Publications Catalog |
|
CERT® Advisory CA-1999-04 Melissa Macro VirusOriginal issue date: March 27, 1999Last revised: March 31, 1999 A complete revision history is at the end of this file. Systems Affected
OverviewAt approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites. Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus. Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus. In addition to this advisory, please see the Melissa Virus FAQ (Frequently Asked Questions) document available at:
I. DescriptionThe Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header
Subject: Important Message From <name> Where <name> is the full name of the user sending the message. The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.
Here is that document you asked for ... don't show anyone else ;-) The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim. When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled. Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future. The macro then checks to see if the registry key
has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message. This virus can not send mail on systems running MacOS; however, the virus can be stored on MacOS. Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document. The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see:
Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor. If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:
II. Impact
III. Solutions
Additional Information
AcknowledgementsWe would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, Jason Garms and Karan Khanna of Microsoft, Ned Freed of Innosoft, and John Hardin for providing information used in this advisory. Additionally we would like to thank the many sites who reported this activity. This document is available from: www.cert.org/advisories/CA-1999-04.html CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryptionWe strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information. Getting security informationCERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY Conditions for use, disclaimers, and sponsorship information
Copyright 1999 Carnegie Mellon University. Revision History March 28, 1999: Changed the reference to the sendmail patches from ftp.cert.org to www.sendmail.com. Added information for Innosoft, Sophos, and John Hardin's procmail filter kit. March 29, 1999: Formatting changes March 29, 1999: Added information for Computer Associates March 29, 1999: Fixed a broken link March 29, 1999: Added a link to information at Microsoft, added a link to information about Happy99.exe, added information about MacOS, and clairfied that only MS Outlook MAPI address books are involved. March 31, 1999: Added links to the Melissa FAQ |