Computer underground Digest Tue Mar 30 1999 Volume 11 : Issue 20

Computer underground Digest    Tue  30 Mar, 2099   Volume 11 : Issue 20
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shopping Editor:   Etaion Shrdlu, 3-sticks
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #11.20 (Tue, 30 Mar, 2099)

File 1--Melissa
File 2--CERT's Melissa Advisory
File 3--Microsoft's Melissa Alert
File 4--Dangers of Universal Platforms (ZDNet Excerpt)
File 5--Melissa Creator may be Uncovered (ZDNet Excerpt)
File 6--Cu Digest Header Info (unchanged since 10 Jan, 1999)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
         TO UNSUB, SEE ADMINISTRAVIA IN CONCLUDING FILE

---------------------------------------------------------------------

Date: Sun, 28 Mar 1999 16:59:21 -0800
From: Jean-Bernard Dahmoune 
Subject: File 1--Melissa

SAN FRANCISCO (Reuters) - A virus that spreads a list of pornography sites
via e-mail hit computers over the weekend and threatened havoc Monday as
workers return to offices and begin opening messages sent over the Internet.

The virus, called ``Melissa,'' comes in the form of a document that lists
pornography sites on the World Wide Web.
Computer experts said the virus was aimed at widely used Microsoft
Windows-based e-mail address book software, Outlook and Outlook Express, and
it can send up to 50 additional versions of the e-mail to other users,
threatening a widespread infection of computer systems.
That could create a flood of unwanted e-mails around the Internet as the
program perpetuates itself using pre-programmed ``macros,'' software
embedded in the Windows operating system that sets off complex computer
functions with one command.
``It could grow explosively and shut down e-mail systems as a side effect,''
Eric Allman, co-founder of the Emeryville, Calif.-based Sendmail, a widely
used provider of e-mail services, said in an interview Sunday.
A number of leading software security firms and academic experts posted
warnings about the e-mail threat, including Network Associates, the leading
anti-virus software maker.
``Melissa is widely reported and spreading quickly via mass e-mail, a
function of the viral infection,'' said Network Associates based in Santa
Clara, Calif.
Carnegie Mellon University's Software Engineering Institute issued an
advisory, which said, ``The number and variety of reports we have received
indicate that this is a widespread attack affecting a variety of sites.''
The only damage the virus causes is that it replicates itself and creates a
flood of e-mail, though it apparently does not hurt the computer itself,
experts said.
The real danger is that the virus will overwhelm the server computers that
handle computer messaging systems, which could lead to system shutdowns as
each e-mail multiplies itself 50 times. Already, a wave of the e-mails has
been sent out and awaits office workers Monday morning.
``It's not doing malicious things or removing files or anything like that,''
Allman said. ``I've heard claims that it has been doing more but I haven't
seen any substantial verification of that. It's really more of a wake-up
call, that shows us how you could take a malicious virulent virus and
reproduce it all over the place very quickly.''
Computer experts warned users to be wary of documents sent from any senders
asking them to open up a file for Microsoft Word. That file, in turn, asks
for a prompt asking users whether they want to initiate a ``macro,'' and
requires users to approve its use. Those checkoffs make it relatively easy
to avoid the problem.
Microsoft itself has simply warned users to ``be careful about what runs on
their machine,'' the New York Times reported. Carnegie Mellon said, ``our
analysis indicates that human action (in the form of a user opening an
infected Word document) is required for this virus to activate.''
The virus can be identified, Network Associates said, because it will read
``Important Message From Application.UserName.'' The body of the text reads
``Here is that document you asked for ... don't show anyone else'' and
contains a list of pornographic Web sites.
Melissa creates the following entry in the registry:
HKEY_CURRENT_USER/Software/Microsoft/Office/``Melissa?''
Network Security said that to avoid the risk of contracting the Melissa
virus, ``it is recommended that network administrators and users upgrade
their anti-virus software to include detection and cleaning for
W97M/Melissa.''
Network Security posted information about the virus on the Web site of
its Avert Labs division (), Sendmail also posted
advice on the Melissa problem at  and Carnegie
Mellon posted information on its site as well ().
Computer experts said that if advisories were followed, the problem would
probably not become a widespread worry.
``I suspect we'll see a day or two of extremely high e-mail loads and then
it will just die out, so in some sense this virus is not that critical but
it's one that demonstrates what could happen if a truly malicious virus were
released,'' Sendmail's Allman said. ``The ability to spread something so
broadly is scary.''

------------------------------

Date: Tue, 30 Mar 1999 11:57:12 -0600 (CST)
From: Jim Thomas 
Subject: File 2--CERT's Melissa Advisory

((CuD MODERATORS' NOTE: By now, the Melissa virus is old news.
But, for those who missed it, here is the original CERT
advisory.))

Source:  http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

   The CERT/CC is part of the Software Engineering Institute at Carnegie
   Mellon University

   CERT Coordination Center

CERT Advisory CA-99-04-Melissa-Macro-Virus

   Original issue date: Saturday March 27 1999
   Last Revised: 7:00 PM GMT-5 Monday March 29, 1999

Systems Affected

     * Machines with Microsoft Word 97 or Word 2000
     * Any mail handling system could experience performance problems or
       a denial of service as a result of the propagation of this macro
       virus.

Overview

   At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
   receiving reports of a Microsoft Word 97 and Word 2000 macro virus
   which is propagating via email attachments. The number and variety of
   reports we have received indicate that this is a widespread attack
   affecting a variety of sites.

   Our analysis of this macro virus indicates that human action (in the
   form of a user opening an infected Word document) is required for this
   virus to propagate. It is possible that under some mailer
   configurations, a user might automatically open an infected document
   received in the form of an email attachment. This macro virus is not
   known to exploit any new vulnerabilities. While the primary transport
   mechanism of this virus is via email, any way of transferring files
   can also propagate the virus.

   Anti-virus software vendors have called this macro virus the Melissa
   macro or W97M_Melissa virus.

I. Description

   The Melissa macro virus propagates in the form of an email message
   containing an infected Word document as an attachment. The transport
   message has most frequently been reported to contain the following
   Subject header

Subject-- Important Message From 

   Where  is the full name of the user sending the message.

   The body of the message is a multipart MIME message containing two
   sections. The first section of the message (Content-Type: text/plain)
   contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

   The next section (Content-Type: application/msword) was initially
   reported to be a document called "list.doc". This document contains
   references to pornographic web sites. As this macro virus spreads we
   are likely to see documents with other names. In fact, under certain
   conditions the virus may generate attachments with documents created
   by the victim.

   When a user opens an infected .doc file with Microsoft Word97 or
   Word2000, the macro virus is immediately executed if macros are
   enabled.

   Upon execution, the virus first lowers the macro security settings to
   permit all macros to run when documents are opened in the future.
   Therefore, the user will not be notified when the virus is executed in
   the future.

   The macro then checks to see if the registry key

   "HKEY_Current_User\Software\Microsoft\Office\Melissa?"

   has a value of "... by Kwyjibo". If that registry key does not exist
   or does not have a value of "... by Kwyjibo", the virus proceeds to
   propagate itself by sending an email message in the format described
   above to the first 50 entries in every Microsoft Outlook MAPI address
   book readable by the user executing the macro. Keep in mind that if
   any of these email addresses are mailing lists, the message will be
   delivered to everyone on the mailing lists. In order to successfully
   propagate, the affected machine must have Microsoft Outlook installed;
   however, Outlook does not need to be the mailer used to read the
   message.

   This virus can not send mail on systems running MacOS; however, the
   virus can be stored on MacOS.

   Next, the macro virus sets the value of the registry key to "... by
   Kwyjibo". Setting this registry key causes the virus to only propagate
   once per session. If the registry key does not persist through
   sessions, the virus will propagate as described above once per every
   session when a user opens an infected document. If the registry key
   persists through sessions, the virus will no longer attempt to
   propagate even if the affected user opens an infected document.

   The macro then infects the Normal.dot template file. By default, all
   Word documents utilize the Normal.dot template; thus, any newly
   created Word document will be infected. Because unpatched versions of
   Word97 may trust macros in templates the virus may execute without
   warning. For more information please see:

   http://www.microsoft.com/security/bulletins/ms99-002.asp

   Finally, if the minute of the hour matches the day of the month at
   this point, the macro inserts into the current document the message
   "Twenty-two points, plus triple-word-score, plus fifty points for
   using all my letters. Game's over. I'm outta here."

   Note that if you open an infected document with macros disabled and
   look at the list of macros in this document, neither Word97 nor
   Word2000 list the macro. The code is actually VBA (Visual Basic for
   Applications) code associated with the "document.open" method. You can
   see the code by going into the Visual Basic editor.

   If you receive one of these messages, keep in mind that the message
   came from someone who is affected by this virus and they are not
   necessarily targeting you. We encourage you to contact any users from
   which you have received such a message. Also, we are interested in
   understanding the scope of this activity; therefore, we would
   appreciate if you would report any instance of this activity to us
   according to our Incident Reporting Guidelines document available at:

   http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

     * Users who open an infected document in Word97 or Word2000 with
       macros enabled will infect the Normal.dot template causing any
       documents referencing this template to be infected with this macro
       virus. If the infected document is opened by another user, the
       document, including the macro virus, will propagate. Note that
       this could cause the user's document to be propagated instead of
       the original document, and thereby leak sensitive information.
     * Indirectly, this virus could cause a denial of service on mail
       servers. Many large sites have reported performance problems with
       their mail servers as a result of the propagation of this virus.

III. Solutions

     * Block messages with the signature of this virus at your mail
       transfer agents or other central point of control.
          + With Sendmail
            Nick Christenson of sendmail.com provided information about
            configuring sendmail to filter out messages that may contain
            the Melissa virus. This information is available from the
            following URL:
            http://www.sendmail.com/blockmelissa.html
          + With John Hardin's Procmail security filter package
            More information is available from:
            ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
          + With Innosoft's PMDF
            More information is available from:
            http://www.innosoft.com/iii/pmdf/virus-word-emergency.html
     * Utilize virus scanners
       Most virus scanning tools will detect and clean macro viruses. In
       order to detect and clean current viruses you must keep your
       scanning tools up to date with the latest definition files.
          + Computer Associates
            Virus signature versions that detect and cure Melissa virus.

            Windows NT 3.x & 4.x        4.19d
            Windows 95                  4.19e
            Windows 98                  4.19e
            Windows 3.1                 4.19e
            Netware 3.x, 4.x & 5.0      4.19e

            Any of the above virus signatures files can be downloaded at:
            http://www.support.cai.com
          + McAfee / Network Associates
            http://vil.mcafee.com/vil/vm10118.asp
            http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
          + Sophos
            http://www.sophos.com/downloads/ide/index.html#melissa
          + Symantec
            http://www.symantec.com/avcenter/venc/data/mailissa.html
          + Trend Micro
            http://housecall.antivirus.com/smex_housecall/technotes.html
     * Encourage users at your site to disable macros in Microsoft Word
       Notify all of your users of the problem and encourage them to
       disable macros in Word. You may also wish to encourage users to
       disable macros in any product that contains a macro language as
       this sort of problem is not limited to Microsoft Word.
       In Word97 you can disable automatic macro execution (click
       Tools/Options/General then turn on the 'Macro virus protection'
       checkbox). In Word2000 macro execution is controlled by a security
       level variable similar to Internet Explorer (click on
       Tools/Macro/Security and choose High, Medium, or Low). In that
       case, 'High' silently ignores the VBA code, Medium prompts in the
       way Word97 does to let you enable or disable the VBA code, and
       'Low' just runs it.
       Word2000 supports Authenticode on the VB code. In the 'High'
       setting you can specify sites that you trust and code from those
       sites will run.
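
The advisory's advice to block messages carrying this virus's signature at a central point can be sketched as a mail-gateway check. The following is an added example, not code from CERT, CuD, or any of the vendors listed above; the function names, the three-way verdict policy, and the sample messages are assumptions made for illustration.

```python
"""Flag mail matching the Melissa transport format described in the advisory."""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the advisory, lower-cased for comparison.
SUBJECT_PREFIX = "important message from "
BODY_MARKER = "here is that document you asked for ... don't show anyone else"


def norm(text):
    """Lower-case and collapse whitespace so header folding or re-wrapping
    by intermediate mailers does not defeat the comparison."""
    return " ".join(text.lower().split())


def melissa_indicators(raw_bytes):
    """Return the set of advisory indicators present in one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    if norm(str(msg.get("Subject", ""))).startswith(SUBJECT_PREFIX):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        # The advisory warns the attachment name will vary, so match on the
        # MIME type or a Word extension rather than on "list.doc".
        if ctype == "application/msword" or filename.endswith((".doc", ".dot")):
            hits.add("word_attachment")
        elif ctype == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if BODY_MARKER in norm(payload.decode("latin-1")):
                hits.add("body")
    return hits


def verdict(raw_bytes):
    """Assumed policy: a Word attachment plus either text indicator is
    quarantined; a text indicator alone is held for review."""
    hits = melissa_indicators(raw_bytes)
    text_hits = hits & {"subject", "body"}
    if "word_attachment" in hits and text_hits:
        return "quarantine"
    return "review" if text_hits else "deliver"


def constructed_samples():
    """Constructed test messages; the attachment bytes are a placeholder."""
    def build(subject, body, attachment=None):
        m = EmailMessage()
        m["From"] = "sender@example.com"
        m["To"] = "rcpt@example.com"
        m["Subject"] = subject
        m.set_content(body)
        if attachment:
            m.add_attachment(b"constructed placeholder, not a real document",
                             maintype="application", subtype="msword",
                             filename=attachment)
        return m.as_bytes()

    marker = "Here is that document you asked for ... don't show anyone else ;-)"
    return {
        "classic": build("Important Message From A. User", marker, "list.doc"),
        "renamed": build("Re: minutes", marker, "minutes.doc"),
        "subject_only": build("Important Message From Payroll", "See you at 3."),
        "ordinary_doc": build("Quarterly report", "Report attached.", "q1.doc"),
    }


if __name__ == "__main__":
    for name, raw in constructed_samples().items():
        print(name, sorted(melissa_indicators(raw)), verdict(raw))
```

Matching on text indicators alone would hold legitimate mail that happens to use the same subject wording, which is why the assumed policy only quarantines when a Word attachment is also present.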

------------------------------

Date: Tue, 30 Mar 1999 12:01:05 -0600 (CST)
From: Jim Thomas 
Subject: File 3--Microsoft's Melissa Alert

((CuD MODERATORS' NOTE: Thanks to the readers who sent over
the following update on Melissa from Microsoft)):

Source: http://officeupdate.microsoft.com/articles/macroalert.htm

Word Macro Virus Alert

   On Friday March 26th, Microsoft was made aware of a Word macro virus
   (dubbed "Melissa") that has affected a number of users and companies.
   As with all security issues we take this very seriously, and because
   of the widespread nature of this particular virus, Microsoft is taking
   steps to proactively notify our customers to help minimize its impact.
   By taking the necessary precautions you can ensure it does not affect
   you.

Who can the virus affect?

   This virus can affect people who are using Word 97 or Word 2000 with
   Outlook 97, 98 or 2000. If you do not use this software, this
   particular virus does not affect you.

What is the "Melissa" Macro Virus?

   It is a Word 97/2000 macro virus delivered via email in an attached
   Word document. The email contains the subject line "Important Message
   From "UserName" and/or contains the message body "Here is that
   document you asked for ... don't show anyone else ;-)". If the
   attached Word document is opened and the macro virus is enabled (i.e.
   it is allowed to run), it can propagate itself by sending email with
   the infected document to a number of recipients. The virus reads the
   list of members from Outlook's Global Address Book and sends an email
   message to the first 50 recipients programmatically, one at a time.

   The name of the original infected Word document is List.doc, but this
   could be changed to any name. This virus does not appear to destroy
   data, however if enabled it can have a payload. If the current day of
   the month equals the minute value of the current time, and the
   infected document is opened this text is inserted at the current
   cursor position:

   "Twenty-two points, plus triple-word-score, plus fifty points for
   using all my letters. Game's over. I'm outta here."

Will Office 97/Office 2000 protect me from this and other macro viruses?

   Yes. Word 97 and Word 2000 will protect you from macro viruses
   including this one, provided the macro virus protection is turned on
   (this is the default setting). With the macro virus protection turned
   on, every time you receive a Word document that contains macros, a
   dialog box opens and allows you to choose whether to enable the
   macros. You should always disable macros when you are not certain of
   their purpose or functionality. By choosing to disable the macros, you
   will prevent this and any macro virus from running, rendering them
   harmless. The virus is only activated if you open the attached Word
   document and choose to enable the macros or if your macro virus
   protection settings have been turned off.

How do I ensure the Office macro virus protection is turned on?

   In Word 97
    1. On the Tools menu, click Options.
    2. On the General tab, check Macro Virus Protection.

   In Word 2000
    1. Double-click on the Tools menu, point to Macro and then choose
       Security.
    2. Select the level of security you want. High security will allow
       only macros that have been signed to open. Unsigned macros will be
       automatically disabled. Medium security always brings up the macro
       dialog protection box that allows you to disable macros if you are
       unsure of the macros.

   IMPORTANT NOTE: If you are not able to follow the steps above because
   you cannot find the menu items, it will be necessary to delete your
   normal.dot file. This is Word's global template that will
   automatically be recreated once Word is launched. After this is done,
   repeat the steps above. Please remember to back up your personal
   macros if you store them in your normal.dot.

How do I ensure I will not be Infected?

     * Ensure the Office macro virus protection is turned on as described
       above. Always choose "disable macros" when asked, if you are
       unsure of the purpose of the macro in the document. Doing so will
       still allow you to open the document and read its contents. Once
       certain the macro is safe, you can then re-open the document and
       enable the macro.
     * Run the latest anti-virus software, and scan often. This is how
       you can ensure that the macros in documents are safe. Disinfectors
       for this particular virus are already available from a number of
       anti-virus companies. Also remember to keep your anti-virus
       software up to date by installing the latest signature files for
       that company. (Most companies creating anti-virus applications
       release a new signature file each month. The following Knowledge
       Base article lists some popular vendors
       http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
     * Communicate this information to all those who could become
       infected.

What should I do if I have (or think I have) been infected by this virus?

     * Run anti-virus software containing the latest update, and scan
       your system often. Support for this particular virus is already
       available from a number of anti-virus companies. The following
       Knowledge Base article lists some popular vendors
       http://support.microsoft.com/support/kb/articles/Q49/5/00.asp.
     * Ensure your Office virus protection is turned on. It is possible
       that once the virus has been allowed to run, it can disable the
       virus protection in Word 97 or Word 2000. Remember to make sure
       Office macro virus protection is turned on by performing the steps
       listed above.

What if I have more questions on Macro Viruses?

   Visit the Microsoft anti-virus website to learn more about macro
   viruses.

------------------------------

Date: Tue, 30 Mar 1999 14:39:21 -0600 (CST)
From: Jim Thomas 
Subject: File 4--Dangers of Universal Platforms (ZDNet Excerpt)

((CuD MODERATORS' NOTE: Melissa is generating debate about the
dangers of universal platforms and their potential vulnerability
to destructive epidemics. Peter Coffee's full article is worth
reading.))

Source: Ziff-Davis
         http://www.zdnet.com/zdnn/stories/comment/0,5859,2233128,00.htm

   We shouldn't be surprised

   By Peter Coffee, PC Week Online

   March 27, 1999 4:40 PM PT

   Microsoft Office is a new breed of enterprise platform, enabling a
   high degree of inter-application communication (IAC) and permitting
   extensive customization. These are strengths in the hands of
   responsible users and disciplined programmers, but they become grave
   risks on public networks exchanging content among untrusted sources.

   The Melissa virus demonstrates Office's risks, and serves as a
   warning to enterprise IT architects and users that there's no such
   thing as a convenience without a cost.

((snip))

------------------------------

Date: Tue, 30 Mar 1999 14:41:54 -0600 (CST)
From: Jim Thomas 
Subject: File 5--Melissa Creator may be Uncovered (ZDNet Excerpt)

Source: ZDNet
http://www.zdnet.com/zdnn/stories/news/0,4586,2233931,00.html

   Melissa creator may be uncovered

   Thanks to a controversial serial ID number, researchers seem to have
   found the virus writer.
   By Robert Lemos, ZDNN
   March 29, 1999 5:49 PM PT

   Two software engineers have extracted information from the Melissa
   virus that appears to lead to an account on America Online Inc. and a
   Web site that, if matched with a person, could lead law enforcement
   officials to the author of the prolific virus.

   The key is a controversial serial number, called the Global
   Unique Identifier or GUID, which is included in files created with
   Microsoft Corp.'s (Nasdaq:MSFT) Office, as well as some other
   applications, including Visual Basic. The serial number raised the
   concern of privacy advocates just a few weeks ago for its ability to
   be used to trace certain documents back to their creator.

((snip))

------------------------------

Date: Sun, 10 Jan 1999 22:51:01 CST
From: CuD Moderators 
Subject: File 6--Cu Digest Header Info (unchanged since 10 Jan, 1999)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

The mailing list is automated, so no human lies at the other end.

CuD is readily accessible from the Net:
  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #11.20
************************************

Page maintained by: Jim Thomas - cudigest@sun.soci.niu.edu