[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OFF TOPIC Melissa Virus Originator Apprehended - an update


  • To: "Metastock-List" <metastock@xxxxxxxxxxxxx>
  • Subject: Re: OFF TOPIC Melissa Virus Originator Apprehended - an update
  • From: "A.J. Maas" <anthmaas@xxxxxx>
  • Date: Mon, 5 Apr 1999 09:27:17 -0400 (EDT)

PureBytes Links

Trading Reference Links

<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>CERT®/CC Frequently Asked Questions About the Melissa Virus</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type><BASE 
href=file://C:\Windows\Desktop\melissa\>
<META content="MSHTML 5.00.2014.210" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY aLink=#ddb30b bgColor=#ffffff link=#004a6b vLink=#c7aa05>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width="50%"><IMG 
      alt="The CERT/CC is&#10;    part of the Software Engineering Institute at Carnegie Mellon University" 
      height=37 src="/images/cmu_sei.gif" width=239></TD>
    <TD align=right vAlign=center width="50%"><IMG align=bottom 
      alt="Improving Security" height=19 src="/images/improvingsecurity.gif" 
      width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width=54><IMG alt="" height=1 src="/images/invisible.gif" width=54></TD>
    <TD width="18%"><IMG alt="CERT® Coordination Center" height=18 
      src="/images/certcc_head.gif" width=189></TD>
    <TD bgColor=#dcdcdc width="85%">
      <P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial">&nbsp;<A 
      href="/index.html">Home</A> | What's New 
      | FAQ | <A 
      href="/contents/contents.html">Site Contents</A> | <A 
      href="/contact_cert/contactinfo.html">Contact Us</A> 
      </FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
  <TBODY>
  <TR>
    <TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
    <TD align=left width="100%">
      <P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial" 
      size=1>Alerts | <A 
      href="/nav/securityimprovement.html">Improving Security</A> | <A 
      href="/nav/training.html">Training</A> | <A 
      href="/nav/reports.html">Reports</A> | <A href="/research/">Survivability 
      Research</A> | About Us | <A 
      href="/ftp/">FTP Archives</A> | <A href="/nav/other_sources.html">Other 
      Resources</A></FONT></P></TD></TR>
  <TR>
    <TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
    <TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
  <TBODY>
  <TR>
    <TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1 
      src="/images/invisible.gif" width=47></TD>
    <TD vAlign=top width="100%"></TD></TR>
  <TR>
    <TD vAlign=top width="100%">
      <DIV align=left>
      <TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225 
      width=100>
        <TBODY>
        <TR>
          <TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b 
            face="Helvetica, Geneva, Arial"><SMALL><SMALL>
            <P>Incident Notes 
            <P>Vulnerability Notes 
            <P>Security Improvement Modules 

            <P>Tech Tips 
            <P>Tools 
            <P><A href="/other_sources/tool_sources.html">Other sources of 
            tools</A> 
            <P>Training 
            <P>Alerts 
          </SMALL></SMALL></FONT></P></TD>
          <TD rowSpan=2 vAlign=top width=3></TD></TR>
        <TR>
          <TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV>
      <H1>Frequently Asked Questions About the Melissa Virus</H1>
      <P>Last Updated: March 31, 1999</P>
      <OL><B>
        <LI>How many reports have we received? </B>
        <P>We have first-hand reports of more than 300 organizations affected, 
        covering more than 100,000 individual hosts. </P><B>
        <LI>Is the damage limited only to denial-of-service? </B>
        <P>No. Under some circumstances, confidential documents can be leaked 
        without the user's knowledge. These circumstances include the use of a 
        single template file by more than one user, and the transmission of an 
        infected document to another user who has not previously been infected. 
        Additionally, if you fail to clean up the virus correctly and completely 
        (for example, by not cleaning the normal.dot file) you may expose 
        confidential information at a later time. </P><B>
        <LI>What about Papa, and other variants? </B>
        <P>We have received reports of other variants of Melissa, including one 
        named Papa. At the present time, we have not received a significant 
        number of reports of Papa outbreaks. If you practice antivirus 
        precautions on a regular basis, you can protect yourself against Papa 
        and other variants of Melissa. </P><B>
        <LI>Are Macro viruses new? </B>
        <P>No. According to the Department of Energy's Computer Incident 
        Advisory Capability (CIAC), macro viruses for Microsoft Word appeared as 
        early as 1995, with over 1000 variants for Word and other products by 
        1998. See <A 
        href="http://www.ciac.org/ciac/bulletins/i-023.shtml";>http://www.ciac.org/ciac/bulletins/i-023.shtml</A> 
        for more information. </P><B>
        <LI>Why was Melissa so serious? </B>
        <P>Melissa was different from other macro viruses because of the speed 
        at which it spread. The first confirmed reports of Melissa were received 
        on Friday, March 26, 1999. By Monday, March 29, it had reached more than 
        100,000 computers. Some sites had to take their mail systems off-line. 
        One site reported receiving 32,000 copies of mail messages containing 
        Melissa on their systems within 45 minutes. </P><B>
        <LI>Are Macro viruses limited to Microsoft Word? </B>
        <P>No. Macro viruses can affect other products, including other products 
        from Microsoft such as Excel and Powerpoint. The Papa virus, for 
        instance, is reported to be spread via Excel. </P><B>
        <LI>Is Melissa a worm? </B>
        <P>Melissa requires user interaction to propagate, therefore we do not 
        consider it a worm. However, Melissa can propagate quickly from one 
        computer to another with minimal interaction required by the user. 
        </P><B>
        <LI>Does the Melissa virus affect MacOS? </B>
        <P>The Melissa virus can infect files stored on and shared with 
        MacOS-based systems running Word 98. However, when the virus runs on 
        MacOS systems, it is not able to send electronic mail, and its 
        propagation will be slower on MacOS systems. </P>
        <P></P><B>
        <LI>Can I protect myself by marking the normal.dot file read-only? </B>
        <P>At best, marking the normal.dot file read only is a stop-gap 
        protection. On Windows 98/95 systems and on MacOS, viruses can 
        circumvent the read-only protection. Instead, we recommend setting Word 
        to prompt the user before making any changes to the normal.dot file if 
        you are concerned about changes to that file. </P><B>
        <LI>How can I protect myself against variants of Melissa? </B>
        <P>Disable macros by default. Use caution when operating any product 
        when macros are enabled. Keep your antivirus products up-to-date. Be 
        leery of unsolicited documents or executable programs received in 
        electronic mail. Beware of software that comes from untrusted sources. 
        </P><B>
        <LI>Who wrote Melissa? Why was Melissa written? What crimes has the 
        author committed? What is the status of the investigation? </B>
        <P>The CERT Coordination Center is a technical organization. We 
        concentrate on the technical aspects of computer security problems. We 
        have no legal authority and we do not "catch the bad guys."</P><B>
        <LI>Can I be affected if I don't use Outlook? </B>
        <P>If it is installed, Outlook is used by the virus to send mail. 
        Otherwise, Melissa behaves like a normal virus: you can infect others by 
        carelessly sharing files. </P><B>
        <LI>I use a mail package other than Outlook. Am I affected? </B>
        <P>The mailer you use to read mail doesn't matter. The virus will use 
        Outlook, if Outlook is installed, to send copies of itself. How you 
        receive it doesn't matter. </P><B>
        <LI>How effective are systems that look at the subject of the mail 
        message? </B>
        <P>Systems that rely solely on pattern matching to recognize the virus 
        can be used as a stop gap measure to prevent the spread of a particular 
        virus, but will fail as soon as the virus mutates so that it no longer 
        matches the pattern. This can be very effective as a short-term fix, but 
        will not provide long-term protection.</P><B>
        <LI>Is Melissa the most dangerous virus possible? </B>
        <P>Melissa was relatively non-destructive and easily detected. Variants 
        could be significantly more destructive or stealthy. We strongly 
        encourage you to be aware of the risks posed by viruses and other 
        computer security concerns at all times. </P><B>
        <LI>Are you aware of the connection between the Melissa virus and the 
        television show<I> The Simpsons</I>? </B>
        <P>Yes.</P><B>
        <LI>What products are affected? </B>
        <P>Outlook 98 and Outlook 2000 for Windows platforms can be used to 
        propagate the virus. Microsoft Word 97 and Word 2000 for Windows and 
        Word 98 for Macintosh can be used by the virus to infect other 
        documents. Earlier versions of Word, including Word 95, cannot be used 
        to infect other documents, nor can Outlook Express on any platform be 
        used to propagate the virus via email.</P><B>
        <LI>Why is it called Melissa? </B>
        <P>It was named Melissa by the antivirus software vendors. </P><B>
        <LI>Do you have to open the email attachment to be infected?</B> 
        <P>Yes. To be affected by Melissa and other, similar macro viruses, you 
        must open the attachment and permit macros to run. You cannot be 
        affected by Melissa or similar viruses merely by receiving the 
        email.</P><B>
        <LI>If I receive the virus mailed to me by someone, should I notify 
        them?</B> 
        <P>Yes. We encourage you to notify them. More information about dealing 
        with incidents can be found in our Incident Reporting Guidelines at</P>
        <P><A 
        href="/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></P><B>
        <LI>I am a novice user and know little about computer language. I read 
        your virus alert and tried to determine whether or not my Word macros 
        were disabled. I use Office 97, professional version, and did not find a 
        way to disable the macro function. However, under the menu options 
        "Tools/Options/General" I found a checked box that says "Macro virus 
        protection." Will this option provide adequate protection against the 
        Melissa macro virus and other, similar viruses?</B> 
        <P>If this option is checked, Word will give you a warning any time you 
        open a document that has macros embedded in it. The warning will give 
        you the opportunity to prevent any macros from running.</P><B>
        <LI>Are the Melissa macro virus and Happy99 the same thing?</B> 
        <P>No. While Melissa is a macro virus, Happy99.exe is a Trojan horse 
        program. For more information about Happy99.exe, please see Incident 
        Note IN-99-02 Happy99.exe Trojan Horse at</P>
        <P><A 
        href="/incident_notes/IN-99-02.html">http://www.cert.org/incident_notes/IN-99-02.html</A></P></LI></OL>
      <HR noShade width="100%">
      This document is available from: <A 
      href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>. 

      <HR noShade width="100%">

      <H2>CERT/CC Contact Information</H2>
      <DL><B>Email:</B> <A 
        href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1 
        412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1 
        412-268-6989<BR><B>Postal address:</B><BR>
        <DD>CERT Coordination Center<BR>Software Engineering 
        Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA 
        15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline 
      08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on 
      call for emergencies during other hours, on U.S. holidays, and on 
      weekends. 
      <P>
      <H4>Using encryption</H4>
      <P>We strongly urge you to encrypt sensitive information sent by email. 
      Our public PGP key is available from <A 
      href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>. 
      If you prefer to use DES, please call the CERT hotline for more 
      information. 
      <H4>Getting security information</H4>CERT publications and other security 
      information are available from our web site <A 
      href="http://www.cert.org/";>http://www.cert.org/</A>. 
      <P>To be added to our mailing list for advisories and bulletins, send 
      email to <A 
      href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A> 
      and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your 
      message. 
      <P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use, 
      disclaimers, and sponsorship information can be found in <A 
      href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>. 

      <P>* "CERT" and "CERT Coordination Center" are registered in the U.S. 
      Patent and Trademark Office 
      <HR noShade width="100%">
      <B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon 
      University and the Software Engineering Institute is furnished on an "as 
      is" basis. Carnegie Mellon University makes no warranties of any kind, 
      either expressed or implied as to any matter including, but not limited 
      to, warranty of fitness for a particular purpose or merchantability, 
      exclusivity or results obtained from use of the material. Carnegie Mellon 
      University does not make any warranty of any kind with respect to freedom 
      from patent, trademark, or copyright infringement.</B> <!-- This completes the table started in *_titlebar.html --></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>&nbsp;</DIV>
<DIV align=left>
<DIV 
align=left>=====================================================================================================</DIV>
<DIV align=left>&nbsp;</DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width="50%"><IMG 
      alt="The CERT/CC is&#10;    part of the Software Engineering Institute at Carnegie Mellon University" 
      height=37 src="file:///C:/images/cmu_sei.gif" width=239></TD>
    <TD align=right vAlign=center width="50%"><IMG align=bottom 
      alt="CERT®/CC Alerts" height=19 src="file:///C:/images/alerts.gif" 
      width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width=54><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=54></TD>
    <TD width="18%"><IMG alt="CERT® Coordination Center" height=18 
      src="file:///C:/images/certcc_head.gif" width=189></TD>
    <TD bgColor=#dcdcdc width="85%">
      <P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial">&nbsp;<A 
      href="file:///C:/index.html">Home</A> | <A 
      href="file:///C:/nav/whatsnew.html">What's New</A> | <A 
      href="file:///C:/faq/cert_faq.html">FAQ</A> | <A 
      href="file:///C:/contents/contents.html">Site Contents</A> | <A 
      href="file:///C:/contact_cert/contactinfo.html">Contact Us</A> 
      </FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
  <TBODY>
  <TR>
    <TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=47></TD>
    <TD align=left width="100%">
      <P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial" 
      size=1>Alerts | <A 
      href="file:///C:/nav/securityimprovement.html">Improving Security</A> | <A 
      href="file:///C:/nav/training.html">Training</A> | <A 
      href="file:///C:/nav/reports.html">Reports</A> | <A 
      href="file:///C:/research/">Survivability Research</A> | <A 
      href="file:///C:/nav/aboutcert.html">About Us</A> | <A 
      href="file:///C:/ftp/">FTP Archives</A> | <A 
      href="file:///C:/nav/other_sources.html">Other 
  Resources</A></FONT></P></TD></TR>
  <TR>
    <TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=47></TD>
    <TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
  <TBODY>
  <TR>
    <TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1 
      src="file:///C:/images/invisible.gif" width=47></TD>
    <TD vAlign=top width="100%"></TD></TR>
  <TR>
    <TD vAlign=top width="100%">
      <DIV align=left>
      <TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225 
      width=100>
        <TBODY>
        <TR>
          <TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b 
            face="Helvetica, Geneva, Arial"><SMALL><SMALL>
            <P>Advisories 
            <P>Summaries 
            <P><A href="file:///C:/ftp/cert_bulletins/">Vendor-Initiated 
            Bulletins</A> 
            <P><A href="file:///C:/contact_cert/certmaillist.html">Subscribing 
            to the CERT Mailing List</A> 
            <P>Vulnerability Notes 
            <P>Incident Notes 
            </SMALL></SMALL></FONT></P></TD>
          <TD rowSpan=2 vAlign=top width=3></TD></TR>
        <TR>
          <TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV><FONT 
      face="Helvetica, Geneva, Arial"><SMALL>
      <H1>CERT<SUP>®</SUP> Advisory CA-99-04-Melissa-Macro-Virus</H1>
      <P>Original issue date: Saturday March 27 1999<BR>Last Revised: 3:00 PM 
      GMT-5 Wednesday March 31, 1999</P>
      <H3>Systems Affected</H3>
      <P>
      <UL>
        <LI>Machines with Microsoft Word 97 or Word 2000 
        <LI>Any mail handling system could experience performance problems or a 
        denial of service as a result of the propagation of this macro virus. 
        </LI></UL>
      <P></P>
      <H3>Overview</H3>At approximately 2:00 PM GMT-5 on Friday March 26 1999 we 
      began receiving reports of a Microsoft Word 97 and Word 2000 macro virus 
      which is propagating via email attachments. The number and variety of 
      reports we have received indicate that this is a widespread attack 
      affecting a variety of sites. 
      <P>Our analysis of this macro virus indicates that human action (in the 
      form of a user opening an infected Word document) is required for this 
      virus to propagate. It is possible that under some mailer configurations, 
      a user might automatically open an infected document received in the form 
      of an email attachment. This macro virus is not known to exploit any new 
      vulnerabilities. While the primary transport mechanism of this virus is 
      via email, any way of transferring files can also propagate the virus. 
      <P>Anti-virus software vendors have called this macro virus the Melissa 
      macro or W97M_Melissa virus. 
      <P>In addition to this advisory, please see the Melissa Virus FAQ 
      (Frequently Asked Questions) document available at: 
      <P>
      <DT>
      <DD><A 
      href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A> 

      <P>
      <H1>I. Description</H1>The Melissa macro virus propagates in the form of 
      an email message containing an infected Word document as an attachment. 
      The transport message has most frequently been reported to contain the 
      following Subject header 
      <P></P>
      <DT>
      <DD><PRE>Subject: Important Message From &lt;name&gt;
</PRE>
      <P>Where &lt;name&gt; is the full name of the user sending the message. 
      <P>The body of the message is a multipart MIME message containing two 
      sections. The first section of the message (Content-Type: text/plain) 
      contains the following text. 
      <P></P>
      <DT>
      <DD><PRE>Here is that document you asked for ... don't show anyone else ;-)
</PRE>
      <P>The next section (Content-Type: application/msword) was initially 
      reported to be a document called "list.doc". This document contains 
      references to pornographic web sites. As this macro virus spreads we are 
      likely to see documents with other names. In fact, under certain 
      conditions the virus may generate attachments with documents created by 
      the victim. 
      <P>When a user opens an infected .doc file with Microsoft Word97 or 
      Word2000, the macro virus is immediately executed if macros are enabled. 
      <P>Upon execution, the virus first lowers the macro security settings to 
      permit all macros to run when documents are opened in the future. 
      Therefore, the user will not be notified when the virus is executed in the 
      future. 
      <P>The macro then checks to see if the registry key 
      <P></P>
      <DT>
      <DD><B>"HKEY_Current_User\Software\Microsoft\Office\Melissa?"</B> 
      <P>has a value of <B>"... by Kwyjibo"</B>. If that registry key does not 
      exist or does not have a value of <B>"... by Kwyjibo"</B>, the virus 
      proceeds to propagate itself by sending an email message in the format 
      described above to the first 50 entries in every Microsoft Outlook MAPI 
      address book readable by the user executing the macro. Keep in mind that 
      if any of these email addresses are mailing lists, the message will be 
      delivered to everyone on the mailing lists. In order to successfully 
      propagate, the affected machine must have Microsoft Outlook installed; 
      however, Outlook does not need to be the mailer used to read the message. 
      <P>This virus can not send mail on systems running MacOS; however, the 
      virus can be stored on MacOS. 
      <P>Next, the macro virus sets the value of the registry key to <B>"... by 
      Kwyjibo"</B>. Setting this registry key causes the virus to only propagate 
      once per session. If the registry key does not persist through sessions, 
      the virus will propagate as described above once per every session when a 
      user opens an infected document. If the registry key persists through 
      sessions, the virus will no longer attempt to propagate even if the 
      affected user opens an infected document. 
      <P>The macro then infects the Normal.dot template file. By default, all 
      Word documents utilize the Normal.dot template; thus, any newly created 
      Word document will be infected. Because unpatched versions of Word97 may 
      trust macros in templates the virus may execute without warning. For more 
      information please see: 
      <P></P>
      <DT>
      <DD><A 
      href="http://www.microsoft.com/security/bulletins/ms99-002.asp";>http://www.microsoft.com/security/bulletins/ms99-002.asp</A> 

      <P>Finally, if the minute of the hour matches the day of the month at this 
      point, the macro inserts into the current document the message "Twenty-two 
      points, plus triple-word-score, plus fifty points for using all my 
      letters. Game's over. I'm outta here." 
      <P>Note that if you open an infected document with macros disabled and 
      look at the list of macros in this document, neither Word97 nor Word2000 
      list the macro. The code is actually VBA (Visual Basic for Applications) 
      code associated with the "document.open" method. You can see the code by 
      going into the Visual Basic editor. 
      <P>If you receive one of these messages, keep in mind that the message 
      came from someone who is affected by this virus and they are not 
      necessarily targeting you. We encourage you to contact any users from 
      which you have received such a message. Also, we are interested in 
      understanding the scope of this activity; therefore, we would appreciate 
      if you would report any instance of this activity to us according to our 
      Incident Reporting Guidelines document available at: 
      <P></P>
      <DT>
      <DD><A 
      href="http://www.cert.org/tech_tips/incident_reporting.html";>http://www.cert.org/tech_tips/incident_reporting.html</A> 

      <H1>II. Impact</H1>
      <UL>
        <LI>Users who open an infected document in Word97 or Word2000 with 
        macros enabled will infect the Normal.dot template causing any documents 
        referencing this template to be infected with this macro virus. If the 
        infected document is opened by another user, the document, including the 
        macro virus, will propagate. Note that this could cause the user's 
        document to be propagated instead of the original document, and thereby 
        leak sensitive information. 
        <P></P>
        <LI>Indirectly, this virus could cause a denial of service on mail 
        servers. Many large sites have reported performance problems with their 
        mail servers as a result of the propagation of this virus. </LI></UL>
      <H1>III. Solutions</H1>
      <UL>
        <LI>
        <H2>Block messages with the signature of this virus at your mail 
        transfer agents or other central point of control.</H2>
        <UL>
          <LI>
          <H3>With Sendmail</H3>
          <P>Nick Christenson of sendmail.com provided information about 
          configuring sendmail to filter out messages that may contain the 
          Melissa virus. This information is available from the follow URL: 
          <P>
          <DT>
          <DD><A 
          href="http://www.sendmail.com/blockmelissa.html";>http://www.sendmail.com/blockmelissa.html</A> 

          <P></P></DD>
          <LI>
          <H3>With John Hardin's Procmail security filter package</H3>More 
          information is available from: 
          <P>
          <DT>
          <DD><A 
          href="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html";>ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html</A> 

          <P></P></DD>
          <LI>
          <H3>With Innosoft's PMDF</H3>More information is available from: 
          <P>
          <DT>
          <DD><A 
          href="http://www.innosoft.com/iii/pmdf/virus-word-emergency.html";>http://www.innosoft.com/iii/pmdf/virus-word-emergency.html</A> 

          <P></P></DD></LI></UL>
        <LI>
        <H2>Utilize virus scanners</H2>Most virus scanning tools will detect and 
        clean macro viruses. In order to detect and clean current viruses you 
        must keep your scanning tools up to date with the latest definition 
        files. 
        <P>
        <UL>
          <LI>
          <H3>Computer Associates</H3>Virus signature versions that detect and 
          cure melissa virus. 
          <P>
          <TABLE>
            <TBODY>
            <TR>
              <TD>Windows NT 3.x &amp; 4.x</TD>
              <TD>4.19d</TD></TR>
            <TR>
              <TD>Windows 95</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Windows 98</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Windows 3.1</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Netware 3.x, 4.x &amp; 5.0</TD>
              <TD>4.19e</TD></TR></TBODY></TABLE>
          <P>Any of the above virus signatures files can be downloaded at: 
          <DT>
          <DD><A 
          href="http://www.support.cai.com/";>http://www.support.cai.com</A> 
          <P></P></DD>
          <LI>
          <H3>McAfee / Network Associates</H3>
          <DT>
          <DD><A 
          href="http://vil.mcafee.com/vil/vm10118.asp";>http://vil.mcafee.com/vil/vm10118.asp</A> 

          <DD><A 
          href="http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp";>http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp</A> 

          <P></P></DD>
          <LI>
          <H3>Sophos</H3>
          <DT>
          <DD><A 
          href="http://www.sophos.com/downloads/ide/index.html#melissa";>http://www.sophos.com/downloads/ide/index.html#melissa</A> 

          <P></P></DD>
          <LI>
          <H3>Symantec</H3>
          <DT>
          <DD><A 
          href="http://www.symantec.com/avcenter/venc/data/mailissa.html";>http://www.symantec.com/avcenter/venc/data/mailissa.html</A> 

          <P></P></DD>
          <LI>
          <H3>Trend Micro</H3>
          <DT>
          <DD><A 
          href="http://housecall.antivirus.com/smex_housecall/technotes.html";>http://housecall.antivirus.com/smex_housecall/technotes.html</A> 

          <P>
          <P></P></DD></LI></UL>
        <LI>
        <H2>Encourage users at your site to disable macros in Microsoft 
        Word</H2>Notify all of your users of the problem and encourage them to 
        disable macros in Word. You may also wish to encourage users to disable 
        macros in any product that contains a macro language as this sort of 
        problem is not limited to Microsoft Word. 
        <P>In Word97 you can disable automatic macro execution (click 
        Tools/Options/General then turn on the 'Macro virus protection' 
        checkbox). In Word2000 macro execution is controlled by a security level 
        variable similar to Internet Explorer (click on Tools/Macro/Security and 
        choose High, Medium, or Low). In that case, 'High' silently ignores the 
        VBA code, Medium prompts in the way Word97 does to let you enable or 
        disable the VBA code, and 'Low' just runs it. 
        <P>Word2000 supports Authenticode on the VB code. In the 'High' setting 
        you can specify sites that you trust and code from those sites will run. 

        <P></P>
        <LI>
        <H2>General protection from Word Macro Viruses</H2>For information about 
        macro viruses in general, we encourage you to review the document "Free 
        Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at. 
        <P>
        <DT>
        <DD><A 
        href="http://www.nai.com/services/support/vr/free.asp";>http://www.nai.com/services/support/vr/free.asp</A> 

        <P></P></DD></LI></UL>
      <H3>Additional Information</H3>
      <UL>
        <LI>For more information about the Melissa virus please see the Melissa 
        Virus FAQ (Frequently Asked Questions) document available at: 
        <P>
        <DT>
        <DD><A 
        href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A> 

        <P></P></DD>
        <LI>We have received a number of reports from people confusing the 
        Happy99.exe Trojan Horse with the Melissa virus. For more information 
        about Happy99.exe please see: 
        <DT>
        <DD><A 
        href="http://www.cert.org/incident_notes/IN-99-02.html";>http://www.cert.org/incident_notes/IN-99-02.html</A> 

        <P></P></DD>
        <LI>The Department of Energy's Computer Incident Advisory Capability 
        (CIAC) has published several documents that you may wish to examine. 
        These are available at available at 
        <P>
        <DT>
        <DD><A 
        href="http://www.ciac.org/ciac/bulletins/j-037.shtml";>http://www.ciac.org/ciac/bulletins/j-037.shtml</A> 
        <BR>
        <DT>
        <DD><A 
        href="http://ciac.llnl.gov/ciac/bulletins/i-023.shtml";>http://ciac.llnl.gov/ciac/bulletins/i-023.shtml</A> 

        <P></P></DD>
        <LI>Microsoft Corporation has published information about this macro 
        virus. Their document is available from: 
        <P>
        <DT>
        <DD><A 
        href="http://officeupdate.microsoft.com/articles/macroalert.htm";>http://officeupdate.microsoft.com/articles/macroalert.htm</A> 

        <P></P></DD></LI></UL>
      <H3>Acknowledgements</H3>We would like to thank Jimmy Kuo of Network 
      Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader 
      of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of 
      Innosoft, and John Hardin for providing information used in this advisory. 

      <P>Additionally we would like to thank the many sites who reported this 
      activity. 
      <P>
      <HR noShade width="100%">
      This document is available from: <A 
      href="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html";>http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</A>. 

      <HR noShade width="100%">

      <H2>CERT/CC Contact Information</H2>
      <DL><B>Email:</B> <A 
        href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1 
        412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1 
        412-268-6989<BR><B>Postal address:</B><BR>
        <DD>CERT Coordination Center<BR>Software Engineering 
        Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA 
        15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline 
      08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on 
      call for emergencies during other hours, on U.S. holidays, and on 
      weekends. 
      <P>
      <H4>Using encryption</H4>
      <P>We strongly urge you to encrypt sensitive information sent by email. 
      Our public PGP key is available from <A 
      href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>. 
      If you prefer to use DES, please call the CERT hotline for more 
      information. 
      <H4>Getting security information</H4>CERT publications and other security 
      information are available from our web site <A 
      href="http://www.cert.org/";>http://www.cert.org/</A>. 
      <P>To be added to our mailing list for advisories and bulletins, send 
      email to <A 
      href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A> 
      and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your 
      message. 
      <P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use, 
      disclaimers, and sponsorship information can be found in <A 
      href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>. 

      <P>* "CERT" and "CERT Coordination Center" are registered in the U.S. 
      Patent and Trademark Office 
      <HR noShade width="100%">
      <B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon 
      University and the Software Engineering Institute is furnished on an "as 
      is" basis. Carnegie Mellon University makes no warranties of any kind, 
      either expressed or implied as to any matter including, but not limited 
      to, warranty of fitness for a particular purpose or merchantability, 
      exclusivity or results obtained from use of the material. Carnegie Mellon 
      University does not make any warranty of any kind with respect to freedom 
      from patent, trademark, or copyright infringement.</B> 
      <HR width="100%">
      Revision History 
      <P>
      <TABLE>
        <TBODY>
        <TR>
          <TD>March 28, 1999:</TD>
          <TD>Changed the reference to the sendmail patches from ftp.cert.org 
            to www.sendmail.com. Added information for Innosoft, Sophos, and 
            John Hardin's procmail filter kit.</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Formatting changes</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Added information for Computer Associates</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Fixed a broken link</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Added a link to information at Microsoft, added a link to 
            information about Happy99.exe, added information about MacOS, and 
            clairfied that only MS Outlook MAPI address books are 
involved.</TD></TR>
        <TR>
          <TD>March 31, 1999:</TD>
          <TD>Added links to the Melissa FAQ</TD></TR></TBODY></TABLE><!-- This completes the table started in *_titlebar.html --></P></DD></SMALL></FONT></TD></TR></TBODY></TABLE></DIV></DIV></BODY></HTML>
</x-html>From ???@??? Mon Apr 05 06:39:32 1999
Received: from listserv.equis.com (204.246.137.2)
	by mail02.rapidsite.net (RS ver 1.0.2) with SMTP id 3110
	for <neal@xxxxxxxxxxxxx>; Mon,  5 Apr 1999 09:27:17 -0400 (EDT)
Received: (from majordom@xxxxxxxxx)
	by listserv.equis.com (8.8.7/8.8.7) id UAA03471
	for metastock-outgoing; Mon, 5 Apr 1999 20:37:10 -0600
X-Authentication-Warning: listserv.equis.com: majordom set sender to owner-metastock@xxxxxxxxxxxxx using -f
Received: from freeze.metastock.com (freeze.metastock.com [204.246.137.5])
	by listserv.equis.com (8.8.7/8.8.7) with ESMTP id UAA03468
	for <metastock@xxxxxxxxxxxxxxxxxx>; Mon, 5 Apr 1999 20:37:07 -0600
Received: from smtp02.wxs.nl (smtp02.wxs.nl [195.121.6.60])
	by freeze.metastock.com (8.8.5/8.8.5) with ESMTP id GAA01193
	for <metastock@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 06:29:21 -0600 (MDT)
Received: from escom ([195.121.39.2]) by smtp02.wxs.nl
          (Netscape Messaging Server 3.61)  with SMTP id AAA1AB7
          for <metastock@xxxxxxxxxxxxx>; Mon, 5 Apr 1999 14:17:00 +0200
Message-ID: <001b01be7f5d$b4797f60$022779c3@xxxxx>
From: "A.J. Maas" <anthmaas@xxxxxx>
To: "Metastock-List" <metastock@xxxxxxxxxxxxx>
Subject: Re: OFF TOPIC Melissa Virus Originator Apprehended - an update
Date: Mon, 5 Apr 1999 13:30:09 +0200
Organization: Ms-IRB
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0013_01BE7F68.6F858420"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-metastock@xxxxxxxxxxxxx
Precedence: bulk
Reply-To: metastock@xxxxxxxxxxxxx
X-Loop-Detect: 1
X-UIDL: 5f6f1a7be6f56f4a575cb8db2cb63d5e.10

<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>CERT®/CC Frequently Asked Questions About the Melissa Virus</TITLE>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type><BASE 
href=file://C:\Windows\Desktop\melissa\>
<META content="MSHTML 5.00.2014.210" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY aLink=#ddb30b bgColor=#ffffff link=#004a6b vLink=#c7aa05>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width="50%"><IMG 
      alt="The CERT/CC is&#10;    part of the Software Engineering Institute at Carnegie Mellon University" 
      height=37 src="/images/cmu_sei.gif" width=239></TD>
    <TD align=right vAlign=center width="50%"><IMG align=bottom 
      alt="Improving Security" height=19 src="/images/improvingsecurity.gif" 
      width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width=54><IMG alt="" height=1 src="/images/invisible.gif" width=54></TD>
    <TD width="18%"><IMG alt="CERT® Coordination Center" height=18 
      src="/images/certcc_head.gif" width=189></TD>
    <TD bgColor=#dcdcdc width="85%">
      <P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial">&nbsp;<A 
      href="/index.html">Home</A> | What's New 
      | FAQ | <A 
      href="/contents/contents.html">Site Contents</A> | <A 
      href="/contact_cert/contactinfo.html">Contact Us</A> 
      </FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
  <TBODY>
  <TR>
    <TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
    <TD align=left width="100%">
      <P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial" 
      size=1>Alerts | <A 
      href="/nav/securityimprovement.html">Improving Security</A> | <A 
      href="/nav/training.html">Training</A> | <A 
      href="/nav/reports.html">Reports</A> | <A href="/research/">Survivability 
      Research</A> | About Us | <A 
      href="/ftp/">FTP Archives</A> | <A href="/nav/other_sources.html">Other 
      Resources</A></FONT></P></TD></TR>
  <TR>
    <TD width=47><IMG alt="" height=1 src="/images/invisible.gif" width=47></TD>
    <TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
  <TBODY>
  <TR>
    <TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1 
      src="/images/invisible.gif" width=47></TD>
    <TD vAlign=top width="100%"></TD></TR>
  <TR>
    <TD vAlign=top width="100%">
      <DIV align=left>
      <TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225 
      width=100>
        <TBODY>
        <TR>
          <TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b 
            face="Helvetica, Geneva, Arial"><SMALL><SMALL>
            <P>Incident Notes 
            <P>Vulnerability Notes 
            <P>Security Improvement Modules 

            <P>Tech Tips 
            <P>Tools 
            <P><A href="/other_sources/tool_sources.html">Other sources of 
            tools</A> 
            <P>Training 
            <P>Alerts 
          </SMALL></SMALL></FONT></P></TD>
          <TD rowSpan=2 vAlign=top width=3></TD></TR>
        <TR>
          <TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV>
      <H1>Frequently Asked Questions About the Melissa Virus</H1>
      <P>Last Updated: March 31, 1999</P>
      <OL><B>
        <LI>How many reports have we received? </B>
        <P>We have first-hand reports of more than 300 organizations affected, 
        covering more than 100,000 individual hosts. </P><B>
        <LI>Is the damage limited only to denial-of-service? </B>
        <P>No. Under some circumstances, confidential documents can be leaked 
        without the user's knowledge. These circumstances include the use of a 
        single template file by more than one user, and the transmission of an 
        infected document to another user who has not previously been infected. 
        Additionally, if you fail to clean up the virus correctly and completely 
        (for example, by not cleaning the normal.dot file) you may expose 
        confidential information at a later time. </P><B>
        <LI>What about Papa, and other variants? </B>
        <P>We have received reports of other variants of Melissa, including one 
        named Papa. At the present time, we have not received a significant 
        number of reports of Papa outbreaks. If you practice antivirus 
        precautions on a regular basis, you can protect yourself against Papa 
        and other variants of Melissa. </P><B>
        <LI>Are Macro viruses new? </B>
        <P>No. According to the Department of Energy's Computer Incident 
        Advisory Capability (CIAC), macro viruses for Microsoft Word appeared as 
        early as 1995, with over 1000 variants for Word and other products by 
        1998. See <A 
        href="http://www.ciac.org/ciac/bulletins/i-023.shtml";>http://www.ciac.org/ciac/bulletins/i-023.shtml</A> 
        for more information. </P><B>
        <LI>Why was Melissa so serious? </B>
        <P>Melissa was different from other macro viruses because of the speed 
        at which it spread. The first confirmed reports of Melissa were received 
        on Friday, March 26, 1999. By Monday, March 29, it had reached more than 
        100,000 computers. Some sites had to take their mail systems off-line. 
        One site reported receiving 32,000 copies of mail messages containing 
        Melissa on their systems within 45 minutes. </P><B>
        <LI>Are Macro viruses limited to Microsoft Word? </B>
        <P>No. Macro viruses can affect other products, including other products 
        from Microsoft such as Excel and Powerpoint. The Papa virus, for 
        instance, is reported to be spread via Excel. </P><B>
        <LI>Is Melissa a worm? </B>
        <P>Melissa requires user interaction to propagate, therefore we do not 
        consider it a worm. However, Melissa can propagate quickly from one 
        computer to another with minimal interaction required by the user. 
        </P><B>
        <LI>Does the Melissa virus affect MacOS? </B>
        <P>The Melissa virus can infect files stored on and shared with 
        MacOS-based systems running Word 98. However, when the virus runs on 
        MacOS systems, it is not able to send electronic mail, and its 
        propagation will be slower on MacOS systems. </P>
        <P></P><B>
        <LI>Can I protect myself by marking the normal.dot file read-only? </B>
        <P>At best, marking the normal.dot file read only is a stop-gap 
        protection. On Windows 98/95 systems and on MacOS, viruses can 
        circumvent the read-only protection. Instead, we recommend setting Word 
        to prompt the user before making any changes to the normal.dot file if 
        you are concerned about changes to that file. </P><B>
        <LI>How can I protect myself against variants of Melissa? </B>
        <P>Disable macros by default. Use caution when operating any product 
        when macros are enabled. Keep your antivirus products up-to-date. Be 
        leery of unsolicited documents or executable programs received in 
        electronic mail. Beware of software that comes from untrusted sources. 
        </P><B>
        <LI>Who wrote Melissa? Why was Melissa written? What crimes has the 
        author committed? What is the status of the investigation? </B>
        <P>The CERT Coordination Center is a technical organization. We 
        concentrate on the technical aspects of computer security problems. We 
        have no legal authority and we do not "catch the bad guys."</P><B>
        <LI>Can I be affected if I don't use Outlook? </B>
        <P>If it is installed, Outlook is used by the virus to send mail. 
        Otherwise, Melissa behaves like a normal virus: you can infect others by 
        carelessly sharing files. </P><B>
        <LI>I use a mail package other than Outlook. Am I affected? </B>
        <P>The mailer you use to read mail doesn't matter. The virus will use 
        Outlook, if Outlook is installed, to send copies of itself. How you 
        receive it doesn't matter. </P><B>
        <LI>How effective are systems that look at the subject of the mail 
        message? </B>
        <P>Systems that rely solely on pattern matching to recognize the virus 
        can be used as a stop gap measure to prevent the spread of a particular 
        virus, but will fail as soon as the virus mutates so that it no longer 
        matches the pattern. This can be very effective as a short-term fix, but 
        will not provide long-term protection.</P><B>
        <LI>Is Melissa the most dangerous virus possible? </B>
        <P>Melissa was relatively non-destructive and easily detected. Variants 
        could be significantly more destructive or stealthy. We strongly 
        encourage you to be aware of the risks posed by viruses and other 
        computer security concerns at all times. </P><B>
        <LI>Are you aware of the connection between the Melissa virus and the 
        television show<I> The Simpsons</I>? </B>
        <P>Yes.</P><B>
        <LI>What products are affected? </B>
        <P>Outlook 98 and Outlook 2000 for Windows platforms can be used to 
        propagate the virus. Microsoft Word 97 and Word 2000 for Windows and 
        Word 98 for Macintosh can be used by the virus to infect other 
        documents. Earlier versions of Word, including Word 95, cannot be used 
        to infect other documents, nor can Outlook Express on any platform be 
        used to propagate the virus via email.</P><B>
        <LI>Why is it called Melissa? </B>
        <P>It was named Melissa by the antivirus software vendors. </P><B>
        <LI>Do you have to open the email attachment to be infected?</B> 
        <P>Yes. To be affected by Melissa and other, similar macro viruses, you 
        must open the attachment and permit macros to run. You cannot be 
        affected by Melissa or similar viruses merely by receiving the 
        email.</P><B>
        <LI>If I receive the virus mailed to me by someone, should I notify 
        them?</B> 
        <P>Yes. We encourage you to notify them. More information about dealing 
        with incidents can be found in our Incident Reporting Guidelines at</P>
        <P><A 
        href="/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</A></P><B>
        <LI>I am a novice user and know little about computer language. I read 
        your virus alert and tried to determine whether or not my Word macros 
        were disabled. I use Office 97, professional version, and did not find a 
        way to disable the macro function. However, under the menu options 
        "Tools/Options/General" I found a checked box that says "Macro virus 
        protection." Will this option provide adequate protection against the 
        Melissa macro virus and other, similar viruses?</B> 
        <P>If this option is checked, Word will give you a warning any time you 
        open a document that has macros embedded in it. The warning will give 
        you the opportunity to prevent any macros from running.</P><B>
        <LI>Are the Melissa macro virus and Happy99 the same thing?</B> 
        <P>No. While Melissa is a macro virus, Happy99.exe is a Trojan horse 
        program. For more information about Happy99.exe, please see Incident 
        Note IN-99-02 Happy99.exe Trojan Horse at</P>
        <P><A 
        href="/incident_notes/IN-99-02.html">http://www.cert.org/incident_notes/IN-99-02.html</A></P></LI></OL>
      <HR noShade width="100%">
      This document is available from: <A 
      href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A>. 

      <HR noShade width="100%">

      <H2>CERT/CC Contact Information</H2>
      <DL><B>Email:</B> <A 
        href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1 
        412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1 
        412-268-6989<BR><B>Postal address:</B><BR>
        <DD>CERT Coordination Center<BR>Software Engineering 
        Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA 
        15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline 
      08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on 
      call for emergencies during other hours, on U.S. holidays, and on 
      weekends. 
      <P>
      <H4>Using encryption</H4>
      <P>We strongly urge you to encrypt sensitive information sent by email. 
      Our public PGP key is available from <A 
      href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>. 
      If you prefer to use DES, please call the CERT hotline for more 
      information. 
      <H4>Getting security information</H4>CERT publications and other security 
      information are available from our web site <A 
      href="http://www.cert.org/";>http://www.cert.org/</A>. 
      <P>To be added to our mailing list for advisories and bulletins, send 
      email to <A 
      href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A> 
      and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your 
      message. 
      <P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use, 
      disclaimers, and sponsorship information can be found in <A 
      href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>. 

      <P>* "CERT" and "CERT Coordination Center" are registered in the U.S. 
      Patent and Trademark Office 
      <HR noShade width="100%">
      <B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon 
      University and the Software Engineering Institute is furnished on an "as 
      is" basis. Carnegie Mellon University makes no warranties of any kind, 
      either expressed or implied as to any matter including, but not limited 
      to, warranty of fitness for a particular purpose or merchantability, 
      exclusivity or results obtained from use of the material. Carnegie Mellon 
      University does not make any warranty of any kind with respect to freedom 
      from patent, trademark, or copyright infringement.</B> <!-- This completes the table started in *_titlebar.html --></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>&nbsp;</DIV>
<DIV align=left>
<DIV 
align=left>=====================================================================================================</DIV>
<DIV align=left>&nbsp;</DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width="50%"><IMG 
      alt="The CERT/CC is&#10;    part of the Software Engineering Institute at Carnegie Mellon University" 
      height=37 src="file:///C:/images/cmu_sei.gif" width=239></TD>
    <TD align=right vAlign=center width="50%"><IMG align=bottom 
      alt="CERT®/CC Alerts" height=19 src="file:///C:/images/alerts.gif" 
      width=123> </TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=0 cellSpacing=0 width="100%">
  <TBODY>
  <TR>
    <TD width=54><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=54></TD>
    <TD width="18%"><IMG alt="CERT® Coordination Center" height=18 
      src="file:///C:/images/certcc_head.gif" width=189></TD>
    <TD bgColor=#dcdcdc width="85%">
      <P align=left><SMALL><SMALL><FONT face="Helvetica, Geneva, Arial">&nbsp;<A 
      href="file:///C:/index.html">Home</A> | <A 
      href="file:///C:/nav/whatsnew.html">What's New</A> | <A 
      href="file:///C:/faq/cert_faq.html">FAQ</A> | <A 
      href="file:///C:/contents/contents.html">Site Contents</A> | <A 
      href="file:///C:/contact_cert/contactinfo.html">Contact Us</A> 
      </FONT></SMALL></SMALL></P></TD></TR></TBODY></TABLE></DIV>
<DIV align=left>
<TABLE border=0 cellPadding=5 cellSpacing=1 width="100%">
  <TBODY>
  <TR>
    <TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=47></TD>
    <TD align=left width="100%">
      <P align=left><FONT color=#004a6b face="Helvetica, Geneva, Arial" 
      size=1>Alerts | <A 
      href="file:///C:/nav/securityimprovement.html">Improving Security</A> | <A 
      href="file:///C:/nav/training.html">Training</A> | <A 
      href="file:///C:/nav/reports.html">Reports</A> | <A 
      href="file:///C:/research/">Survivability Research</A> | <A 
      href="file:///C:/nav/aboutcert.html">About Us</A> | <A 
      href="file:///C:/ftp/">FTP Archives</A> | <A 
      href="file:///C:/nav/other_sources.html">Other 
  Resources</A></FONT></P></TD></TR>
  <TR>
    <TD width=47><IMG alt="" height=1 src="file:///C:/images/invisible.gif" 
      width=47></TD>
    <TD height=12 width="100%"></TD></TR></TBODY></TABLE></DIV><!-- This section leaves a table definition open. --><!-- Each document must close it somewhere else. -->
<DIV align=left>
<TABLE border=0 width="100%">
  <TBODY>
  <TR>
    <TD rowSpan=2 vAlign=top width=47><IMG alt="" height=1 
      src="file:///C:/images/invisible.gif" width=47></TD>
    <TD vAlign=top width="100%"></TD></TR>
  <TR>
    <TD vAlign=top width="100%">
      <DIV align=left>
      <TABLE align=left border=0 cellPadding=7 cellSpacing=0 height=225 
      width=100>
        <TBODY>
        <TR>
          <TD bgColor=#dcdcdc height=175 vAlign=top><FONT color=#004a6b 
            face="Helvetica, Geneva, Arial"><SMALL><SMALL>
            <P>Advisories 
            <P>Summaries 
            <P><A href="file:///C:/ftp/cert_bulletins/">Vendor-Initiated 
            Bulletins</A> 
            <P><A href="file:///C:/contact_cert/certmaillist.html">Subscribing 
            to the CERT Mailing List</A> 
            <P>Vulnerability Notes 
            <P>Incident Notes 
            </SMALL></SMALL></FONT></P></TD>
          <TD rowSpan=2 vAlign=top width=3></TD></TR>
        <TR>
          <TD height=5 vAlign=top></TD></TR></TBODY></TABLE></DIV><FONT 
      face="Helvetica, Geneva, Arial"><SMALL>
      <H1>CERT<SUP>®</SUP> Advisory CA-99-04-Melissa-Macro-Virus</H1>
      <P>Original issue date: Saturday March 27 1999<BR>Last Revised: 3:00 PM 
      GMT-5 Wednesday March 31, 1999</P>
      <H3>Systems Affected</H3>
      <P>
      <UL>
        <LI>Machines with Microsoft Word 97 or Word 2000 
        <LI>Any mail handling system could experience performance problems or a 
        denial of service as a result of the propagation of this macro virus. 
        </LI></UL>
      <P></P>
      <H3>Overview</H3>At approximately 2:00 PM GMT-5 on Friday March 26 1999 we 
      began receiving reports of a Microsoft Word 97 and Word 2000 macro virus 
      which is propagating via email attachments. The number and variety of 
      reports we have received indicate that this is a widespread attack 
      affecting a variety of sites. 
      <P>Our analysis of this macro virus indicates that human action (in the 
      form of a user opening an infected Word document) is required for this 
      virus to propagate. It is possible that under some mailer configurations, 
      a user might automatically open an infected document received in the form 
      of an email attachment. This macro virus is not known to exploit any new 
      vulnerabilities. While the primary transport mechanism of this virus is 
      via email, any way of transferring files can also propagate the virus. 
      <P>Anti-virus software vendors have called this macro virus the Melissa 
      macro or W97M_Melissa virus. 
      <P>In addition to this advisory, please see the Melissa Virus FAQ 
      (Frequently Asked Questions) document available at: 
      <P>
      <DT>
      <DD><A 
      href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A> 

      <P>
      <H1>I. Description</H1>The Melissa macro virus propagates in the form of 
      an email message containing an infected Word document as an attachment. 
      The transport message has most frequently been reported to contain the 
      following Subject header 
      <P></P>
      <DT>
      <DD><PRE>Subject: Important Message From &lt;name&gt;
</PRE>
      <P>Where &lt;name&gt; is the full name of the user sending the message. 
      <P>The body of the message is a multipart MIME message containing two 
      sections. The first section of the message (Content-Type: text/plain) 
      contains the following text. 
      <P></P>
      <DT>
      <DD><PRE>Here is that document you asked for ... don't show anyone else ;-)
</PRE>
      <P>The next section (Content-Type: application/msword) was initially 
      reported to be a document called "list.doc". This document contains 
      references to pornographic web sites. As this macro virus spreads we are 
      likely to see documents with other names. In fact, under certain 
      conditions the virus may generate attachments with documents created by 
      the victim. 
      <P>When a user opens an infected .doc file with Microsoft Word97 or 
      Word2000, the macro virus is immediately executed if macros are enabled. 
      <P>Upon execution, the virus first lowers the macro security settings to 
      permit all macros to run when documents are opened in the future. 
      Therefore, the user will not be notified when the virus is executed in the 
      future. 
      <P>The macro then checks to see if the registry key 
      <P></P>
      <DT>
      <DD><B>"HKEY_Current_User\Software\Microsoft\Office\Melissa?"</B> 
      <P>has a value of <B>"... by Kwyjibo"</B>. If that registry key does not 
      exist or does not have a value of <B>"... by Kwyjibo"</B>, the virus 
      proceeds to propagate itself by sending an email message in the format 
      described above to the first 50 entries in every Microsoft Outlook MAPI 
      address book readable by the user executing the macro. Keep in mind that 
      if any of these email addresses are mailing lists, the message will be 
      delivered to everyone on the mailing lists. In order to successfully 
      propagate, the affected machine must have Microsoft Outlook installed; 
      however, Outlook does not need to be the mailer used to read the message. 
      <P>This virus can not send mail on systems running MacOS; however, the 
      virus can be stored on MacOS. 
      <P>Next, the macro virus sets the value of the registry key to <B>"... by 
      Kwyjibo"</B>. Setting this registry key causes the virus to only propagate 
      once per session. If the registry key does not persist through sessions, 
      the virus will propagate as described above once per every session when a 
      user opens an infected document. If the registry key persists through 
      sessions, the virus will no longer attempt to propagate even if the 
      affected user opens an infected document. 
      <P>The macro then infects the Normal.dot template file. By default, all 
      Word documents utilize the Normal.dot template; thus, any newly created 
      Word document will be infected. Because unpatched versions of Word97 may 
      trust macros in templates the virus may execute without warning. For more 
      information please see: 
      <P></P>
      <DT>
      <DD><A 
      href="http://www.microsoft.com/security/bulletins/ms99-002.asp";>http://www.microsoft.com/security/bulletins/ms99-002.asp</A> 

      <P>Finally, if the minute of the hour matches the day of the month at this 
      point, the macro inserts into the current document the message "Twenty-two 
      points, plus triple-word-score, plus fifty points for using all my 
      letters. Game's over. I'm outta here." 
      <P>Note that if you open an infected document with macros disabled and 
      look at the list of macros in this document, neither Word97 nor Word2000 
      list the macro. The code is actually VBA (Visual Basic for Applications) 
      code associated with the "document.open" method. You can see the code by 
      going into the Visual Basic editor. 
      <P>If you receive one of these messages, keep in mind that the message 
      came from someone who is affected by this virus and they are not 
      necessarily targeting you. We encourage you to contact any users from 
      which you have received such a message. Also, we are interested in 
      understanding the scope of this activity; therefore, we would appreciate 
      if you would report any instance of this activity to us according to our 
      Incident Reporting Guidelines document available at: 
      <P></P>
      <DT>
      <DD><A 
      href="http://www.cert.org/tech_tips/incident_reporting.html";>http://www.cert.org/tech_tips/incident_reporting.html</A> 

      <H1>II. Impact</H1>
      <UL>
        <LI>Users who open an infected document in Word97 or Word2000 with 
        macros enabled will infect the Normal.dot template causing any documents 
        referencing this template to be infected with this macro virus. If the 
        infected document is opened by another user, the document, including the 
        macro virus, will propagate. Note that this could cause the user's 
        document to be propagated instead of the original document, and thereby 
        leak sensitive information. 
        <P></P>
        <LI>Indirectly, this virus could cause a denial of service on mail 
        servers. Many large sites have reported performance problems with their 
        mail servers as a result of the propagation of this virus. </LI></UL>
      <H1>III. Solutions</H1>
      <UL>
        <LI>
        <H2>Block messages with the signature of this virus at your mail 
        transfer agents or other central point of control.</H2>
        <UL>
          <LI>
          <H3>With Sendmail</H3>
          <P>Nick Christenson of sendmail.com provided information about 
          configuring sendmail to filter out messages that may contain the 
          Melissa virus. This information is available from the follow URL: 
          <P>
          <DT>
          <DD><A 
          href="http://www.sendmail.com/blockmelissa.html";>http://www.sendmail.com/blockmelissa.html</A> 

          <P></P></DD>
          <LI>
          <H3>With John Hardin's Procmail security filter package</H3>More 
          information is available from: 
          <P>
          <DT>
          <DD><A 
          href="ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html";>ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html</A> 

          <P></P></DD>
          <LI>
          <H3>With Innosoft's PMDF</H3>More information is available from: 
          <P>
          <DT>
          <DD><A 
          href="http://www.innosoft.com/iii/pmdf/virus-word-emergency.html";>http://www.innosoft.com/iii/pmdf/virus-word-emergency.html</A> 

          <P></P></DD></LI></UL>
        <LI>
        <H2>Utilize virus scanners</H2>Most virus scanning tools will detect and 
        clean macro viruses. In order to detect and clean current viruses you 
        must keep your scanning tools up to date with the latest definition 
        files. 
        <P>
        <UL>
          <LI>
          <H3>Computer Associates</H3>Virus signature versions that detect and 
          cure melissa virus. 
          <P>
          <TABLE>
            <TBODY>
            <TR>
              <TD>Windows NT 3.x &amp; 4.x</TD>
              <TD>4.19d</TD></TR>
            <TR>
              <TD>Windows 95</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Windows 98</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Windows 3.1</TD>
              <TD>4.19e</TD></TR>
            <TR>
              <TD>Netware 3.x, 4.x &amp; 5.0</TD>
              <TD>4.19e</TD></TR></TBODY></TABLE>
          <P>Any of the above virus signatures files can be downloaded at: 
          <DT>
          <DD><A 
          href="http://www.support.cai.com/";>http://www.support.cai.com</A> 
          <P></P></DD>
          <LI>
          <H3>McAfee / Network Associates</H3>
          <DT>
          <DD><A 
          href="http://vil.mcafee.com/vil/vm10118.asp";>http://vil.mcafee.com/vil/vm10118.asp</A> 

          <DD><A 
          href="http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp";>http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp</A> 

          <P></P></DD>
          <LI>
          <H3>Sophos</H3>
          <DT>
          <DD><A 
          href="http://www.sophos.com/downloads/ide/index.html#melissa";>http://www.sophos.com/downloads/ide/index.html#melissa</A> 

          <P></P></DD>
          <LI>
          <H3>Symantec</H3>
          <DT>
          <DD><A 
          href="http://www.symantec.com/avcenter/venc/data/mailissa.html";>http://www.symantec.com/avcenter/venc/data/mailissa.html</A> 

          <P></P></DD>
          <LI>
          <H3>Trend Micro</H3>
          <DT>
          <DD><A 
          href="http://housecall.antivirus.com/smex_housecall/technotes.html";>http://housecall.antivirus.com/smex_housecall/technotes.html</A> 

          <P>
          <P></P></DD></LI></UL>
        <LI>
        <H2>Encourage users at your site to disable macros in Microsoft 
        Word</H2>Notify all of your users of the problem and encourage them to 
        disable macros in Word. You may also wish to encourage users to disable 
        macros in any product that contains a macro language as this sort of 
        problem is not limited to Microsoft Word. 
        <P>In Word97 you can disable automatic macro execution (click 
        Tools/Options/General then turn on the 'Macro virus protection' 
        checkbox). In Word2000 macro execution is controlled by a security level 
        variable similar to Internet Explorer (click on Tools/Macro/Security and 
        choose High, Medium, or Low). In that case, 'High' silently ignores the 
        VBA code, Medium prompts in the way Word97 does to let you enable or 
        disable the VBA code, and 'Low' just runs it. 
        <P>Word2000 supports Authenticode on the VB code. In the 'High' setting 
        you can specify sites that you trust and code from those sites will run. 

        <P></P>
        <LI>
        <H2>General protection from Word Macro Viruses</H2>For information about 
        macro viruses in general, we encourage you to review the document "Free 
        Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at. 
        <P>
        <DT>
        <DD><A 
        href="http://www.nai.com/services/support/vr/free.asp";>http://www.nai.com/services/support/vr/free.asp</A> 

        <P></P></DD></LI></UL>
      <H3>Additional Information</H3>
      <UL>
        <LI>For more information about the Melissa virus please see the Melissa 
        Virus FAQ (Frequently Asked Questions) document available at: 
        <P>
        <DT>
        <DD><A 
        href="http://www.cert.org/tech_tips/Melissa_FAQ.html";>http://www.cert.org/tech_tips/Melissa_FAQ.html</A> 

        <P></P></DD>
        <LI>We have received a number of reports from people confusing the 
        Happy99.exe Trojan Horse with the Melissa virus. For more information 
        about Happy99.exe please see: 
        <DT>
        <DD><A 
        href="http://www.cert.org/incident_notes/IN-99-02.html";>http://www.cert.org/incident_notes/IN-99-02.html</A> 

        <P></P></DD>
        <LI>The Department of Energy's Computer Incident Advisory Capability 
        (CIAC) has published several documents that you may wish to examine. 
        These are available at available at 
        <P>
        <DT>
        <DD><A 
        href="http://www.ciac.org/ciac/bulletins/j-037.shtml";>http://www.ciac.org/ciac/bulletins/j-037.shtml</A> 
        <BR>
        <DT>
        <DD><A 
        href="http://ciac.llnl.gov/ciac/bulletins/i-023.shtml";>http://ciac.llnl.gov/ciac/bulletins/i-023.shtml</A> 

        <P></P></DD>
        <LI>Microsoft Corporation has published information about this macro 
        virus. Their document is available from: 
        <P>
        <DT>
        <DD><A 
        href="http://officeupdate.microsoft.com/articles/macroalert.htm";>http://officeupdate.microsoft.com/articles/macroalert.htm</A> 

        <P></P></DD></LI></UL>
      <H3>Acknowledgements</H3>We would like to thank Jimmy Kuo of Network 
      Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader 
      of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of 
      Innosoft, and John Hardin for providing information used in this advisory. 

      <P>Additionally we would like to thank the many sites who reported this 
      activity. 
      <P>
      <HR noShade width="100%">
      This document is available from: <A 
      href="http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html";>http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html</A>. 

      <HR noShade width="100%">

      <H2>CERT/CC Contact Information</H2>
      <DL><B>Email:</B> <A 
        href="mailto:cert@xxxxxxxx";>cert@xxxxxxxx</A><BR><B>Phone:</B> +1 
        412-268-7090 (24-hour hotline)<BR><B>Fax:</B> +1 
        412-268-6989<BR><B>Postal address:</B><BR>
        <DD>CERT Coordination Center<BR>Software Engineering 
        Institute<BR>Carnegie Mellon University<BR>Pittsburgh PA 
        15213-3890<BR>U.S.A.<BR></DD></DL>CERT personnel answer the hotline 
      08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on 
      call for emergencies during other hours, on U.S. holidays, and on 
      weekends. 
      <P>
      <H4>Using encryption</H4>
      <P>We strongly urge you to encrypt sensitive information sent by email. 
      Our public PGP key is available from <A 
      href="http://www.cert.org/CERT_PGP.key";>http://www.cert.org/CERT_PGP.key</A>. 
      If you prefer to use DES, please call the CERT hotline for more 
      information. 
      <H4>Getting security information</H4>CERT publications and other security 
      information are available from our web site <A 
      href="http://www.cert.org/";>http://www.cert.org/</A>. 
      <P>To be added to our mailing list for advisories and bulletins, send 
      email to <A 
      href="mailto:cert-advisory-request@xxxxxxxx";>cert-advisory-request@xxxxxxxx</A> 
      and include <TT>SUBSCRIBE your-email-address</TT> in the subject of your 
      message. 
      <P>Copyright 1999 Carnegie Mellon University.<BR>Conditions for use, 
      disclaimers, and sponsorship information can be found in <A 
      href="http://www.cert.org/legal_stuff.html";>http://www.cert.org/legal_stuff.html</A>. 

      <P>* "CERT" and "CERT Coordination Center" are registered in the U.S. 
      Patent and Trademark Office 
      <HR noShade width="100%">
      <B><U>NO WARRANTY</U></B><BR><B>Any material furnished by Carnegie Mellon 
      University and the Software Engineering Institute is furnished on an "as 
      is" basis. Carnegie Mellon University makes no warranties of any kind, 
      either expressed or implied as to any matter including, but not limited 
      to, warranty of fitness for a particular purpose or merchantability, 
      exclusivity or results obtained from use of the material. Carnegie Mellon 
      University does not make any warranty of any kind with respect to freedom 
      from patent, trademark, or copyright infringement.</B> 
      <HR width="100%">
      Revision History 
      <P>
      <TABLE>
        <TBODY>
        <TR>
          <TD>March 28, 1999:</TD>
          <TD>Changed the reference to the sendmail patches from ftp.cert.org 
            to www.sendmail.com. Added information for Innosoft, Sophos, and 
            John Hardin's procmail filter kit.</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Formatting changes</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Added information for Computer Associates</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Fixed a broken link</TD></TR>
        <TR>
          <TD>March 29, 1999:</TD>
          <TD>Added a link to information at Microsoft, added a link to 
            information about Happy99.exe, added information about MacOS, and 
            clairfied that only MS Outlook MAPI address books are 
involved.</TD></TR>
        <TR>
          <TD>March 31, 1999:</TD>
          <TD>Added links to the Melissa FAQ</TD></TR></TBODY></TABLE><!-- This completes the table started in *_titlebar.html --></P></DD></SMALL></FONT></TD></TR></TBODY></TABLE></DIV></DIV></BODY></HTML>
</x-html>From ???@??? Mon Apr 05 06:40:00 1999
X-Persona: <Fibtrader>
Received: from www36.hway.net (207.158.192.116)
	by mail02.rapidsite.net (RS ver 1.0.2) with SMTP id 15207
	for <list@xxxxxxxxxxxxx>; Mon,  5 Apr 1999 01:51:08 -0400 (EDT)
Received: (from fibtra@xxxxxxxxx)
	by www36.hway.net (8.9.1a/8.9.1) id BAA31005;
	Mon, 5 Apr 1999 01:51:08 -0400 (EDT)
Date: Mon, 5 Apr 1999 01:51:08 -0400 (EDT)
Message-Id: <199904050551.BAA31005@xxxxxxxxxxxxxx>
To: list@xxxxxxxxxxxxx
From: list@xxxxxxxxxxxxx
Subject: Your FREE CD Request.
X-Loop-Detect: 1
X-UIDL: 5357a156d1ed45e1f26fb43a8f261b8e.01


Data from input form.

Name            : Don Kushnir
Company         : Retired
Address         :  39 Lake Linnet Close S.E.
City            : Calgary
State           : Alberta
ZIP/Postal code : T2J 2H9
Country         : Canada
Telephone number: 403-278-1692
Email           : dkushnir@xxxxxxxxxxxxx