J-037A: W97M.Melissa Word Macro Virus

PROBLEM:       A new Word 97 macro virus named W97M.Melissa has been detected 
               at multiple DOE sites and is known to be spreading widely. In 
               addition to infecting your copy of Microsoft Word, the virus 
               uses Microsoft Outlook 98 or Outlook 2000 to e-mail the 
               infected document to the first 50 people from each of your 
               Outlook address books. 
PLATFORM:      Windows 95 or Windows NT running Microsoft Word 97 (version 8) 
               or Word 2000 (version 9) and Microsoft Outlook 98 or Outlook 
               2000. Word 98 on the Macintosh can be infected with this virus
               and will infect other documents but will not automatically send 
               the infected documents to other users. Systems with Word and
               Outlook Express, Outlook 97, or other mail readers cannot 
               automatically send the virus infected document via e-mail but 
               Word on these systems will be infected and will infect other 
               Word documents.
DAMAGE:        It overwrites the first macro in open documents and in the 
               normal.dot template with the macro virus code. It turns off 
               macro detection in Word. It sends copies of the infected 
               document to up to 50 people from each of your Outlook address 
               books. 
SOLUTION:      Use an updated antivirus product. Some vendors have a solution 
               site available but in many cases you must go to the vendors web  
               to get it. Do not depend on the automatic or live update 
               feature of an antivirus package to get the detector for this 
               virus. Additional precautions are to password protect the 
               normal.dot file, turn on macro virus detection in Word, and DO 
               NOT OPEN attachments to mail messages with the subject 
               "Important Message From " and the contents "Here is that 
               document you asked for ... don't show anyone else ;-)" without 
               checking with the sender. Alert your computer security officers 
               if you receive such messages. 
VULNERABILITY  Risk of infection is high. This virus is spreading widely 
ASSESSMENT:    within and without of the DOE complex. The risk of damage to 
               your system is low because most users do not have macros in 
               files and would be alerted by Word's macro detector. The risk 
               of lost productivity and lost mail messages is high as mail 
               servers may have to be shut down and purged of infected mail 
               messages. 

CIAC has critical information about the W97M.Melissa Word Macro Virus
[Original bulletin 3/27/99]
[Revision a 3/31/99]

The W97M.Melissa Word macro virus has been seen within the DOE complex. This 
macro virus uses two methods of infection. First, it infects the Word 97 (or 
2000) program (normal.dot template) and all subsequent documents edited with 
Word. Second, it uses the Outlook 98 (or 2000) e-mail program to mail copies of 
the infected document to the first 50 people in each of your Outlook address 
books. If Outlook 98 or Outlook 2000 is not installed, the second method of 
infection does not work but the first method still does.

The virus attaches to Word objects in Word 97 and Word 2000. Because of
this method of infection, this virus will not infect older versions of  
Microsoft Word. When an infected document is opened, the virus checks to  
see if Word 97 or Word 2000 is installed, disables the Macro toolbar, and then 
disables the following Word 97 options (different options in Word 2000):

  Confirm conversions at open.
  Macro virus protection.
  Prompt to save Normal template.

Disabling these options makes it difficult to detect the virus in action. The 
virus next checks the value of the private registry string:

  HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? 

If that string is not equal to "... by Kwyjibo" the virus sends copies of the 
infected document to the first 50 people in each of your Outlook address 
books and then sets the registry key so it does not do this again. It sends 
copies of the infected document to others by opening a connection to Microsoft
Outlook and creating an e-mail message with the subject:

  Important Message From <username>

where <username> is replaced with the current Word user's name (Tools, Options
command, User Information tab). The body of the message contains the following
text: 

  Here is that document you asked for ... don't show anyone else ;-)

The virus then inserts the first 50 users from your first Outlook address book, 
attaches the infected document and sends the message. It performs this process 
again for each of the address books you have defined in Outlook.

After sending itself to the people in your address books, the virus
checks to see if it is running on a document or the Normal.dot template. If  
it is running on a document, it infects the Normal.dot template with a
Document_Close macro that runs whenever a document is closed. If it is  
running on the Normal.dot template, it infects the active document with a 
Document_Open macro that runs whenever a document is opened. After the 
Normal.dot template is infected, the virus infects every document you work 
on as soon as you close them. If you share these documents with anyone, you 
will spread the virus.

Finally, it has a small payload. If the minute of the hour equals the day of the 
month, the virus inserts the following message at the current location in the 
active document.

  Twenty-two points, plus triple-word-score, plus fifty points for using 
  all my letters.  Game's over.  I'm outta here.

Note: we have been informed that the word Kwyjibo and the text inserted into the 
document are from a Bart Simpson episode where Bart wins a Scrabble game with 
the word Kwyjibo.

Detecting The Virus
===================

Most antivirus vendors have a detection and cleaning capability for this 
virus; however, you must go to the vendors web site to get the scanner 
updates. Scanners with automatic or live update features do not yet get the  
update required to find and clean this virus. While we expect the detection  
strings to be in the automatic updates in the near future, for the next
week or two you should get the scanner directly from your vendor's web site.
We have verified that the Norton Antivirus updater obtained from the 
Symantec web site (http://www.symantec.com/techsupp/custom/mailissa.html)
does detect the virus, the current live update does not. We have reliable 
information that McAfee (http://vil.mcafee.com/vil/vm10120.asp), and 
Trend Micro (http://housecall.antivirus.com/smex_housecall/technotes.html)  
also have detection capabilities.

If you receive an e-mail with the following subject and body, DO NOT OPEN the 
attachment. 

Subject: 
  Important Message From <username>
Body: 
  Here is that document you asked for ... don't show anyone else ;-)

Make sure the sender is someone you know and then ask them if they really 
sent you the attachment before opening it. If they did not send it, do not 
open the attachment and contact your computer security manager. The most 
common name for the attached file is list1.doc but that name can change.

If the following text appears in a document without your putting it there, 
your normal.dot template is infected and your Word program is infecting all 
documents when you close them.

  Twenty-two points, plus triple-word-score, plus fifty points for using 
  all my letters.  Game's over.  I'm outta here.


Another option to see if a system has been infected is to use Regedit and 
search for the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?

If that key exists and has the value "... by Kwyjibo" the system has been 
infected at some time. Note that the infection may have been removed without 
deleting the key. This key can be deleted, but does no damage if left alone.

Protecting A System
===================

The first step in protecting Word from any macro virus is to have a current 
antivirus package running on your system. Be sure to update it at least once a 
month. Many of the newer antivirus scanners have the capability to automatically 
update themselves every couple of weeks. 

The next step is to insure that Word has been patched with the Word 97 Template 
vulnerability patch. The patch is available as a download from the Microsoft web 
site: (http://www.microsoft.com/security/bulletins/ms99-002.asp).

The third step is to password protect the normal.dot global template file.

The fourth step is to set the following options in the Word program. Most 
important is the Macro virus protection check box that causes Word to display a 
dialog box whenever you open a document that contains macros, giving you the 
option to enable or disable them.
  Confirm conversions at open.
  Macro virus protection.
  Prompt to save Normal template.

The last step is to NEVER enable Macros in a document unless you know where they 
came from and know what they do.


Password Protecting The Normal.dot gloal template file
------------------------------------------------------

To password protect the Normal.dot file in Word 97, perform these steps:

1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password twice. 
6. Close the dialog box, close the Visual Basic editor.
7. Quit Word.

The next time you start Word, the normal.dot template will be protected. 

WARNING: If you ever have to type in the password to make changes to the 
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it. 

Turning On Macro Virus Protection and Other Options
-----------------------------------------------------

Some simple macro virus protection is built into Word 97. It does not detect 
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not 
necessarily a virus. However, if you are alerted to a macro attached to a 
document you should be extremely wary because most people do not have macros
attached to their documents. You should never enable macros in a document unless 
you know where they came from and what they do.

Other options to set are: 

  Confirm conversions at open. This makes Word display a dialog box if 
    it is converting a document from one format to another.

  Prompt to save Normal template. This makes Word display a dialog box 
    asking you to confirm changes to the Normal.dot template. Most 
    macro viruses hide in Normal.dot so this lets you know that there 
    has been a change that you may want to prevent. Changes also occur 
    when you change the default font or one of the built-in styles.


To turn on macro virus protection and these other options, perform these
steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Check the Confirm conversions at open check box.
5. Choose the Save tab.
6. Check the Prompt to save Normal template check box.
4. Close the dialog box.

Whenever you open a document that contains macros, the macro virus protection 
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open 
the document with the macros disabled, or cancel the open operation. You should  
only open a document with macros enabled if you are expecting there to be 
macros on that document and you know what they are supposed to do.

An alternate protection scheme is to place the following macro on your 
normal.dot template in a module named AutoExec

Sub Main()
'
' AutoExec.Main Macro
' Macro created 03/30/99 by William J. Orvis
'
    Options.VirusProtection = True
    Options.ConfirmConversions = True
    Options.SaveNormalPrompt = True
    MsgBox "Security Options Set"
End Sub 

This simple macro sets the three options and displays a dialog box that says 
"Security Options Set" whenever you start Word. If you or a virus has disabled 
virus protections in Word, this macro will automatically reset them. 
To install this macro, perform these steps:

1. Copy the macro above from the Sub to the End Sub statements onto the 
   clipboard.
2. Start Word
3. Choose the Tools, Macro, Visual Basic Editor command.
4. In the Project window, double click on the Normal template. You will have to 
   type your password if you have already password protected the Normal.dot 
   template.
5. Choose the Insert Module command.
6. Select the newly created module (Module1) and in the Properties window, 
   change the name to AutoExec.
7. Double click on the AutoExec module to open a code window and paste the macro 
   into the window.
8. Close the Visual Basic editor and close Word. 
9. Start Word and it should display a dialog box containing the text "Security 
   Options Set". 

Note: It would be a good idea to change the text displayed in the dialog box to 
prevent a future virus from mimicking this macro. By changing the text, only you 
will know what is supposed to be displayed in the dialog box. The text is set in 
the statement starting with MsgBox.

Filtering the Virus Containing Message With a Mail Server
=========================================================

If a site has been infected you may need to block the virus infected mail 
messages with your mail servers. For systems that use sendmail, the following 
filter was written by Scott Hutton (Lead Security Engineer, Information 
Technology Security Office) of Indiana University. As Scott mentions, this 
filter blocks all messages with the text "Important Message From" in the subject 
line, which may block messages that do not contain the virus. Use this filter at 
your own discretion. 

===== start included text ======
We blocked this on our mail relays through the following additions to
the sendmail.cf:

  HSubject: $>CheckSubject
  SCheckSubject
  RImportant Message From $+    $#error $: 553 Subject Error
  R$*                           $@ OK

Don't forget that there are tabs before $#error and $@ OK.  This will
block any message where the subject begins with "Important Message
>From ...", which may be too rash of an action at your site.

===== end included text ======

Another filter is available directly from Sendmail.com 
(http://www.sendmail.com/blockmelissa.html) 

Users of the Microsoft Exchange mailserver cannot use filters of this type. 
However, several vendors have indicated that they have virus scanners that 
operate on the Exchange server that would do the job. Check with your antivirus 
vendor to see if they have such a product.

_____________________________________________________________________________

Thanks to Scott Hutton, CERT and Nick Christenson for the sendmail filters.

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org