lisa b (lisb@shaw.wave.ca)
Mon, 29 Mar 1999 22:14:39 -0500
Hey guys, hope everyone had a nice weekend. In the Toronto Star today and
Globe there is coverage on a virus called Melissa. I also received a note
below from Bill Samagalsky who works for NAI (the people who make Mcafee
and Dr. Solomon). This virus has a lot of potential to be destructive.
Usually I'm a pessimist when it comes to this stuff but my Vice President
just put it as priority one on my list.
This one is getting a lot of press. We need to stay on top of this.
---- Forwarded by Keith Parsons/IS_TS/TSE on 29/03/99 06:11 AM ----
To:
cc: (bcc: Keith Parsons/IS_TS/TSE)
Subject: VIRUS ALERT - NAI AVERT Labs discovers Melissa Virus.
VIRUS ALERT: W97M/Melissa
Melissa is a Word 97 Class Module Macro virus that can also be upconverted
to a Word 2000 Macro Virus. It was first discovered by NAI's Dr Solomon's
VirusPatrol on the alt.sex newsgroup on March 26. The virus has spread
rapidly around the world, and has infected thousands
Symptom
The virus can infect a system by being received from another
infected user via Outlook. This appears to be the most common method of
infection. Users will not know they have been infected, nor will the sender
know the document has been sent. A user may become alerted to the infected
document if the Macro Security settings are enabled. This warning will be
displayed to the user when the document is opened.
For details on this new virus please go to the following NAI web-page:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
Pathology
When the infected document is opened, the virus checks for a
setting in the registry to test if the system has already been infected.
If the system hasn't been infected, the virus creates an entry in the
registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by Kwyjibo"
(If this key exists the email process will not execute, the virus will
still infect. AVERT advises that it not be removed.)
(As a preventive message you can create this registry key to prevent the
virus from launching)
This virus also creates an Outlook object using
Visual Basic instructions and reads the list of members from Outlook Global
Address Book. An email message is created and sent to the first 50
recipients programmatically all the address books, one at a time. The
message is created with the subject "Important Message From - <User Name>"
The message body of text reads "Here is that document you asked for ...
don't show anyone else ;-)". The active infected document is attached and
the email is sent. The most prevalent document being seen is one called
List.DOC, however this is NOT the only document that can be sent or
received. Once the system is infected
all documents that are opened are infected. As any document can be sent, a
user that receives the infected document, who hasn't been infected, can
become infected with this document, and the process will continue. The
virus does have a payload. If the day equals the minute value, and the
infected document is opened this text is inserted at the current cursor
position: " Twenty-two points, plus triple-word-score, plus fifty points
for using all my letters. Game's over. I'm outta here." This virus checks
for low security in Office2000 by checking the value from the registry; if
the value
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is
not null, the virus will disable the "MACRO/SECURITY" menu option.
Otherwise Word97 menu option "TOOLS/MACRO" is disabled.
Comments inside the macro virus include:
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
Cure
For detection and cleaning, use the following combinations ONLY!
VirusScan 3
requires engine 3.2.2 + hourly .DAT
<ftp://ftp.nai.com/pub/antivirus/engine/eng322sp.zip>
<http://www.avertlabs.com/public/datafiles/3xupdates.asp>
VirusScan 4.0.x + 4019 .DAT
http://www.avertlabs.com/public/datafiles/extra_drivers.asp
<http://www.avertlabs.com/public/datafiles/4xupdates.asp>
Toolkit 7 requires engine Special Edition 7.93 + extra.drv
<http://www.avertlabs.com/public/datafiles/7xupdates.asp>
<http://www.avertlabs.com/public/datafiles/extra_drivers.asp>
Bill Samagalsky
Major Accounts Manager
Network Associates Inc.
phone:(905) 479-4189 ext. 223 fax:(905) 479-4540 email:
bill_samagalsky@nai.com
CLEAR TEXT - PGP SIGNED!
"Communicating with the Knowledge and Comfort that...
This message came from...
A TRUSTED SOURCE & ARRIVED IN ITS ORIGINAL FORM."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Liezel Adolfo, Data Engineering Team
Harris Media Systems Ltd, Toronto, Canada
(416) 487-2111 ext. 275 Fax (416) 487-2119
email: liezel@intermedia.ca
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
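Added example (not part of the original message or of NAI's tooling): a mail-gateway style check in Python that tests a message against the subject line, body text and Word attachment described in the alert above. The extension list, function names and sample messages are assumptions constructed for illustration.

```python
"""Added example: match mail against the Melissa indicators quoted in the alert."""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from"             # subject text from the alert
BODY_PHRASE = "here is that document you asked for"   # body text from the alert
WORD_EXTS = (".doc", ".dot")  # assumption: Word document/template extensions

def melissa_indicators(raw):
    """Return which of the alert's indicators appear in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXTS):
            # The alert stresses List.DOC is NOT the only name, so match any Word file.
            hits.add("word_attachment")
        elif part.get_content_type() == "text/plain":
            text = " ".join(part.get_content().split()).lower()
            if BODY_PHRASE in text:
                hits.add("body")
    return hits

def should_quarantine(raw):
    """Hold mail that carries a Word file plus the alert's subject or body text."""
    hits = melissa_indicators(raw)
    return "word_attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "rcpt@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    lure = "Here is that document you asked for ... don't show anyone else ;-)"
    for args in [("Important Message From - Jane Doe", lure, "List.DOC"),
                 ("Important Message From - HR", "Policy update.", None),
                 ("Minutes", "See attached.", "minutes.doc")]:
        print(args[0], "->", should_quarantine(build_sample(*args)))
```

Requiring a Word attachment together with one of the text indicators keeps ordinary document mail and attachment-free messages out of quarantine while still catching copies sent under a file name other than List.DOC.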
This archive was generated by hypermail 2.0b3 on Tue Mar 30 1999 - 05:27:48 MET DST