>From my research on Melissa, in a nutshell, (although not totally exhaustive by any means and please correct me if I am wrong), Melissa infects normal.dot with the macro. The macro also disables the ability to view that the virus macro is present in the .dot file. Once normal.dot is infected by the original virus document (by whatever name - list.doc, iminfected.doc), and a new document is CREATED using that template (not OPENED) is now infected. And once this "new" document is opened by an "outlook" person the whole thing starts all over with the new document being sent out... If a document is OPENED and was created using an uninfected "normal.dot" than it is "OK". I have seen instances where list.doc started it and then it changed over to send out other documents. The only problem I see with making normal.dot to read-only is that in many cases users DO need to make changes to the norml.dot. So it then becomes a functionality issue which must be balanced against security. I have in the past made changes to normal.dot because of repetitiveness in my ocuments (headings, footers, etc..). But I could also work around this by creating a completely new template under a different name) to work off of and thus never have to change the normal.dot template. -----Original Message----- From: Brett Glass [mailto:brettat_private] Sent: Wednesday, March 31, 1999 12:30 AM To: BUGTRAQat_private Subject: Re: Melissa Macro Virus Melissa doesn't just infect NORMAL.DOT. It also infects anything you open after you've opened the infected document. Read the code.... --Brett At 02:10 PM 3/30/99 +0200, Bronek Kozicki wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >There is another kind of protection (and I used it sucesfully in my network >for last few months). Just set NORMAL.DOT read only attribute. When exiting >Word user will be warned with message "unable to save modified Normal.dot" - >he/she then comes to support, and then we know that we have problem. Of >course - normal.dot is placed in user's profile. This is pretty simple kind >of protection against macro-viruses in Word. > > >Bronek Kozicki > >- -------------------------------------------------- >ICQ UID: 25404796 PGP KeyID: 0x4A30FA9A >07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:08 PDT