Re: Melissa Macro Virus

From: Jim Reavis (jreavisat_private)
Date: Fri Mar 26 1999 - 20:20:13 PST


    The one thing I would like to add is that the virus code actually walks
    through every available address list and grabs 50 recipients off of each for
    a separate message, so if your Outlook client is attached to an Exchange
    Server, it will hit the Global Address List and other available containers,
    where it may find large distribution lists.
    
    I will shortly have my analysis up at http://securityportal.com/
    
    Jim Reavis
    SecurityPortal.com - The focal point for security on the Net
    jreavisat_private
    
    		-----Original Message-----
    		From:	Kuo, Jimmy [mailto:Jimmy_Kuoat_private]
    		Sent:	Friday, March 26, 1999 7:01 PM
    		To:	BUGTRAQat_private
    		Subject:	Re: Melissa Macro Virus
    
    		Nate Lawson does a wonderful writeup to which I will make minor
    		clarifications:
    		>Here is my analysis of how the virus works.  The McAfee article aleph1
    		>posted neglects to mention that it infects the active document and
    		>Normal.dot
    
    		[Hide face]
    		In all the clamor over the spreading aspect, we forgot to tell people that
    		it's a normal macro virus in all other means.  And that if you don't have
    		Outlook, breathe calm.  But if you do have Outlook, WATCH OUT!
    
    		"infects the active document" is redundant.  It's infected.  That's what
    		starts this.
    
    		>1.  Check for Word security controls and disable them:
    		>    Word 2000
    		>        Macro.Security... = FALSE
    		>    Word 97
    		>        Options.ConfirmConversions = 0
    		>        Options.VirusProtection = 0
    		>        Options.SaveNormalPrompt = 0
    
    		>2.  See if machine is already infected
    		>    Check HKCU\Software\Microsoft\Office\Melissa? for the string "... by
    		>Kwyjibo"
    
    		>3.  If it wasn't already infected, go through the Outlook addressbook and
    		>send mail to the first 50 names
    
    		First 50 names of every addressbook.
    
    		And the kicker?  Look at the first 50 names in your address books?  How many
    		mailing lists are there?
    
    		>    Subject: Important Message From <Full Name>
    		>    Body:  Here is that document you asked for... don't show anyone else
    		>;-)
    
    		>    Attachment:  itself, named "list.doc"
    
    		This time.  We have discovered that it was posted to alt.sex in a file named
    		LIST.ZIP.
    
    		>    After sending the mail, add the registry key to disable further
    		>infection.
    
    		Disables future mailings.  Infections can happen again.  But the email blast
    		will happen only the first time, unless you clean the registry.  So we
    		recommend that you do not remove that element of the registry.
    
    		>4.  Open the Active Document and Normal.dot and infect them with itself
    
    		>5.  On the way out, check if the current day equals the current minute.
    		>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
    		>for using all my letters.  Game's over.  I'm outta here."
    
    		>It does not appear to do anything malicious other than shutting down your
    		>mail server with tons of mail as users start opening the attachment.  It
    		>appears the virus vendors have a patch out now.  To avoid infection,
    		>disable macros when opening any Word document or just don't open the
    		>attachment.  Thanks to Josh Siegel for sending me the code.
    
    		Good ideas.
    
    		Jimmy Kuo
    		Director, AV Research, Network Associates
    		(or as he says, McAfee)
    		jkuoat_private
    
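A defender-side check suggested by the write-up above, added here as an example and not code from this thread: it scans extracted VBA macro source line by line for the tells Nate Lawson and Jimmy Kuo describe (the Word protection options being zeroed, the "Kwyjibo" registry marker, the lure subject/body/attachment strings, and Normal.dot access) and reports which were hit. The regex set, the severity labels and both VBA samples are my own constructions; NormalTemplate is Word's VBA name for Normal.dot.

```python
import re

# Line-level indicators distilled from the behaviour described in the thread.
# The regex set and the labels are assumptions made for this example.
INDICATORS = {
    "disables_word_protection": re.compile(
        r"Options\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)\s*=\s*0"
        r"|Macro\.Security", re.I),
    "melissa_registry_marker": re.compile(r"Kwyjibo|Office\\Melissa\?", re.I),
    "melissa_lure_strings": re.compile(
        r"Important Message From|Here is that document you asked for|list\.doc", re.I),
    "touches_normal_template": re.compile(r"NormalTemplate|Normal\.dot", re.I),
}

def scan_vba(source: str) -> dict:
    """Return {indicator_name: [line numbers]} for every indicator found."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def classify(hits: dict) -> str:
    """Severity: Melissa-specific strings outrank generic protection tampering."""
    if "melissa_registry_marker" in hits or "melissa_lure_strings" in hits:
        return "melissa-indicators"
    if "disables_word_protection" in hits:
        return "suspicious"
    return "clean"

# Constructed sample: only the tell-tale lines from the write-up, no mailing code.
SUSPECT = r"""Sub AutoOpen()
    ' constructed sample for the scanner
    Options.VirusProtection = 0
    Options.SaveNormalPrompt = 0
    marker = "HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?"
    subj = "Important Message From " & Application.UserName
    Set tpl = NormalTemplate
End Sub
"""

# Constructed sample of an ordinary document macro, expected to come back clean.
BENIGN = """Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
"""
```

Run `classify(scan_vba(text))` over the VBA text pulled from a suspect document; the line numbers in the hit map point at the offending statements.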



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:35 PDT