[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[linux-team] FW: CERT Advisory CA-99.04 - Melissa Macro Virus
Pour ceux qui veulent avoir des details sur le virus Melissa ... voici une
description detaillee.
De toute facon, cela ne s'attaque qu'aux utilisateurs d'Outlook ou Exchange
qui utilisent Word97 (ou 2000) comme editeur. Cela ne devrait pas trop
affecter les utilisateurs de Linux quoi ;-)
PS: J'ai lu sur Slashdot que la police Americaine avait arrete un suspect
(habitant du New Jersey).
Olivier
----------
From: CERT Advisory [SMTP:cert-advisory@cert.org]
<mailto:[SMTP:cert-advisory@cert.org]>
Sent: Saturday, 27 Mar, 1999 13:05
To: cert-advisory@coal.cert.org <mailto:cert-advisory@coal.cert.org>
Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-99-04-Melissa-Macro-Virus
Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999
Systems Affected
* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems or a
denial of service as a result of the propagation of this macro virus.
Overview
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we
began receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety of
reports we have received indicate that this is a widespread attack affecting
a variety of sites.
Our analysis of this macro virus indicates that human action
(in the form of a user opening an infected Word document) is required for
this virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not known
to exploit any new vulnerabilities. While the primary transport mechanism of
this virus is via email, any way of transferring files can also propagate
the virus.
Anti-virus software vendors have called this macro virus the
Melissa macro or W97M_Melissa virus.
I. Description
The Melissa macro virus propagates in the form of an
email message
containing an infected Word document as an
attachment. The transport
message has most frequently been reported to contain
the following
Subject header
Subject: Important Message From <name>
Where <name> is the full name of the user sending the
message.
The body of the message is a multipart MIME message
containing two sections. The first section of the message (Content-Type:
text/plain) contains the following text.
Here is that document you asked for ... don't show anyone
else ;-)
The next section (Content-Type: application/msword)
was initially
reported to be a document called "list.doc". This
document contains
references to pornographic web sites. As this macro
virus spreads we
are likely to see documents with other names. In
fact, under certain
conditions the virus may generate attachments with
documents created
by the victim.
When a user opens an infected .doc file with Microsoft
Word97 or Word2000, the macro virus is immediately executed if macros are
enabled.
Upon execution, the virus first lowers the macro security
settings to permit all macros to run when documents are opened in the
future. Therefore, the user will not be notified when the virus is executed
in the future.
The macro then checks to see if the registry key
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo". If that registry key does
not exist or does not have a value of "... by Kwyjibo", the virus proceeds
to propagate itself by sending an email message in the format described
above to the first 50 entries in every MAPI address book readable by the
user executing the macro. Keep in mind that if any of these email addresses
are mailing lists, the message will be delivered to everyone on the mailing
lists. In order to successfully propagate, the affected machine must have
Microsoft Outlook installed; however, Outlook does not need to be the mailer
used to read the message.
Next, the macro virus sets the value of the registry key to
"... by Kwyjibo". Setting this registry key causes the virus to only
propagate once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per every session
when a user opens an infected document. If the registry key persists through
sessions, the virus will no longer attempt to propagate even if the affected
user opens an infected document.
The macro then infects the Normal.dot template file. By
default, all Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of Word97
may trust macros in templates the virus may execute without warning. For
more information please see:
http://www.microsoft.com/security/bulletins/ms99-002.asp
<http://www.microsoft.com/security/bulletins/ms99-002.asp>
Finally, if the minute of the hour matches the day of the
month at this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for using all
my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros
disabled and look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can see
the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the
message came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from which
you have received such a message. Also, we are interested in understanding
the scope of this activity; therefore, we would appreciate if you would
report any instance of this activity to us according to our Incident
Reporting Guidelines document available at:
http://www.cert.org/tech_tips/incident_reporting.html
<http://www.cert.org/tech_tips/incident_reporting.html>
II. Impact
* Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any documents
referencing this template to be infected with this macro virus. If the
infected document is opened by another user, the document, including the
macro virus, will propagate. Note that this could cause the user's document
to be propagated instead of the original document, and thereby leak
sensitive information.
* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems with their mail
servers as a result of the propagation of this virus.
III. Solutions
* Block messages with the signature of this virus at your mail
transfer agents.
With Sendmail
Nick Christenson of sendmail.com provided
information about configuring sendmail to filter out messages that may
contain the Melissa virus. This information is available from the follow
URL:
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m
<ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m>
elissa-filter.txt
* Utilize virus scanners
Most virus scanning tools will detect and clean macro
viruses. In order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.
* McAfee / Network Associates
http://vil.mcafee.com/vil/vm10120.asp
<http://vil.mcafee.com/vil/vm10120.asp>
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
<http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp>
* Symantec
http://www.symantec.com/avcenter/venc/data/mailissa.html
<http://www.symantec.com/avcenter/venc/data/mailissa.html>
* Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html
<http://housecall.antivirus.com/smex_housecall/technotes.html>
* Encourage users at your site to disable macros in Microsoft Word
Notify all of your users of the problem and
encourage them to disable macros in Word. You may also wish to encourage
users to disable macros in any product that contains a macro language as
this sort of problem is not limited to Microsoft Word.
In Word97 you can disable automatic macro execution
(click Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a security level
variable similar to Internet Explorer (click on Tools/Macro/Security and
choose High, Medium, or Low). In that case, 'High' silently ignores the VBA
code, Medium prompts in the way Word97 does to let you enable or disable the
VBA code, and 'Low' just runs it.
Word2000 supports Authenticode on the VB code. In
the 'High' setting you can specify sites that you trust and code from those
sites will run.
* General protection from Word Macro Viruses
For information about macro viruses in general, we
encourage you to review the document "Free Macro AntiVirus Techniques" by
Chengi Jimmy Kuo which is available at.
http://www.nai.com/services/support/vr/free.asp
<http://www.nai.com/services/support/vr/free.asp>
Acknowledgements
We would like to thank Jimmy Kuo of Network Associates, Eric
Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro,
and Jason Garms and Karan Khanna of Microsoft for providing information used
in this advisory.
Additionally we would like to thank the many sites who
reported this activity.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
<http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html> .
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org <mailto:cert@cert.org>
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies during
other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent
by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key <http://www.cert.org/CERT_PGP.key> . If
you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are
available from our web site http://www.cert.org/ <http://www.cert.org/> .
To be added to our mailing list for advisories and
bulletins, send email to cert-advisory-request@cert.org
<mailto:cert-advisory-request@cert.org> and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information
can be found in http://www.cert.org/legal_stuff.html
<http://www.cert.org/legal_stuff.html> .
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of fitness
for a particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
______________________________________________________________________
Revision History
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
ªBH
-----END PGP SIGNATURE-----
---------
This message was sent by Majordomo 1.94.3. Please repport problems to
manu@rtfm.be. If you want to be deleted from the list, send a mail to
majordomo@rtfm.be with "unsubscribe linux-team" in the body.