I receive the virus mailed to me by someone, should I notify
them?</B>
<P>Yes. We encourage you to notify them. More information about dealing
with incidents can be found in our Incident Reporting Guidelines at</P>
<P><A
href="/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></P><B>
<LI>I am a novice user and know little about computer language. I read
your virus alert and tried to determine whether or not my Word macros
were disabled. I use Office 97, professional version, and did not find a
way to disable the macro function. However, under the menu options
"Tools/Options/General" I found a checked box that says "Macro virus
protection." Will this option provide adequate protection against the
Melissa macro virus and other, similar viruses?</B>
<P>If this option is checked, Word will give you a warning any time you
open a document that has macros embedded in it. The warning will give
you the opportunity to prevent any macros from running.</P><B>
<LI>Are the Melissa macro virus and Happy99 the same thing?</B>
<P>No. While Melissa is a macro virus, Happy99.exe is a Trojan horse
program. For more information about Happy99.exe, please see Incident
Note IN-99-02 Happy99.exe Trojan Horse at</P>
<P><A
href="/incident_notes/IN-99-02.html">http://www.cert.org/incident_notes/IN-99-02.html</A></P></LI></OL>
<HR noShade width="100%">
This document is available from: <A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>.
<HR noShade width="100%">
<H2>CERT/CC Contact Information</H2>
<DL><B>Email:</B> <A
href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1
412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1
412-268-6989<BR><B>Postal address:</B><BR>
<DD>CERT Coordination Center<BR>Software Engineering
Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA
15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline
08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
call for emergencies during other hours, on U.S. holidays, and on
weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from <A
href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>.
If you prefer to use DES, please call the CERT hotline for more
information.
<H4>Getting security information</H4>CERT publications and other security
information are available from our web site <A
href="http://www.cert.org/";>http://www.cert.org/</A>.
<P>To be added to our mailing list for advisories and bulletins, send
email to <A
href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A>
and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your
message.
<P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use,
disclaimers, and sponsorship information can be found in <A
href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>.
<P>* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
<HR noShade width="100%">
<B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon
University and the Software Engineering Institute is furnished on an "as
is" basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon
University does not make any warranty of any kind with respect to freedom
from patent, trademark, or copyright infringement.</B> <!-- This completes the table started in *_titlebar.html --></TD></TR></TBODY></TABLE></DIV>
<DIV align=left> </DIV>
<DIV align=left>
<DIV
align=left>=====================================================================================================</DIV>
<DIV align=left> </DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width="50%"><IMG
alt="The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University"
height=37 src="file:///C:/images/cmu_sei.gif" width=239></TD>
<TD align=right vAlign=center width="50%"><IMG align=bottom
alt="CERT®/CC Alerts" height=19 src="file:///C:/images/alerts.gif"
width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width=54><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=54></TD>
<TD width="18%"><IMG alt="CERT® Coordination Center" height=18
src="file:///C:/images/certcc_head.gif" width=189></TD>
<TD bgColor=#dcdcdc width="85%">
<P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial"> <A
href="file:///C:/index.html">Home</A> | <A
href="file:///C:/nav/whatsnew.html">What's New</A> | <A
href="file:///C:/faq/cert_faq.html">FAQ</A> | <A
href="file:///C:/contents/contents.html">Site Contents</A> | <A
href="file:///C:/contact_cert/contactinfo.html">Contact Us</A>
</FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
<TBODY>
<TR>
<TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=47></TD>
<TD align=left width="100%">
<P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial"
size=1>Alerts | <A
href="file:///C:/nav/securityimprovement.html">Improving Security</A> | <A
href="file:///C:/nav/training.html">Training</A> | <A
href="file:///C:/nav/reports.html">Reports</A> | <A
href="file:///C:/research/">Survivability Research</A> | <A
href="file:///C:/nav/aboutcert.html">About Us</A> | <A
href="file:///C:/ftp/">FTP Archives</A> | <A
href="file:///C:/nav/other_sources.html">Other
Resources</A></FONT></P></TD></TR>
<TR>
<TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=47></TD>
<TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
<TBODY>
<TR>
<TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1
src="file:///C:/images/invisible.gif" width=47></TD>
<TD vAlign=top width="100%"></TD></TR>
<TR>
<TD vAlign=top width="100%">
<DIV align=left>
<TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225
width=100>
<TBODY>
<TR>
<TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b
face="Helvetica, Geneva, Arial"><SMALL><SMALL>
<P>Advisories
<P>Summaries
<P><A href="file:///C:/ftp/cert_bulletins/">Vendor-Initiated
Bulletins</A>
<P><A href="file:///C:/contact_cert/certmaillist.html">Subscribing
to the CERT Mailing List</A>
<P>Vulnerability Notes
<P>Incident Notes
</SMALL></SMALL></FONT></P></TD>
<TD rowSpan=2 vAlign=top width=3></TD></TR>
<TR>
<TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV><FONT
face="Helvetica, Geneva, Arial"><SMALL>
<H1>CERT<SUP>®</SUP> Advisory CA-99-04-Melissa-Macro-Virus</H1>
<P>Original issue date: Saturday March 27 1999<BR>Last Revised: 3:00 PM
GMT-5 Wednesday March 31, 1999</P>
<H3>Systems Affected</H3>
<P>
<UL>
<LI>Machines with Microsoft Word 97 or Word 2000
<LI>Any mail handling system could experience performance problems or a
denial of service as a result of the propagation of this macro virus.
</LI></UL>
<P></P>
<H3>Overview</H3>At approximately 2:00 PM GMT-5 on Friday March 26 1999 we
began receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.
<P>Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for this
virus to propagate. It is possible that under some mailer configurations,
a user might automatically open an infected document received in the form
of an email attachment. This macro virus is not known to exploit any new
vulnerabilities. While the primary transport mechanism of this virus is
via email, any way of transferring files can also propagate the virus.
<P>Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.
<P>In addition to this advisory, please see the Melissa Virus FAQ
(Frequently Asked Questions) document available at:
<P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
<P>
<H1>I. Description</H1>The Melissa macro virus propagates in the form of
an email message containing an infected Word document as an attachment.
The transport message has most frequently been reported to contain the
following Subject header
<P></P>
<DT>
<DD><PRE>Subject: Important Message From <name>
</PRE>
<P>Where <name> is the full name of the user sending the message.
<P>The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.
<P></P>
<DT>
<DD><PRE>Here is that document you asked for ... don't show anyone else ;-)
</PRE>
<P>The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we are
likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created by
the victim.
<P>When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are enabled.
<P>Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed in the
future.
<P>The macro then checks to see if the registry key
<P></P>
<DT>
<DD><B>"HKEY_Current_User\Software\Microsoft\Office\Melissa?"</B>
<P>has a value of <B>"... by Kwyjibo"</B>. If that registry key does not
exist or does not have a value of <B>"... by Kwyjibo"</B>, the virus
proceeds to propagate itself by sending an email message in the format
described above to the first 50 entries in every Microsoft Outlook MAPI
address book readable by the user executing the macro. Keep in mind that
if any of these email addresses are mailing lists, the message will be
delivered to everyone on the mailing lists. In order to successfully
propagate, the affected machine must have Microsoft Outlook installed;
however, Outlook does not need to be the mailer used to read the message.
<P>This virus can not send mail on systems running MacOS; however, the
virus can be stored on MacOS.
<P>Next, the macro virus sets the value of the registry key to <B>"... by
Kwyjibo"</B>. Setting this registry key causes the virus to only propagate
once per session. If the registry key does not persist through sessions,
the virus will propagate as described above once per every session when a
user opens an infected document. If the registry key persists through
sessions, the virus will no longer attempt to propagate even if the
affected user opens an infected document.
<P>The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly created
Word document will be infected. Because unpatched versions of Word97 may
trust macros in templates the virus may execute without warning. For more
information please see:
<P></P>
<DT>
<DD><A
href="http://www.microsoft.com/security/bulletins/ms99-002.asp";>http://www.microsoft.com/security/bulletins/ms99-002.asp</A>
<P>Finally, if the minute of the hour matches the day of the month at this
point, the macro inserts into the current document the message "Twenty-two
points, plus triple-word-score, plus fifty points for using all my
letters. Game's over. I'm outta here."
<P>Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor Word2000
list the macro. The code is actually VBA (Visual Basic for Applications)
code associated with the "document.open" method. You can see the code by
going into the Visual Basic editor.
<P>If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would appreciate
if you would report any instance of this activity to us according to our
Incident Reporting Guidelines document available at:
<P></P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/incident_reporting.html";>http://www.cert.org/tech_tips/incident_reporting.html</A>
<H1>II. Impact</H1>
<UL>
<LI>Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any documents
referencing this template to be infected with this macro virus. If the
infected document is opened by another user, the document, including the
macro virus, will propagate. Note that this could cause the user's
document to be propagated instead of the original document, and thereby
leak sensitive information.
<P></P>
<LI>Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with their
mail servers as a result of the propagation of this virus. </LI></UL>
<H1>III. Solutions</H1>
<UL>
<LI>
<H2>Block messages with the signature of this virus at your mail
transfer agents or other central point of control.</H2>
<UL>
<LI>
<H3>With Sendmail</H3>
<P>Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain the
Melissa virus. This information is available from the follow URL:
<P>
<DT>
<DD><A
href="http://www.sendmail.com/blockmelissa.html";>http://www.sendmail.com/blockmelissa.html</A>
<P></P></DD>
<LI>
<H3>With John Hardin's Procmail security filter package</H3>More
information is available from:
<P>
<DT>
<DD><A
href="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html";>ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html</A>
<P></P></DD>
<LI>
<H3>With Innosoft's PMDF</H3>More information is available from:
<P>
<DT>
<DD><A
href="http://www.innosoft.com/iii/pmdf/virus-word-emergency.html";>http://www.innosoft.com/iii/pmdf/virus-word-emergency.html</A>
<P></P></DD></LI></UL>
<LI>
<H2>Utilize virus scanners</H2>Most virus scanning tools will detect and
clean macro viruses. In order to detect and clean current viruses you
must keep your scanning tools up to date with the latest definition
files.
<P>
<UL>
<LI>
<H3>Computer Associates</H3>Virus signature versions that detect and
cure melissa virus.
<P>
<TABLE>
<TBODY>
<TR>
<TD>Windows NT 3.x & 4.x</TD>
<TD>4.19d</TD></TR>
<TR>
<TD>Windows 95</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Windows 98</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Windows 3.1</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Netware 3.x, 4.x & 5.0</TD>
<TD>4.19e</TD></TR></TBODY></TABLE>
<P>Any of the above virus signatures files can be downloaded at:
<DT>
<DD><A
href="http://www.support.cai.com/";>http://www.support.cai.com</A>
<P></P></DD>
<LI>
<H3>McAfee / Network Associates</H3>
<DT>
<DD><A
href="http://vil.mcafee.com/vil/vm10118.asp";>http://vil.mcafee.com/vil/vm10118.asp</A>
<DD><A
href="http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp";>http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp</A>
<P></P></DD>
<LI>
<H3>Sophos</H3>
<DT>
<DD><A
href="http://www.sophos.com/downloads/ide/index.html#melissa";>http://www.sophos.com/downloads/ide/index.html#melissa</A>
<P></P></DD>
<LI>
<H3>Symantec</H3>
<DT>
<DD><A
href="http://www.symantec.com/avcenter/venc/data/mailissa.html";>http://www.symantec.com/avcenter/venc/data/mailissa.html</A>
<P></P></DD>
<LI>
<H3>Trend Micro</H3>
<DT>
<DD><A
href="http://housecall.antivirus.com/smex_housecall/technotes.html";>http://housecall.antivirus.com/smex_housecall/technotes.html</A>
<P>
<P></P></DD></LI></UL>
<LI>
<H2>Encourage users at your site to disable macros in Microsoft
Word</H2>Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage users to disable
macros in any product that contains a macro language as this sort of
problem is not limited to Microsoft Word.
<P>In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a security level
variable similar to Internet Explorer (click on Tools/Macro/Security and
choose High, Medium, or Low). In that case, 'High' silently ignores the
VBA code, Medium prompts in the way Word97 does to let you enable or
disable the VBA code, and 'Low' just runs it.
<P>Word2000 supports Authenticode on the VB code. In the 'High' setting
you can specify sites that you trust and code from those sites will run.
<P></P>
<LI>
<H2>General protection from Word Macro Viruses</H2>For information about
macro viruses in general, we encourage you to review the document "Free
Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at.
<P>
<DT>
<DD><A
href="http://www.nai.com/services/support/vr/free.asp";>http://www.nai.com/services/support/vr/free.asp</A>
<P></P></DD></LI></UL>
<H3>Additional Information</H3>
<UL>
<LI>For more information about the Melissa virus please see the Melissa
Virus FAQ (Frequently Asked Questions) document available at:
<P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
<P></P></DD>
<LI>We have received a number of reports from people confusing the
Happy99.exe Trojan Horse with the Melissa virus. For more information
about Happy99.exe please see:
<DT>
<DD><A
href="http://www.cert.org/incident_notes/IN-99-02.html";>http://www.cert.org/incident_notes/IN-99-02.html</A>
<P></P></DD>
<LI>The Department of Energy's Computer Incident Advisory Capability
(CIAC) has published several documents that you may wish to examine.
These are available at available at
<P>
<DT>
<DD><A
href="http://www.ciac.org/ciac/bulletins/j-037.shtml";>http://www.ciac.org/ciac/bulletins/j-037.shtml</A>
<BR>
<DT>
<DD><A
href="http://ciac.llnl.gov/ciac/bulletins/i-023.shtml";>http://ciac.llnl.gov/ciac/bulletins/i-023.shtml</A>
<P></P></DD>
<LI>Microsoft Corporation has published information about this macro
virus. Their document is available from:
<P>
<DT>
<DD><A
href="http://officeupdate.microsoft.com/articles/macroalert.htm";>http://officeupdate.microsoft.com/articles/macroalert.htm</A>
<P></P></DD></LI></UL>
<H3>Acknowledgements</H3>We would like to thank Jimmy Kuo of Network
Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader
of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of
Innosoft, and John Hardin for providing information used in this advisory.
<P>Additionally we would like to thank the many sites who reported this
activity.
<P>
<HR noShade width="100%">
This document is available from: <A
href="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html";>http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</A>.
<HR noShade width="100%">
<H2>CERT/CC Contact Information</H2>
<DL><B>Email:</B> <A
href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1
412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1
412-268-6989<BR><B>Postal address:</B><BR>
<DD>CERT Coordination Center<BR>Software Engineering
Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA
15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline
08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
call for emergencies during other hours, on U.S. holidays, and on
weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from <A
href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>.
If you prefer to use DES, please call the CERT hotline for more
information.
<H4>Getting security information</H4>CERT publications and other security
information are available from our web site <A
href="http://www.cert.org/";>http://www.cert.org/</A>.
<P>To be added to our mailing list for advisories and bulletins, send
email to <A
href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A>
and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your
message.
<P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use,
disclaimers, and sponsorship information can be found in <A
href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>.
<P>* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
<HR noShade width="100%">
<B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon
University and the Software Engineering Institute is furnished on an "as
is" basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon
University does not make any warranty of any kind with respect to freedom
from patent, trademark, or copyright infringement.</B>
<HR width="100%">
Revision History
<P>
<TABLE>
<TBODY>
<TR>
<TD>March 28, 1999:</TD>
<TD>Changed the reference to the sendmail patches from ftp.cert.org
to www.sendmail.com. Added information for Innosoft, Sophos, and
John Hardin's procmail filter kit.</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Formatting changes</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Added information for Computer Associates</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Fixed a broken link</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Added a link to information at Microsoft, added a link to
information about Happy99.exe, added information about MacOS, and
clairfied that only MS Outlook MAPI address books are
involved.</TD></TR>
<TR>
<TD>March 31, 1999:</TD>
<TD>Added links to the Melissa FAQ</TD></TR></TBODY></TABLE><!-- This completes the table started in *_titlebar.html --></P></DD></SMALL></FONT></TD></TR></TBODY></TABLE></DIV></DIV></BODY></HTML>
</x-html>From ???@??? Mon Apr 05 06:39:32 1999
Received: from listserv.equis.com (204.246.137.2)
by mail02.rapidsite.net (RS ver 1.0.2) with SMTP id 3110
for <neal@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 09:27:17 -0400 (EDT)
Received: (from majordom@xxxxxxxxx)
by listserv.equis.com (8.8.7/8.8.7) id UAA03471
for metastock-outgoing; Mon, 5 Apr 1999 20:37:10 -0600
X-Authentication-Warning: listserv.equis.com: majordom set sender to owner-metastock@xxxxxxxxxxxxx using -f
Received: from freeze.metastock.com (freeze.metastock.com [204.246.137.5])
by listserv.equis.com (8.8.7/8.8.7) with ESMTP id UAA03468
for <metastock@xxxxxxxxxxxxxxxxxx>; Mon, 5 Apr 1999 20:37:07 -0600
Received: from smtp02.wxs.nl (smtp02.wxs.nl [195.121.6.60])
by freeze.metastock.com (8.8.5/8.8.5) with ESMTP id GAA01193
for <metastock@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 06:29:21 -0600 (MDT)
Received: from escom ([195.121.39.2]) by smtp02.wxs.nl
(Netscape Messaging Server 3.61) with SMTP id AAA1AB7
for <metastock@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 14:17:00 +0200
Message-ID: <001b01be7f5d$b4797f60$022779c3@xxxxx>
From: "A.J. Maas" <anthmaas@xxxxxx>
To: "Metastock-List" <metastock@xxxxxxxxxxxxx>
Subject: Re: OFF TOPIC Melissa Virus Originator Apprehended - an update
Date: Mon, 5 Apr 1999 13:30:09 +0200
Organization: Ms-IRB
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0013_01BE7F68.6F858420"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-metastock@xxxxxxxxxxxxx
Precedence: bulk
Reply-To: metastock@xxxxxxxxxxxxx
X-Loop-Detect: 1
X-UIDL: 5f6f1a7be6f56f4a575cb8db2cb63d5e.10
<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>CERT®/CC Frequently Asked Questions About the Melissa Virus</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type><BASE
href=file://C:\Windows\Desktop\melissa\>
<META content="MSHTML 5.00.2014.210" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY aLink=#ddb30b bgColor=#ffffff link=#004a6b vLink=#c7aa05>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width="50%"><IMG
alt="The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University"
height=37 src="/images/cmu_sei.gif" width=239></TD>
<TD align=right vAlign=center width="50%"><IMG align=bottom
alt="Improving Security" height=19 src="/images/improvingsecurity.gif"
width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width=54><IMG alt="" height=1 src="/images/invisible.gif" width=54></TD>
<TD width="18%"><IMG alt="CERT® Coordination Center" height=18
src="/images/certcc_head.gif" width=189></TD>
<TD bgColor=#dcdcdc width="85%">
<P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial"> <A
href="/index.html">Home</A> | What's New
| FAQ | <A
href="/contents/contents.html">Site Contents</A> | <A
href="/contact_cert/contactinfo.html">Contact Us</A>
</FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
<TBODY>
<TR>
<TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
<TD align=left width="100%">
<P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial"
size=1>Alerts | <A
href="/nav/securityimprovement.html">Improving Security</A> | <A
href="/nav/training.html">Training</A> | <A
href="/nav/reports.html">Reports</A> | <A href="/research/">Survivability
Research</A> | About Us | <A
href="/ftp/">FTP Archives</A> | <A href="/nav/other_sources.html">Other
Resources</A></FONT></P></TD></TR>
<TR>
<TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
<TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
<TBODY>
<TR>
<TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1
src="/images/invisible.gif" width=47></TD>
<TD vAlign=top width="100%"></TD></TR>
<TR>
<TD vAlign=top width="100%">
<DIV align=left>
<TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225
width=100>
<TBODY>
<TR>
<TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b
face="Helvetica, Geneva, Arial"><SMALL><SMALL>
<P>Incident Notes
<P>Vulnerability Notes
<P>Security Improvement Modules
<P>Tech Tips
<P>Tools
<P><A href="/other_sources/tool_sources.html">Other sources of
tools</A>
<P>Training
<P>Alerts
</SMALL></SMALL></FONT></P></TD>
<TD rowSpan=2 vAlign=top width=3></TD></TR>
<TR>
<TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV>
<H1>Frequently Asked Questions About the Melissa Virus</H1>
<P>Last Updated: March 31, 1999</P>
<OL><B>
<LI>How many reports have we received? </B>
<P>We have first-hand reports of more than 300 organizations affected,
covering more than 100,000 individual hosts. </P><B>
<LI>Is the damage limited only to denial-of-service? </B>
<P>No. Under some circumstances, confidential documents can be leaked
without the user's knowledge. These circumstances include the use of a
single template file by more than one user, and the transmission of an
infected document to another user who has not previously been infected.
Additionally, if you fail to clean up the virus correctly and completely
(for example, by not cleaning the normal.dot file) you may expose
confidential information at a later time. </P><B>
<LI>What about Papa, and other variants? </B>
<P>We have received reports of other variants of Melissa, including one
named Papa. At the present time, we have not received a significant
number of reports of Papa outbreaks. If you practice antivirus
precautions on a regular basis, you can protect yourself against Papa
and other variants of Melissa. </P><B>
<LI>Are Macro viruses new? </B>
<P>No. According to the Department of Energy's Computer Incident
Advisory Capability (CIAC), macro viruses for Microsoft Word appeared as
early as 1995, with over 1000 variants for Word and other products by
1998. See <A
href="http://www.ciac.org/ciac/bulletins/i-023.shtml";>http://www.ciac.org/ciac/bulletins/i-023.shtml</A>
for more information. </P><B>
<LI>Why was Melissa so serious? </B>
<P>Melissa was different from other macro viruses because of the speed
at which it spread. The first confirmed reports of Melissa were received
on Friday, March 26, 1999. By Monday, March 29, it had reached more than
100,000 computers. Some sites had to take their mail systems off-line.
One site reported receiving 32,000 copies of mail messages containing
Melissa on their systems within 45 minutes. </P><B>
<LI>Are Macro viruses limited to Microsoft Word? </B>
<P>No. Macro viruses can affect other products, including other products
from Microsoft such as Excel and Powerpoint. The Papa virus, for
instance, is reported to be spread via Excel. </P><B>
<LI>Is Melissa a worm? </B>
<P>Melissa requires user interaction to propagate, therefore we do not
consider it a worm. However, Melissa can propagate quickly from one
computer to another with minimal interaction required by the user.
</P><B>
<LI>Does the Melissa virus affect MacOS? </B>
<P>The Melissa virus can infect files stored on and shared with
MacOS-based systems running Word 98. However, when the virus runs on
MacOS systems, it is not able to send electronic mail, and its
propagation will be slower on MacOS systems. </P>
<P></P><B>
<LI>Can I protect myself by marking the normal.dot file read-only? </B>
<P>At best, marking the normal.dot file read only is a stop-gap
protection. On Windows 98/95 systems and on MacOS, viruses can
circumvent the read-only protection. Instead, we recommend setting Word
to prompt the user before making any changes to the normal.dot file if
you are concerned about changes to that file. </P><B>
<LI>How can I protect myself against variants of Melissa? </B>
<P>Disable macros by default. Use caution when operating any product
when macros are enabled. Keep your antivirus products up-to-date. Be
leery of unsolicited documents or executable programs received in
electronic mail. Beware of software that comes from untrusted sources.
</P><B>
<LI>Who wrote Melissa? Why was Melissa written? What crimes has the
author committed? What is the status of the investigation? </B>
<P>The CERT Coordination Center is a technical organization. We
concentrate on the technical aspects of computer security problems. We
have no legal authority and we do not "catch the bad guys."</P><B>
<LI>Can I be affected if I don't use Outlook? </B>
<P>If it is installed, Outlook is used by the virus to send mail.
Otherwise, Melissa behaves like a normal virus: you can infect others by
carelessly sharing files. </P><B>
<LI>I use a mail package other than Outlook. Am I affected? </B>
<P>The mailer you use to read mail doesn't matter. The virus will use
Outlook, if Outlook is installed, to send copies of itself. How you
receive it doesn't matter. </P><B>
<LI>How effective are systems that look at the subject of the mail
message? </B>
<P>Systems that rely solely on pattern matching to recognize the virus
can be used as a stop gap measure to prevent the spread of a particular
virus, but will fail as soon as the virus mutates so that it no longer
matches the pattern. This can be very effective as a short-term fix, but
will not provide long-term protection.</P><B>
<LI>Is Melissa the most dangerous virus possible? </B>
<P>Melissa was relatively non-destructive and easily detected. Variants
could be significantly more destructive or stealthy. We strongly
encourage you to be aware of the risks posed by viruses and other
computer security concerns at all times. </P><B>
<LI>Are you aware of the connection between the Melissa virus and the
television show<I> The Simpsons</I>? </B>
<P>Yes.</P><B>
<LI>What products are affected? </B>
<P>Outlook 98 and Outlook 2000 for Windows platforms can be used to
propagate the virus. Microsoft Word 97 and Word 2000 for Windows and
Word 98 for Macintosh can be used by the virus to infect other
documents. Earlier versions of Word, including Word 95, cannot be used
to infect other documents, nor can Outlook Express on any platform be
used to propagate the virus via email.</P><B>
<LI>Why is it called Melissa? </B>
<P>It was named Melissa by the antivirus software vendors. </P><B>
<LI>Do you have to open the email attachment to be infected?</B>
<P>Yes. To be affected by Melissa and other, similar macro viruses, you
must open the attachment and permit macros to run. You cannot be
affected by Melissa or similar viruses merely by receiving the
email.</P><B>
<LI>If I receive the virus mailed to me by someone, should I notify
them?</B>
<P>Yes. We encourage you to notify them. More information about dealing
with incidents can be found in our Incident Reporting Guidelines at</P>
<P><A
href="/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></P><B>
<LI>I am a novice user and know little about computer language. I read
your virus alert and tried to determine whether or not my Word macros
were disabled. I use Office 97, professional version, and did not find a
way to disable the macro function. However, under the menu options
"Tools/Options/General" I found a checked box that says "Macro virus
protection." Will this option provide adequate protection against the
Melissa macro virus and other, similar viruses?</B>
<P>If this option is checked, Word will give you a warning any time you
open a document that has macros embedded in it. The warning will give
you the opportunity to prevent any macros from running.</P><B>
<LI>Are the Melissa macro virus and Happy99 the same thing?</B>
<P>No. While Melissa is a macro virus, Happy99.exe is a Trojan horse
program. For more information about Happy99.exe, please see Incident
Note IN-99-02 Happy99.exe Trojan Horse at</P>
<P><A
href="/incident_notes/IN-99-02.html">http://www.cert.org/incident_notes/IN-99-02.html</A></P></LI></OL>
<HR noShade width="100%">
This document is available from: <A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>.
<HR noShade width="100%">
<H2>CERT/CC Contact Information</H2>
<DL><B>Email:</B> <A
href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1
412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1
412-268-6989<BR><B>Postal address:</B><BR>
<DD>CERT Coordination Center<BR>Software Engineering
Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA
15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline
08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
call for emergencies during other hours, on U.S. holidays, and on
weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from <A
href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>.
If you prefer to use DES, please call the CERT hotline for more
information.
<H4>Getting security information</H4>CERT publications and other security
information are available from our web site <A
href="http://www.cert.org/";>http://www.cert.org/</A>.
<P>To be added to our mailing list for advisories and bulletins, send
email to <A
href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A>
and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your
message.
<P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use,
disclaimers, and sponsorship information can be found in <A
href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>.
<P>* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
<HR noShade width="100%">
<B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon
University and the Software Engineering Institute is furnished on an "as
is" basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon
University does not make any warranty of any kind with respect to freedom
from patent, trademark, or copyright infringement.</B> <!-- This completes the table started in *_titlebar.html --></TD></TR></TBODY></TABLE></DIV>
<DIV align=left> </DIV>
<DIV align=left>
<DIV
align=left>=====================================================================================================</DIV>
<DIV align=left> </DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width="50%"><IMG
alt="The CERT/CC is part of the Software Engineering Institute at Carnegie Mellon University"
height=37 src="file:///C:/images/cmu_sei.gif" width=239></TD>
<TD align=right vAlign=center width="50%"><IMG align=bottom
alt="CERT®/CC Alerts" height=19 src="file:///C:/images/alerts.gif"
width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
<TBODY>
<TR>
<TD width=54><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=54></TD>
<TD width="18%"><IMG alt="CERT® Coordination Center" height=18
src="file:///C:/images/certcc_head.gif" width=189></TD>
<TD bgColor=#dcdcdc width="85%">
<P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial"> <A
href="file:///C:/index.html">Home</A> | <A
href="file:///C:/nav/whatsnew.html">What's New</A> | <A
href="file:///C:/faq/cert_faq.html">FAQ</A> | <A
href="file:///C:/contents/contents.html">Site Contents</A> | <A
href="file:///C:/contact_cert/contactinfo.html">Contact Us</A>
</FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
<TBODY>
<TR>
<TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=47></TD>
<TD align=left width="100%">
<P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial"
size=1>Alerts | <A
href="file:///C:/nav/securityimprovement.html">Improving Security</A> | <A
href="file:///C:/nav/training.html">Training</A> | <A
href="file:///C:/nav/reports.html">Reports</A> | <A
href="file:///C:/research/">Survivability Research</A> | <A
href="file:///C:/nav/aboutcert.html">About Us</A> | <A
href="file:///C:/ftp/">FTP Archives</A> | <A
href="file:///C:/nav/other_sources.html">Other
Resources</A></FONT></P></TD></TR>
<TR>
<TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif"
width=47></TD>
<TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
<TBODY>
<TR>
<TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1
src="file:///C:/images/invisible.gif" width=47></TD>
<TD vAlign=top width="100%"></TD></TR>
<TR>
<TD vAlign=top width="100%">
<DIV align=left>
<TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225
width=100>
<TBODY>
<TR>
<TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b
face="Helvetica, Geneva, Arial"><SMALL><SMALL>
<P>Advisories
<P>Summaries
<P><A href="file:///C:/ftp/cert_bulletins/">Vendor-Initiated
Bulletins</A>
<P><A href="file:///C:/contact_cert/certmaillist.html">Subscribing
to the CERT Mailing List</A>
<P>Vulnerability Notes
<P>Incident Notes
</SMALL></SMALL></FONT></P></TD>
<TD rowSpan=2 vAlign=top width=3></TD></TR>
<TR>
<TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV><FONT
face="Helvetica, Geneva, Arial"><SMALL>
<H1>CERT<SUP>®</SUP> Advisory CA-99-04-Melissa-Macro-Virus</H1>
<P>Original issue date: Saturday March 27 1999<BR>Last Revised: 3:00 PM
GMT-5 Wednesday March 31, 1999</P>
<H3>Systems Affected</H3>
<P>
<UL>
<LI>Machines with Microsoft Word 97 or Word 2000
<LI>Any mail handling system could experience performance problems or a
denial of service as a result of the propagation of this macro virus.
</LI></UL>
<P></P>
<H3>Overview</H3>At approximately 2:00 PM GMT-5 on Friday March 26 1999 we
began receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack
affecting a variety of sites.
<P>Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for this
virus to propagate. It is possible that under some mailer configurations,
a user might automatically open an infected document received in the form
of an email attachment. This macro virus is not known to exploit any new
vulnerabilities. While the primary transport mechanism of this virus is
via email, any way of transferring files can also propagate the virus.
<P>Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.
<P>In addition to this advisory, please see the Melissa Virus FAQ
(Frequently Asked Questions) document available at:
<P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
<P>
<H1>I. Description</H1>The Melissa macro virus propagates in the form of
an email message containing an infected Word document as an attachment.
The transport message has most frequently been reported to contain the
following Subject header
<P></P>
<DT>
<DD><PRE>Subject: Important Message From <name>
</PRE>
<P>Where <name> is the full name of the user sending the message.
<P>The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type: text/plain)
contains the following text.
<P></P>
<DT>
<DD><PRE>Here is that document you asked for ... don't show anyone else ;-)
</PRE>
<P>The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads we are
likely to see documents with other names. In fact, under certain
conditions the virus may generate attachments with documents created by
the victim.
<P>When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are enabled.
<P>Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed in the
future.
<P>The macro then checks to see if the registry key
<P></P>
<DT>
<DD><B>"HKEY_Current_User\Software\Microsoft\Office\Melissa?"</B>
<P>has a value of <B>"... by Kwyjibo"</B>. If that registry key does not
exist or does not have a value of <B>"... by Kwyjibo"</B>, the virus
proceeds to propagate itself by sending an email message in the format
described above to the first 50 entries in every Microsoft Outlook MAPI
address book readable by the user executing the macro. Keep in mind that
if any of these email addresses are mailing lists, the message will be
delivered to everyone on the mailing lists. In order to successfully
propagate, the affected machine must have Microsoft Outlook installed;
however, Outlook does not need to be the mailer used to read the message.
<P>This virus can not send mail on systems running MacOS; however, the
virus can be stored on MacOS.
<P>Next, the macro virus sets the value of the registry key to <B>"... by
Kwyjibo"</B>. Setting this registry key causes the virus to only propagate
once per session. If the registry key does not persist through sessions,
the virus will propagate as described above once per every session when a
user opens an infected document. If the registry key persists through
sessions, the virus will no longer attempt to propagate even if the
affected user opens an infected document.
<P>The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly created
Word document will be infected. Because unpatched versions of Word97 may
trust macros in templates the virus may execute without warning. For more
information please see:
<P></P>
<DT>
<DD><A
href="http://www.microsoft.com/security/bulletins/ms99-002.asp";>http://www.microsoft.com/security/bulletins/ms99-002.asp</A>
<P>Finally, if the minute of the hour matches the day of the month at this
point, the macro inserts into the current document the message "Twenty-two
points, plus triple-word-score, plus fifty points for using all my
letters. Game's over. I'm outta here."
<P>Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor Word2000
list the macro. The code is actually VBA (Visual Basic for Applications)
code associated with the "document.open" method. You can see the code by
going into the Visual Basic editor.
<P>If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would appreciate
if you would report any instance of this activity to us according to our
Incident Reporting Guidelines document available at:
<P></P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/incident_reporting.html";>http://www.cert.org/tech_tips/incident_reporting.html</A>
<H1>II. Impact</H1>
<UL>
<LI>Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any documents
referencing this template to be infected with this macro virus. If the
infected document is opened by another user, the document, including the
macro virus, will propagate. Note that this could cause the user's
document to be propagated instead of the original document, and thereby
leak sensitive information.
<P></P>
<LI>Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with their
mail servers as a result of the propagation of this virus. </LI></UL>
<H1>III. Solutions</H1>
<UL>
<LI>
<H2>Block messages with the signature of this virus at your mail
transfer agents or other central point of control.</H2>
<UL>
<LI>
<H3>With Sendmail</H3>
<P>Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain the
Melissa virus. This information is available from the follow URL:
<P>
<DT>
<DD><A
href="http://www.sendmail.com/blockmelissa.html";>http://www.sendmail.com/blockmelissa.html</A>
<P></P></DD>
<LI>
<H3>With John Hardin's Procmail security filter package</H3>More
information is available from:
<P>
<DT>
<DD><A
href="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html";>ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html</A>
<P></P></DD>
<LI>
<H3>With Innosoft's PMDF</H3>More information is available from:
<P>
<DT>
<DD><A
href="http://www.innosoft.com/iii/pmdf/virus-word-emergency.html";>http://www.innosoft.com/iii/pmdf/virus-word-emergency.html</A>
<P></P></DD></LI></UL>
<LI>
<H2>Utilize virus scanners</H2>Most virus scanning tools will detect and
clean macro viruses. In order to detect and clean current viruses you
must keep your scanning tools up to date with the latest definition
files.
<P>
<UL>
<LI>
<H3>Computer Associates</H3>Virus signature versions that detect and
cure melissa virus.
<P>
<TABLE>
<TBODY>
<TR>
<TD>Windows NT 3.x & 4.x</TD>
<TD>4.19d</TD></TR>
<TR>
<TD>Windows 95</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Windows 98</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Windows 3.1</TD>
<TD>4.19e</TD></TR>
<TR>
<TD>Netware 3.x, 4.x & 5.0</TD>
<TD>4.19e</TD></TR></TBODY></TABLE>
<P>Any of the above virus signatures files can be downloaded at:
<DT>
<DD><A
href="http://www.support.cai.com/";>http://www.support.cai.com</A>
<P></P></DD>
<LI>
<H3>McAfee / Network Associates</H3>
<DT>
<DD><A
href="http://vil.mcafee.com/vil/vm10118.asp";>http://vil.mcafee.com/vil/vm10118.asp</A>
<DD><A
href="http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp";>http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp</A>
<P></P></DD>
<LI>
<H3>Sophos</H3>
<DT>
<DD><A
href="http://www.sophos.com/downloads/ide/index.html#melissa";>http://www.sophos.com/downloads/ide/index.html#melissa</A>
<P></P></DD>
<LI>
<H3>Symantec</H3>
<DT>
<DD><A
href="http://www.symantec.com/avcenter/venc/data/mailissa.html";>http://www.symantec.com/avcenter/venc/data/mailissa.html</A>
<P></P></DD>
<LI>
<H3>Trend Micro</H3>
<DT>
<DD><A
href="http://housecall.antivirus.com/smex_housecall/technotes.html";>http://housecall.antivirus.com/smex_housecall/technotes.html</A>
<P>
<P></P></DD></LI></UL>
<LI>
<H2>Encourage users at your site to disable macros in Microsoft
Word</H2>Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage users to disable
macros in any product that contains a macro language as this sort of
problem is not limited to Microsoft Word.
<P>In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a security level
variable similar to Internet Explorer (click on Tools/Macro/Security and
choose High, Medium, or Low). In that case, 'High' silently ignores the
VBA code, Medium prompts in the way Word97 does to let you enable or
disable the VBA code, and 'Low' just runs it.
<P>Word2000 supports Authenticode on the VB code. In the 'High' setting
you can specify sites that you trust and code from those sites will run.
<P></P>
<LI>
<H2>General protection from Word Macro Viruses</H2>For information about
macro viruses in general, we encourage you to review the document "Free
Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at.
<P>
<DT>
<DD><A
href="http://www.nai.com/services/support/vr/free.asp";>http://www.nai.com/services/support/vr/free.asp</A>
<P></P></DD></LI></UL>
<H3>Additional Information</H3>
<UL>
<LI>For more information about the Melissa virus please see the Melissa
Virus FAQ (Frequently Asked Questions) document available at:
<P>
<DT>
<DD><A
href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>
<P></P></DD>
<LI>We have received a number of reports from people confusing the
Happy99.exe Trojan Horse with the Melissa virus. For more information
about Happy99.exe please see:
<DT>
<DD><A
href="http://www.cert.org/incident_notes/IN-99-02.html";>http://www.cert.org/incident_notes/IN-99-02.html</A>
<P></P></DD>
<LI>The Department of Energy's Computer Incident Advisory Capability
(CIAC) has published several documents that you may wish to examine.
These are available at available at
<P>
<DT>
<DD><A
href="http://www.ciac.org/ciac/bulletins/j-037.shtml";>http://www.ciac.org/ciac/bulletins/j-037.shtml</A>
<BR>
<DT>
<DD><A
href="http://ciac.llnl.gov/ciac/bulletins/i-023.shtml";>http://ciac.llnl.gov/ciac/bulletins/i-023.shtml</A>
<P></P></DD>
<LI>Microsoft Corporation has published information about this macro
virus. Their document is available from:
<P>
<DT>
<DD><A
href="http://officeupdate.microsoft.com/articles/macroalert.htm";>http://officeupdate.microsoft.com/articles/macroalert.htm</A>
<P></P></DD></LI></UL>
<H3>Acknowledgements</H3>We would like to thank Jimmy Kuo of Network
Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader
of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of
Innosoft, and John Hardin for providing information used in this advisory.
<P>Additionally we would like to thank the many sites who reported this
activity.
<P>
<HR noShade width="100%">
This document is available from: <A
href="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html";>http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</A>.
<HR noShade width="100%">
<H2>CERT/CC Contact Information</H2>
<DL><B>Email:</B> <A
href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1
412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1
412-268-6989<BR><B>Postal address:</B><BR>
<DD>CERT Coordination Center<BR>Software Engineering
Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA
15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline
08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on
call for emergencies during other hours, on U.S. holidays, and on
weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from <A
href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>.
If you prefer to use DES, please call the CERT hotline for more
information.
<H4>Getting security information</H4>CERT publications and other security
information are available from our web site <A
href="http://www.cert.org/";>http://www.cert.org/</A>.
<P>To be added to our mailing list for advisories and bulletins, send
email to <A
href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A>
and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your
message.
<P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use,
disclaimers, and sponsorship information can be found in <A
href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>.
<P>* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
<HR noShade width="100%">
<B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon
University and the Software Engineering Institute is furnished on an "as
is" basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or merchantability,
exclusivity or results obtained from use of the material. Carnegie Mellon
University does not make any warranty of any kind with respect to freedom
from patent, trademark, or copyright infringement.</B>
<HR width="100%">
Revision History
<P>
<TABLE>
<TBODY>
<TR>
<TD>March 28, 1999:</TD>
<TD>Changed the reference to the sendmail patches from ftp.cert.org
to www.sendmail.com. Added information for Innosoft, Sophos, and
John Hardin's procmail filter kit.</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Formatting changes</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Added information for Computer Associates</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Fixed a broken link</TD></TR>
<TR>
<TD>March 29, 1999:</TD>
<TD>Added a link to information at Microsoft, added a link to
information about Happy99.exe, added information about MacOS, and
clairfied that only MS Outlook MAPI address books are
involved.</TD></TR>
<TR>
<TD>March 31, 1999:</TD>
<TD>Added links to the Melissa FAQ</TD></TR></TBODY></TABLE><!-- This completes the table started in *_titlebar.html --></P></DD></SMALL></FONT></TD></TR></TBODY></TABLE></DIV></DIV></BODY></HTML>
</x-html>From ???@??? Mon Apr 05 06:40:00 1999
X-Persona: <Fibtrader>
Received: from www36.hway.net (207.158.192.116)
by mail02.rapidsite.net (RS ver 1.0.2) with SMTP id 15207
for <list@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 01:51:08 -0400 (EDT)
Received: (from fibtra@xxxxxxxxx)
by www36.hway.net (8.9.1a/8.9.1) id BAA31005;
Mon, 5 Apr 1999 01:51:08 -0400 (EDT)
Date: Mon, 5 Apr 1999 01:51:08 -0400 (EDT)
Message-Id: <199904050551.BAA31005@xxxxxxxxxxxxxx>
To: list@xxxxxxxxxxxxx
From: list@xxxxxxxxxxxxx
Subject: Your FREE CD Request.
X-Loop-Detect: 1
X-UIDL: 5357a156d1ed45e1f26fb43a8f261b8e.01
Data from input form.
Name : Don Kushnir
Company : Retired
Address : 39 Lake Linnet Close S.E.
City : Calgary
State : Alberta
ZIP/Postal code : T2J 2H9
Country : Canada
Telephone number: 403-278-1692
Email : dkushnir@xxxxxxxxxxxxx
|