
Wednesday, September 10, 2008

Melissa Virus


Melissa is a standard Word 97 Class-style infector. The first time an infected document is opened on a given machine, the virus receives control via the standard Document_Open() macro.

To begin, it attempts to deactivate macro security. It checks for the value Level in the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security. If this value is found, Melissa assumes that it is running inside Word 2000: it disables the Security option on the Macro menu (which causes that option to appear greyed out on the menu), and then resets the Level value mentioned above to 1.

If the Level value is not found, Melissa assumes that it is running under Word 97. It greys out the Macro option on the Tools menu and disables format-conversion warnings, Word's own virus protection and the prompt to save the global template. Instead of setting these options to False or 0, it sets them to (1 - 1) in an attempt to fool macro heuristics. Following this initial work, Melissa moves on to trigger the payload.

Infection

The virus copies itself from the source document to the destination using the InsertLines method on a CodeModule object. It takes care to change the first line of the macro according to whether it is copying itself into the global template from a document, or into a document from the global template. This is necessary because the macro has two different names: in a document it is called Document_Open(), and in the global template it is called Document_Close().

Melissa also has a little-noticed side effect: it overwrites the first item in the collection of documents and global templates that it infects. For most documents this will not be an issue, of course; for global templates, however, it can be a problem.
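The behaviours described so far (security-option tampering written as (1 - 1), the Security registry key, replication through CodeModule.InsertLines) and the Outlook automation described later under 'That Other Payload' are exactly what a static triage scanner for extracted VBA source should key on. The following scanner is an added example, not code from the original article or from any vendor product. The Options property names VirusProtection, ConfirmConversions and SaveNormalPrompt are the Word object-model settings behind the protections the text says the virus turns off; every other indicator comes from this page. Both macro sources are constructed for the example, and the second one lists indicator lines only and is not a working macro.

```python
import re
from dataclasses import dataclass, field

# Entry points Word runs on its own; Melissa uses Document_Open in a document
# and Document_Close in the global template.
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(?:Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Word object-model settings behind the protections the write-up says the
# virus disables: virus protection, conversion warnings, save-Normal prompt.
SECURITY_OPTIONS = ("VirusProtection", "ConfirmConversions", "SaveNormalPrompt")
OPTION_ASSIGN = re.compile(
    r"\bOptions\.(" + "|".join(SECURITY_OPTIONS) + r")\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)
# "False" written as arithmetic on two equal literals, e.g. (1 - 1): the trick
# the text describes for fooling heuristics that look for "= 0" or "= False".
ARITHMETIC_FALSE = re.compile(r"^\(?\s*(\d+)\s*-\s*\1\s*\)?$")

# (regex, weight, description) for the remaining behaviours in the write-up.
INDICATORS = [
    (r"Word\\Security", 3, "references the Word macro-security registry key"),
    (r"\bCommandBars\b.*\bEnabled\s*=", 2, "toggles a menu item (greying out Tools/Macro)"),
    (r"\bCodeModule\b|\bInsertLines\b", 4, "writes VBA source into another module (replication)"),
    (r"CreateObject\s*\(\s*\"Outlook\.Application\"", 3, "automates Outlook"),
    (r"GetNameSpace\s*\(\s*\"MAPI\"", 2, "opens a MAPI session"),
    (r"\bAddressLists\b", 2, "enumerates address books"),
    (r"\bAttachments\.Add\b", 2, "attaches a file to an outgoing message"),
    (r"\.Send\b", 2, "sends mail without user interaction"),
    (r"On Error Resume Next", 1, "suppresses run-time errors"),
    (r"Melissa\?|by Kwyjibo", 5, "Melissa marker string"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), w, d) for p, w, d in INDICATORS]


@dataclass
class Report:
    autoexec: bool
    score: int = 0
    hits: list = field(default_factory=list)  # (line number, weight, description)

    @property
    def verdict(self) -> str:
        if self.autoexec and self.score >= 8:
            return "suspicious"  # runs on open/close and tampers or mails
        if self.score >= 4:
            return "review"
        return "clean"


def is_arithmetic_false(expr: str) -> bool:
    """True for obfuscated zeros such as '(1 - 1)' or '7 - 7'."""
    return ARITHMETIC_FALSE.match(expr.strip()) is not None


def scan_vba(source: str) -> Report:
    """Score one VBA module against the behaviours described for Melissa."""
    report = Report(autoexec=bool(AUTOEXEC.search(source)))
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        m = OPTION_ASSIGN.search(stripped)
        if m:
            prop, rhs = m.group(1), m.group(2)
            weight, note = 3, "disables Options.%s" % prop
            if is_arithmetic_false(rhs):
                # the literal is not 0/False, so a naive "= 0" check would miss it
                weight, note = 5, note + " via arithmetic literal %s (heuristic evasion)" % rhs
            report.hits.append((lineno, weight, note))
            report.score += weight
        for pattern, weight, desc in COMPILED:
            if pattern.search(stripped):
                report.hits.append((lineno, weight, desc))
                report.score += weight
    return report


# Constructed benign macro: auto-runs, but neither tampers nor mails.
BENIGN = """\
Private Sub Document_Open()
    ' stamp a draft marker into the first header
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft"
End Sub
"""

# Constructed triage sample modelled on the text above: indicator lines only,
# not a working macro (no mail item is created, no module is resolved).
SUSPICIOUS = r"""
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = (1 - 1)
    Options.ConfirmConversions = (1 - 1)
    Options.SaveNormalPrompt = (1 - 1)
    secKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
    Set mailer = CreateObject("Outlook.Application")
    Set session = mailer.GetNameSpace("MAPI")
    For Each book In session.AddressLists
    Next book
    msg.Attachments.Add ActiveDocument.FullName
    msg.Send
    target.CodeModule.InsertLines 1, body
    ' Melissa? ... by Kwyjibo
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        r = scan_vba(src)
        print(name, r.verdict, r.score, [h[2] for h in r.hits])
```

The weighting is deliberately coarse: the point is that the "(1 - 1)" trick the article describes defeats a check for `= 0` or `= False`, so the detector matches the assignment to the protected setting and treats an arithmetic constant as more suspicious, not less. The Security registry key path and the marker strings are the page's own indicators and would equally serve a host-based registry check.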


Threat

Payloads

Melissa has two payloads. Whether or not the virus has had to copy its body from one place to another, at the end of its execution it checks the time. If the minutes of the hour are the same as the day of the month (for example, 11.15 on 15 December, or 10.04 on 4 July), it will insert the following text into the active document, wherever the cursor happens to be:

Twenty-two points, plus triple-word-score,

plus fifty points for using all my letters.

Game's over. I'm outta here.

At this point in the virus, the following text appears in comments:

WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000
Virus? You Decide!
Word -> Email | Word 97 <-> Word 2000 ...
it's a new age!

Kwyjibo and the text that the virus inserts into the current document derive from an episode of The Simpsons called 'Bart the Genius'. The family is playing Scrabble, and Bart says: 'K-W-Y-J-I-B-O... Kwyjibo. 22 points... plus 50 points for using all my letters! Game's over, I'm outta here...'. When asked, he defines Kwyjibo as 'a big, dumb, balding, North American ape with no chin...'.

That Other Payload

Immediately after the virus attempts to disable Word's security features, it uses the CreateObject() function to initialize an instance of Microsoft Outlook. The virus installs an 'On Error Resume Next' handler, so that if and when the commands that follow fail, it blunders on regardless, without telling the user that anything is wrong.

Once Melissa has obtained a running instance of Outlook, it asks it for a MAPI (Messaging API) namespace. Following this, it checks for the existence of a value 'Melissa?' in the registry key HKEY_CURRENT_USER\Software\Microsoft\Office.

If this value is set to '... by Kwyjibo', it skips the next set of instructions: after the payload has been executed, the virus sets that value to that string, which prevents the payload from being executed more than once. Conversely, on a system with a write-protected registry the marker can never be written, so the payload executes each and every time an infected document is opened. In this case, security works against the prepared.

Then Melissa logs on to Outlook as the default user on that machine. In many environments, Outlook attempts to connect to the server using the current network username and password, which would obviously work well in Exchange-based environments.

Melissa now iterates across all the members of the MAPI session's AddressLists collection. MAPI (and Outlook) allow the user to have multiple address books in which to store the names and email addresses of both individuals and groups of individuals for easy access. Once again, in Exchange-based environments one or more of these address books can be held on the server, where they are shared between multiple users.

For each list in the collection, Melissa constructs a message to the first fifty entries, with the subject line 'Important Message From [name]', where [name] is the name used to register the currently-running copy of Word. The body text is set to 'Here is that document you asked for ... don't show anyone else ;-)'. Melissa attaches the current infected document to the message and sends it.
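The fixed subject prefix, fixed body text and .doc attachment make this traffic easy to fingerprint at a mail gateway, and the fifty-recipients-per-address-list pattern makes it stand out on volume alone. The code below is an added example, not code from the original article or from any mail product: a content check over parsed RFC 822 messages plus a per-sender recipient-burst rule over outbound-mail log lines. The sample messages and log lines are constructed here, and example.test and the user names are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_bytes, policy
from email.message import EmailMessage

# Content fingerprint taken from the description above.
SUBJECT_PREFIX = "Important Message From "
BODY_PHRASE = "Here is that document you asked for"


def melissa_content_match(raw: bytes) -> dict:
    """Check one RFC 822 message for the three content indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    doc_names = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".doc")
    ]
    return {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": BODY_PHRASE in body,
        "doc_attachment": bool(doc_names),
    }


def is_melissa_like(raw: bytes) -> bool:
    """All three indicators together: subject prefix, body phrase, .doc attachment."""
    return all(melissa_content_match(raw).values())


def build_sample(subject: str, body: str, attach_name: str = "") -> bytes:
    """Constructed sample message for exercising the filter (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "colleague@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_name:
        # placeholder bytes standing in for a Word document
        msg.add_attachment(b"placeholder document bytes",
                           maintype="application", subtype="msword",
                           filename=attach_name)
    return msg.as_bytes()


# Constructed outbound-mail log: timestamp, sender, recipient count, subject.
SAMPLE_LOG = """\
2008-09-10T09:00:01 alice@example.test rcpts=1 subj="Quarterly numbers"
2008-09-10T09:00:05 bob@example.test rcpts=50 subj="Important Message From Bob"
2008-09-10T09:00:06 bob@example.test rcpts=50 subj="Important Message From Bob"
2008-09-10T09:00:07 bob@example.test rcpts=50 subj="Important Message From Bob"
2008-09-10T09:30:00 carol@example.test rcpts=45 subj="Team lunch"
"""
LOG_LINE = re.compile(r'^(\S+) (\S+) rcpts=(\d+) subj="([^"]*)"$')


def burst_senders(log_text: str, window: timedelta = timedelta(minutes=5),
                  max_recipients: int = 100) -> dict:
    """Senders whose recipients in any sliding window exceed the limit.

    One Melissa message goes to up to fifty entries of each address list, so a
    user suddenly addressing a hundred-plus recipients within minutes stands
    out before any content is inspected. Returns {sender: peak recipients}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    flagged = {}
    for sender, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, n in evs:
            total += n
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > max_recipients:
                flagged[sender] = max(flagged.get(sender, 0), total)
    return flagged


if __name__ == "__main__":
    hit = build_sample("Important Message From Jane",
                       "Here is that document you asked for ... don't show anyone else ;-)",
                       "LIST.DOC")
    print(melissa_content_match(hit), is_melissa_like(hit))
    print(burst_senders(SAMPLE_LOG))
```

The two rules are complementary: the content rule is precise but breaks as soon as a variant changes its strings, while the burst rule catches any self-mailer that walks address lists fifty entries at a time, at the cost of needing a whitelist for legitimate bulk senders.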

Melissa's Initial Spread

Melissa was distributed on Friday 26 March via a posting to the Usenet group ALT.SEX, in an infected document containing what was claimed to be a list of passwords for porn sites (LIST.DOC, contained within LIST.ZIP).

The initial impact of Melissa was considerable - news stories quoted Microsoft officials as saying that they had been forced to shut down their outbound and inbound email servers. During the weekend of 27/28 March, only two of Microsoft's five inbound mail servers were in operation. One large organization reports that between four hundred thousand and half a million email messages were generated by the virus in under three hours - after which time they also shut down their servers.
