[Previous Months][Date Index][Thread Index][Join - Register][Login]
[Message Prev][Message Next][Thread Prev][Thread Next]
[IPm] CERT Advisory CA-99.04 - Melissa Macro VIRUS
To: members of the Insulin Pumpers mail lists. We have not yet
detected this virus on our system, but it is only a matter of time.
There is a rapidly spreading macro virus that affects WINDOZE systems
DO NOT OPEN UNKNOWN ATTACHEMENTS
The CERT advisory follows.
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-99-04-Melissa-Macro-Virus
Original issue date: Saturday March 27 1999
Last Revised: Saturday March 27, 1999
* Machines with Microsoft Word 97 or Word 2000
* Any mail handling system could experience performance problems
a denial of service as a result of the propagation of this
At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
receiving reports of a Microsoft Word 97 and Word 2000 macro virus
which is propagating via email attachments. The number and variety
of reports we have received indicate that this is a widespread
attack affecting a variety of sites.
Our analysis of this macro virus indicates that human action (in
the form of a user opening an infected Word document) is required
for this virus to propagate. It is possible that under some mailer
configurations, a user might automatically open an infected
document received in the form of an email attachment. This macro
virus is not known to exploit any new vulnerabilities. While the
primary transport mechanism of this virus is via email, any way of
transferring files can also propagate the virus.
Anti-virus software vendors have called this macro virus the
Melissa macro or W97M_Melissa virus.
The Melissa macro virus propagates in the form of an email message
containing an infected Word document as an attachment. The
transport message has most frequently been reported to contain the
following Subject header
Subject: Important Message From <name>
Where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two
sections. The first section of the message (Content-Type:
text/plain) contains the following text.
Here is that document you asked for ... don't show anyone else
The next section (Content-Type: application/msword) was initially
reported to be a document called "list.doc". This document contains
references to pornographic web sites. As this macro virus spreads
we are likely to see documents with other names. In fact, under
certain conditions the virus may generate attachments with
documents created by the victim.
When a user opens an infected .doc file with Microsoft Word97 or
Word2000, the macro virus is immediately executed if macros are
Upon execution, the virus first lowers the macro security settings
to permit all macros to run when documents are opened in the
future. Therefore, the user will not be notified when the virus is
executed in the future.
The macro then checks to see if the registry key
has a value of "... by Kwyjibo". If that registry key does not
exist or does not have a value of "... by Kwyjibo", the virus
proceeds to propagate itself by sending an email message in the
format described above to the first 50 entries in every MAPI
address book readable by the user executing the macro. Keep in mind
that if any of these email addresses are mailing lists, the message
will be delivered to everyone on the mailing lists. In order to
successfully propagate, the affected machine must have Microsoft
Outlook installed; however, Outlook does not need to be the mailer
used to read the message.
Next, the macro virus sets the value of the registry key to "... by
Kwyjibo". Setting this registry key causes the virus to only
propagate once per session. If the registry key does not persist
through sessions, the virus will propagate as described above once
per every session when a user opens an infected document. If the
registry key persists through sessions, the virus will no longer
attempt to propagate even if the affected user opens an infected
The macro then infects the Normal.dot template file. By default,
all Word documents utilize the Normal.dot template; thus, any newly
created Word document will be infected. Because unpatched versions
of Word97 may trust macros in templates the virus may execute
without warning. For more information please see:
Finally, if the minute of the hour matches the day of the month at
this point, the macro inserts into the current document the message
"Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta here."
Note that if you open an infected document with macros disabled and
look at the list of macros in this document, neither Word97 nor
Word2000 list the macro. The code is actually VBA (Visual Basic for
Applications) code associated with the "document.open" method. You
can see the code by going into the Visual Basic editor.
If you receive one of these messages, keep in mind that the message
came from someone who is affected by this virus and they are not
necessarily targeting you. We encourage you to contact any users
from which you have received such a message. Also, we are
interested in understanding the scope of this activity; therefore,
we would appreciate if you would report any instance of this
activity to us according to our Incident Reporting Guidelines
document available at:
* Users who open an infected document in Word97 or Word2000 with
macros enabled will infect the Normal.dot template causing any
documents referencing this template to be infected with this
macro virus. If the infected document is opened by another
user, the document, including the macro virus, will propagate.
Note that this could cause the user's document to be propagated
instead of the original document, and thereby leak sensitive
* Indirectly, this virus could cause a denial of service on mail
servers. Many large sites have reported performance problems
with their mail servers as a result of the propagation of this
* Block messages with the signature of this virus at your mail
Nick Christenson of sendmail.com provided information about
configuring sendmail to filter out messages that may contain
the Melissa virus. This information is available from the
* Utilize virus scanners
Most virus scanning tools will detect and clean macro viruses.
In order to detect and clean current viruses you must keep your
scanning tools up to date with the latest definition files.
+ McAfee / Network Associates
+ Trend Micro
* Encourage users at your site to disable macros in Microsoft
Notify all of your users of the problem and encourage them to
disable macros in Word. You may also wish to encourage users to
disable macros in any product that contains a macro language as
this sort of problem is not limited to Microsoft Word.
In Word97 you can disable automatic macro execution (click
Tools/Options/General then turn on the 'Macro virus protection'
checkbox). In Word2000 macro execution is controlled by a
security level variable similar to Internet Explorer (click on
Tools/Macro/Security and choose High, Medium, or Low). In that
case, 'High' silently ignores the VBA code, Medium prompts in
the way Word97 does to let you enable or disable the VBA code,
and 'Low' just runs it.
Word2000 supports Authenticode on the VB code. In the 'High'
setting you can specify sites that you trust and code from
those sites will run.
* General protection from Word Macro Viruses
For information about macro viruses in general, we encourage
you to review the document "Free Macro AntiVirus Techniques" by
Chengi Jimmy Kuo which is available at.
We would like to thank Jimmy Kuo of Network Associates, Eric Allman
and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro,
and Jason Garms and Karan Khanna of Microsoft for providing
information used in this advisory.
Additionally we would like to thank the many sites who reported
This document is available from:
CERT/CC Contact Information
Email: email @ redacted
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please
call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from
our web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to email @ redacted and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Insulin-Pumpers website http://www.insulin-pumpers.org/
For subscribe / unsubscribe information,
send the next two lines in a message
to the e-mail address: email @ redacted