[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

OT: Melissa virus fix from NAI

  • From: "Baden Hughes" <bmhughes@o...>
  • To: <xml-dev@i...>
  • Date: Mon, 29 Mar 1999 01:08:51 +1000

melissa fix
There's a fix for the Melissa virus from NAI:

http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

W97M/Melissa 3/27/99

W97M/Melissa
Melissa is a Word 97 Class Module Macro virus that can also be upconverted
to a Word 2000 Macro Virus. It was first discovered by NAI's Dr Solomon's
VirusPatrol today on the alt.sex newgroup. The virus has spread rapidly
around the world, and has infected thousands
Symptom
The virus can infect a system by being received from another infected user
via Outlook. This appears to be the most common method of infection. Users
will not know they have been infected, nor will the sender know the
document has been sent. A user may become alerted to the infected document
if the Macro Security settings are enabled. This warning will be displayed
to the user when the document is opened.
Pathology
When the infected document is opened, the virus checks for a setting in the
registry to test if the system has already been infected. 
If the system hasn't been infected, the virus creates an entry in the
registry: HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by
Kwyjibo"
(If this key exists the email process will not execute, the virus will
still infect. AVERT advises that it not be removed.)
(As a preventive message you can create this registry key to prevent the
virus from launching)
This virus also creates an Outlook object using Visual Basic instructions
and reads the list of members from Outlook Global Address Book. An email
message is created and sent to the first 50 recipients programatically all
the address books, one at a time. The message is created with the subject 
"Important Message From – <User Name>" 
The message body of text reads 
"Here is that document you asked for ... don’t show anyone else ;-)". 
The active infected document is attached and the email is sent. The most
prevalent document being seen is one called List.DOC, however this is NOT
the only document that can be sent or received. Once the system is infected
all documents that are opened are infected. As any document can be sent, a
user that receives the infected document, who hasn’t been infected, can
become infected with this document, and the process will continue.
The virus does have a payload. If the day equals the minute value, and the
infected document is opened this text is inserted at the current cursor
position: 
" Twenty-two points, plus triple-word-score, plus fifty points for using
all my letters. Game's over. I'm outta here."
This virus checks for low security in Office2000 by checking the value from
the registry; if the value
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is
not null,
the virus will disable the "MACRO/SECURITY" menu option. Otherwise Word97
menu option "TOOLS/MACRO" is disabled.
Comments inside the macro virus include:
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!



xml-dev: A list for W3C XML Developers. To post, mailto:xml-dev@i...
Archived as: http://www.lists.ic.ac.uk/hypermail/xml-dev/ and on CD-ROM/ISBN 981-02-3594-1
To (un)subscribe, mailto:majordomo@i... the following message;
(un)subscribe xml-dev
To subscribe to the digests, mailto:majordomo@i... the following message;
subscribe xml-dev-digest
List coordinator, Henry Rzepa (mailto:rzepa@i...)


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.