Re: Melissa Macro Virus

From: Rodefeld, Sonja (Sonja.Rodefeldat_private)
Date: Wed Mar 31 1999 - 07:18:21 PST

Next message: Roman Drahtmueller: "Re: Bug in xfs"

Previous message: Alan Cox: "Re: Bug in xfs"
Maybe in reply to: Aleph One: "Melissa Macro Virus"
Next in thread: Dimitry Andric: "Re: Melissa Macro Virus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>From my research on Melissa, in a nutshell,  (although not totally
exhaustive by any  means and please correct me if I am wrong), Melissa
infects normal.dot with the macro.  The macro also disables the ability to
view that the virus macro is present in the .dot file.  Once normal.dot is
infected by the original virus document (by whatever name - list.doc,
iminfected.doc), and a new document is CREATED using that template (not
OPENED) is now infected.  And once this "new" document is opened by an
"outlook" person the whole thing starts all over with the new document being
sent out...  If a document is OPENED and was created using an uninfected
"normal.dot" than it is "OK". I have seen instances where list.doc started
it and then it changed over to send out other documents.

The only problem I see with making normal.dot to read-only is that in many
cases users DO need to make changes to the norml.dot.  So it then becomes a
functionality issue which must be balanced against security.  I have in the
past made changes to normal.dot because of repetitiveness in my ocuments
(headings, footers, etc..). But I could also work around this by creating a
completely new template under a different name) to work off of and thus
never have to change the normal.dot template.


-----Original Message-----
From: Brett Glass [mailto:brettat_private]
Sent: Wednesday, March 31, 1999 12:30 AM
To: BUGTRAQat_private
Subject: Re: Melissa Macro Virus


Melissa doesn't just infect NORMAL.DOT. It also infects anything you open
after you've opened the infected document. Read the code....

--Brett

At 02:10 PM 3/30/99 +0200, Bronek Kozicki wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>There is another kind of protection (and I used it sucesfully in my network
>for last few months). Just set NORMAL.DOT read only attribute. When exiting
>Word user will be warned with message "unable to save modified Normal.dot"
-
>he/she then comes to support, and then we know that we have problem. Of
>course - normal.dot is placed in user's profile. This is pretty simple kind
>of protection against macro-viruses in Word.
>
>
>Bronek Kozicki
>
>- --------------------------------------------------
>ICQ UID: 25404796            PGP KeyID: 0x4A30FA9A
>07EE 10E6 978C 6B33 5208  094E BD61 9067 4A30 FA9A

Next message: Roman Drahtmueller: "Re: Bug in xfs"
Previous message: Alan Cox: "Re: Bug in xfs"
Maybe in reply to: Aleph One: "Melissa Macro Virus"
Next in thread: Dimitry Andric: "Re: Melissa Macro Virus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:08 PDT