
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 5: Macro Viruses

Melissa Worm/Virus: a Worm Parasitizing on MS Office 97 Architectural Problems and MS Word Users' Ignorance

(a slightly skeptical view on Melissa worm)

By Nikolai Bezroukov

Preliminary note. v. 0.4

"It is a tale... full of sound and fury, signifying nothing."

Shakespeare (without using GUID)


Attention: the virus affects only users of the Outlook + MS Word 97 combination on Windows 9x and NT; Word 2000 users are much less likely to be affected (only if the user reset the security level to low or medium; it should be high by default).


Disclaimer

Preliminary info. Use at your own risk. The author is not a native English speaker.

Introduction

The Melissa virus (or, more correctly, a VBA-based worm) was discovered on March 26, 1999. As usual, the case was overblown by the press and AV vendors.

Melissa is not a new type of worm; it is just the first more or less successful VBA worm (Sharefun was the first; Happy99.exe is another, but not VBA-based). The worm is distributed via an infected attachment: an MS Word document that lists Internet pornography sites. Once the user opens that file, the virus digs into the user's address book and sends infected documents to the first 50 addresses. That means that in MS Word aboriginal communities (communities without any understanding of VBA, Visual Basic for Applications, the MS Word scripting language) the infection can spread pretty fast, and that was the case: CERT estimated that the virus infected 100K computers in hundreds of organizations. The figure should be treated with skepticism; I doubt that there were so many naive users, although it is difficult to underestimate the level of ignorance of MS users ;-).

The timing was perfect to stimulate upgrades to MS Office 2000 (MS Word 2000 really has better security than MS Word 97, see below), and from the point of view of any conspiracy theorist it can be considered a perfect MS marketing trick ;-).

Most of the generic information about fighting macro viruses is applicable to fighting this virus.

The virus uses the idea that was used in the Sharefun virus before and is also MUA-specific: it targets MS Outlook. It will try to send e-mail to the first 50 entries in the Outlook address book. The later VB-script-based worm Lovebug was similar to Melissa but did not contain this restriction, and it managed to spread quicker and in greater numbers. BTW, if any of these e-mail addresses are mailing lists, the message will be delivered to everyone on the mailing list. Therefore the actual number of messages can be more than 50.

As in "make.money.fast" pyramid schemes, the speed of infection is proportional to the number of ignorant users in the community.

The virus can successfully propagate only on PCs with Microsoft Outlook installed, as it uses Outlook-specific calls; however, users with any MUA (mail user agent, like Netscape Messenger, Lotus Notes, etc.) can read the message sent by the virus.

Users of other MUAs could experience the results only in the form of receiving a specific message (see below). An interesting side effect of the Melissa virus is that the MS Word 97 GUID in the infected attachment was used to track the virus author (see The Virus Author Manhunt).

There is a nonworking copycat variant of Melissa, called Papa, that was adapted to Excel (see CNN - Copycat virus follows quickly on Melissa's heels - March 29 1999), but that does not change much in the situation. See also Excel clones of Melissa.

Variants: there are several of them, but as usual none is as successful as the original. One variant that appeared March 30, 1999 (Melissa.A) leaves the subject line blank. Another, called "Mad Cow Joke", works like Melissa, sending itself to 20 people in the victim's e-mail address book. Other names include Syndicate,

Detection

Like Cap.A and some other macro viruses, the virus tries to disable the possibility of looking into the list of macros via Tools/Macros. That makes detection easy (if you cannot get the list, you are probably in trouble), but for Outlook users in this particular case the worm has probably already managed to send 50 messages using addresses from the user's address book :-(. So detection in this case can be a little bit late, and we need prevention.

The e-mail message sent by the virus is also easy to detect. It usually contains the following header:

Subject: Important Message From <name>

where <name> is the name of the user sending the message. The body of the message consists of two sections.

When a user opens an infected .doc file with Microsoft Word 97, or if the security level in Word 2000 is set to medium or low, the macro virus is immediately executed, provided the user ignores the warning from MS Word that the document contains macros or customizations.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future. It also disables the Tools/Macro list.

Don't Overreact

If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus; they are not targeting you. We encourage you to contact the helpdesk. Remember, the (satirical) stages of dealing with a virus outbreak in a large organization are (sorry, this is a non-perfect translation):

and after the incident is over:

Inoculating Yourself Against the Virus

The best way is to create the registry key that virus checks before sending e-mails:

"HKEY_Current_User\Software\Microsoft\Office\Melissa?" should be set to the value

"... by Kwyjibo".

Only if that registry key does not exist or does not have the value "... by Kwyjibo" does the virus proceed to propagate itself, by sending an e-mail message in the format described above to the first 50 entries in every MAPI address book readable by the user executing the macro.

Setting the key can be done from VBA by running the command:

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"

Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to propagate only once per session.

If the registry key does not persist across sessions, the virus will propagate as described above once per session whenever a user opens an infected document. If the registry key persists across sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

Protection of the Normal.dot template

After the user opens an infected attachment, the virus, in classical macro-virus style, infects the Normal.dot template file. So one can try to protect Normal.dot using the methods outlined elsewhere. But this is probably overkill.

Please keep in mind that unpatched versions of Word 97 trust macros in templates (see http://www.microsoft.com/security/bulletins/ms99-002.asp). You need to apply the recommended patch to prevent this. This is a nice time to do it.

Corruption of documents

Very rare. Actually, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message:

If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

The message of course is: 

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Blocking messages on MTA

For popular MTAs (Mail Transfer Agents, like Lotus Notes Server, Sendmail, Microsoft Exchange, etc.) solutions are already available that will filter the virus at the point of entry. This is the recommended solution for large organizations. Even a simple grep filter that checks for the word "Kwyjibo" would be very useful and not difficult to implement. See the following links for details (they are from the CERT advisory; I still do not have a link for Lotus Notes, but one probably exists as well):
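As an added example (not code from the original article or from any of the products named above), here is the gateway-side check that the Detection section and this section describe, written in Python: it parses a raw message and flags the "Important Message From" subject, a .doc attachment, and the string "Kwyjibo" inside the decoded attachment. The sample messages are constructed for the demonstration, and the quarantine rule combining the indicators is my own assumption.

```python
"""Added example: a minimal gateway-style filter for the Melissa tell-tales.
Sample messages are constructed here for the demo; no real worm data is used."""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from"   # header the article describes
MARKER = b"kwyjibo"                         # string the grep filter looks for


def melissa_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 822 message, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    # Only real attachments are inspected; the text body is skipped.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc"):
            hits.append("doc-attachment")
        # decode=True undoes the base64/quoted-printable transfer encoding,
        # which a plain grep over the raw mail would not see through.
        payload = part.get_payload(decode=True) or b""
        if MARKER in payload.lower():
            hits.append("kwyjibo-marker")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Assumed rule: the marker alone, or subject plus .doc together."""
    hits = set(melissa_indicators(raw))
    return "kwyjibo-marker" in hits or {"subject", "doc-attachment"} <= hits


def build_sample(subject, attach_name=None, attach_bytes=b"") -> bytes:
    """Construct a sample message (demo data only)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Constructed body text for the demo.")
    if attach_name:
        msg.add_attachment(attach_bytes, maintype="application",
                           subtype="msword", filename=attach_name)
    return msg.as_bytes()


# Constructed samples: a lookalike of the worm's message, a benign .doc, and
# a message with the subject but no attachment.
SUSPECT = build_sample("Important Message From Alice", "list.doc",
                       b"fake doc bytes with macro text ... by Kwyjibo")
BENIGN = build_sample("Lunch on Friday?", "menu.doc", b"fake menu doc")
PLAIN = build_sample("Important Message From Alice")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN), ("plain", PLAIN)):
        print(label, melissa_indicators(raw), should_quarantine(raw))
```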

Disinfections

The latest version of the free F-Macro utility will disinfect the virus in the Normal.dot template, but not in attachments. There is also a free virus detector from ZDNet, ZDNet's ByeMelissa; it's an MS Word document that checks for the virus macro.

Other AV products can be used as well. In any case, the latest version should be used.

Prevention. Should We Avoid Microsoft Products ?

The irresistible question is: "How much blame does Microsoft deserve for the mess?" My impression is that Microsoft was and is an extremely virus-friendly corporation. When Word 7.0 was launched, macro viruses were already a serious issue, but Microsoft failed to include the possibility of using Authenticode, although it was already available. Instead it included a hidden disinfector and a primitive macro warning feature. The latter, although useful, looks like a simple hack written in order to get rid of an unimportant subject. So MS Word remained an extremely user-friendly environment for virus writers. Obviously, there aren't sufficient security controls for the macro language. But this is not limited to viruses: Microsoft always took the profit and left the problems to somebody else. So the FBI would probably be better off going after Microsoft ;-) They made the whole mess possible with their total disregard for security.

Microsoft P.R. must be doing exceptionally well, for not many people seem to be pointing the finger at Microsoft. This virus was inevitable; it was bound to come up, just like the Internet Worm of years ago. The timing had to be perfect for a commonly used application with few security measures to come about, and boom, it becomes a national epidemic. And the culprit is Microsoft's arrogance.

Of course Microsoft is guilty, as there are simple security options that can prevent the worm from sending to addresses. And it's important to implement them as Microsoft's Office suite of productivity software becomes more ubiquitous.

But users, or more correctly user ignorance, are also part of the problem. Programs with scriptable engines and an API for e-mail are often kind of overkill and are always a big security risk. Shouldn't you use something simpler, as the famous KISS principle suggests ;-)

Anyway, some anti-Microsoft measures may be appropriate ;-). The simplest step is to uninstall Outlook and switch from the non-portable MS Word to the more portable (and available for Linux) WordPerfect (which is also stronger in its support of HTML and XML) or Star Office.

A little bit less radical approach would be just to associate the extension .DOC with WordPad, not with MS Word. And this is really simple to do. WordPad does not execute any macros. And BTW it's a much faster way to read attachments. Of course this will not solve all your problems, but at least it's a step in the right direction. Anyway, if somebody is unsatisfied with Outlook, it's a good time to switch.

As for on-the-fly protection with some AV tool: it can help, but RTF is probably safer, as in my experience on-the-fly AV protection creates more problems than it solves. Good old RTF is immune to Melissa tricks (but only for those who understand what RTF is: files with the extension RTF do not necessarily contain documents in the RTF format ;-). See doc2rtf for additional information.

Patching MS Word holes

Of course, Microsoft Office 97 design flaws are the culprit of all these troubles ;-). So an upgrade to Word 2000 can improve the dismal level of security that was a characteristic mark of MS Word till version 9 (aka MS Word 2000).

Some primitive (and definitely insufficient) help is available in Word 97: you can enable a (pretty stupid, as there is no possibility of looking into the list of macros) warning (click Tools/Options/General, then turn on the 'Macro virus protection' checkbox), and if the user sees one he/she needs to react accordingly. Actually the warning is enabled by default, so if it is disabled, it's a virus :-).

In Word 2000 the situation is better. If you enable the High security setting, MS Word 2000 will ignore VBA macros, which gives the user a decent level of protection: only signed macros from trusted sources will be executed. So those who for some reason are running the Word 2000 beta are actually in much better shape than Word 97 users:

BTW, the virus tries to "correct" this situation if a user gives it a chance to run:

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    ... ... ...

The Virus Author Manhunt

A serial number, called the Global Unique Identifier (GUID), is included in files created with Office 97, as well as some other MS applications, including Visual Basic. The serial number raised the concern of privacy advocates just a few weeks ago for its ability to be used to trace certain documents back to their creator.

It's funny how everyone was complaining about the Intel PIII serial number, while Melissa has taught us that we were capable of being tracked all along. Why is there not an equal outrage regarding the Microsoft GUID? I understand that it only really applies to those with network cards, but these days that's about anyone in the work force. It remains to be seen how Microsoft will address the privacy concern involved...

As was reported by ZDNET (Melissa trail leads to 'ex' virus writer), using the GUID Richard M. Smith, president of software tools developer Phar Lap Software Inc., and Fredrik Bjorck, a Swedish PhD student at Stockholm University's Department of Computer and System Sciences, have identified several files with the same GUID as the infected attachment in Melissa. This could be a costly mistake for the virus writer, who probably "should know better" about the GUID, as it was widely publicized on the net. The FBI is looking to prosecute the writer with a fine of $250,000 and a sentence of up to 10 years in prison, according to the statement made by Michael Vatis, director of the National Infrastructure Protection Center ( http://www.latimes.com/CNS_DAYS/990330/t000028246.html ).

The consequences of the Melissa release for a lot of underground sites are catastrophic. At least a dozen underground sites went down as a result of FBI efforts. Looks like another "The Hacker Crackdown". Guilty or not, these guys are never going to see their computer equipment ever again now that the FBI has it ;-(.

See links below for more information.

Conclusion

Melissa's cost to companies is more in terms of searching for and eradicating the virus than repairing damaged systems. Also, in a large corporation most of the installed AV software is usually far from up to date (it's more like a magical ritual than actual protection), so Melissa gave Security administrators (often the guys who cannot tell the difference between VB and VBA ;-) a chance to wake up and smell the coffee. A lot of large companies now try to make sure that installed AV software is up to date to catch it; not completely wrong, but still a limited approach, as we discussed above (I advocate changing the environment, with an upgrade from MS Word 97 to Word 2000, as a much more efficient way to protect the system). Many decided to go for additional screening of inbound e-mail to look for telltale features. Also not necessarily a bad approach, unless it affects the stability of the e-mail gateway.

In any case, Melissa can help companies to put procedures in place that let them respond to virus threats quickly, as well as educate their users to be alert to potential viruses.

Melissa was a good test for the heuristic macro virus detection capabilities of existing AV software and proved again that no amount of virus protection will make a network 100% secure.

This is neither the first nor the last macro virus that we need to deal with. Please do not panic. It's more boring than dangerous. Melissa is the first successful macro worm, so it is able to propagate far more quickly than earlier macro viruses if the user has the Outlook + MS Word 97 combination. That's basically it.

The good thing about the virus is that it will definitely harm Microsoft's image (another proof that Microsoft is a very virus-friendly company; it's probably difficult to overcome the DOS heritage of blatant neglect of security issues ;-) and will improve Linux's image as an alternative OS. As for viruses, Linux is definitely more secure and can be considered the ultimate AV package for the Microsoft OSes :-).

Anyway, as a relatively benign virus, Melissa is a low-cost way of gaining user awareness that MS Office 97 (and all previous versions of MS Office) is one big security hole (and of raising AV vendors' profits, as the (not-very-successful ;) patchers of those holes :-). If a similar mechanism was used by a more malicious attacker (for example for sending the files in the most recently used list, or if the virus modified/destroyed recent documents or other files) or written by a better programmer (usually virus authors are average programmers at best; often they are simply horrible programmers, good for nothing else ;-) it would be much more worrisome. It makes sense for everybody to use this opportunity to establish three capabilities, unless you have already done so:

Webliography

Manhunt for the Melissa author (probably the most interesting part of the Melissa story: the suspect was arrested on April 1, 1999, a symbolic date)

March 27

March 28

March 29 and after (not much interesting happened)...

Excel clones of Melissa: not very dangerous, since the number of Excel spreadsheets is several orders of magnitude less than the number of MS Word documents.

Should Microsoft be blamed?

MS Office 2000

Network Associates

Symantec

If you want to report any instance of this activity, you can use the decent Incident Reporting Guidelines from CERT available at:



Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.
Last modified: May 08, 2017