MELISSA VIRUS

- The following info has been collected from various sources and may not credit the authors.
- Please email us if you authored information here and would like it removed or acknowledged.
Melissa Messenger ?
Late on 26 March a Word 97 macro virus ravaged corporate email systems in the US. Named W97M/Melissa.A, this class-infector has a payload designed to ensure its rapid spread. On first infection, Melissa attempts to abstract 50 email addresses from each address book visible to Microsoft Outlook and emails a copy of the current infected document to those addresses as attachments. For the originally identified Melissa variant (Melissa.A) the emails are formatted as follows:
From: (name of infected user)
Subject: Important Message From (name of infected user)
To: (50 names from alias list)
Body text: Here is that document you asked for ... don't show anyone else
Attachment: LIST.DOC
The virus activates according to the time and day of the month. When the minutes of the hour equal the day of the month (for example at 5.12pm on the 12th of April) it is activated and the payload delivered. Melissa can also spread to other documents on the infected machine, which could then be sent out as attachments to 50 addresses abstracted from the Outlook address book, posing a real threat to data security.
A full analysis of the Melissa virus will appear in next month's issue of Virus Bulletin.
Four "copycat" variants of Melissa have also been identified this week. Almost all the code for each has been copied from the original virus, with slight adaptations to the payload. Details concerning the emails that are sent upon activation of the virus are as follows:
W97M/Melissa.B
Subject: Trust No one
To: First address in all the address books available to Outlook.
Body text: Be careful what you open, it could be a virus.
Attachment: A copy of the infected document which activated the virus

W97M/Melissa.C
Subject: Fun and games from username
To: The first 69 addresses in all the address books available to Outlook.
Body text: Hi! Check out this neat doc I found on the internet!
Attachment: A copy of the infected document which activated the virus

W97M/Melissa.D
Subject: Mad Cow Joke.
To: The first 20 addresses in all the address books available to Outlook.
Body text: Beware of the spread of the Madcow disease.
Attachment: A copy of the infected document which activated the virus
After much frantic work by the virus researchers over the past week, detection and disinfection of all these variants has been enabled. To obtain updates for your antivirus software (if you have not already done so), consult the website of your antivirus product vendor.
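The subject lines and attachment behaviour listed above are enough for a simple mail-gateway triage rule. The following is an added example, not code from the article or from any antivirus product; the function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Subject lines of the variants described in the article above.
VARIANT_SUBJECTS = {
    "W97M/Melissa.A": re.compile(r"^Important Message From \S", re.I),
    "W97M/Melissa.B": re.compile(r"^Trust No one$", re.I),
    "W97M/Melissa.C": re.compile(r"^Fun and games from \S", re.I),
    "W97M/Melissa.D": re.compile(r"^Mad Cow Joke\.?$", re.I),
}

def triage(raw_message):
    """Classify one raw RFC 822 message; returns a dict with the verdict."""
    msg = message_from_string(raw_message)
    subject = " ".join((msg.get("Subject") or "").split())  # unfold header
    variant = next((name for name, rx in VARIANT_SUBJECTS.items()
                    if rx.search(subject)), None)
    # Only Melissa.A is tied to LIST.DOC; the variants attach whichever
    # infected document was open, so match any Word attachment.
    docs = [p.get_filename() for p in msg.walk()
            if (p.get_filename() or "").lower().endswith(".doc")]
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {"variant": variant, "doc_attachments": docs,
            "recipients": len(rcpts),
            "quarantine": variant is not None and bool(docs)}

def make_sample(subject, to, filename):
    """Build a constructed test message (placeholder bytes, no real document)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "user@example.test", to, subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_string()

SAMPLES = [  # constructed inputs
    make_sample("Important Message From Alice Example",
                "bob@example.test, carol@example.test", "LIST.DOC"),
    make_sample("Trust No one", "bob@example.test", "budget.doc"),
    make_sample("Quarterly figures", "bob@example.test", "q1.doc"),
    make_sample("Mad Cow Joke.", "bob@example.test", None),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

A known subject alone is not treated as a hit: the rule quarantines only when it coincides with a Word attachment, and the recipient count is reported for the analyst rather than used as a threshold.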
W97M/Melissa.A / webmaster@virusbtn.com
© 1999 Virus Bulletin Ltd.
Failure to follow instructions EXACTLY may
cause problems in accessing the internet or email
from your computer! I make or imply no
guarantees. If you choose to use the information
here, it is of your own free will. You are solely
responsible for the care of your computer. If you
do not feel comfortable with your level of
knowledge, or your ability to accurately follow
these procedures, contact a local computer
technician. Most problems are a result of not
following the directions in order or by misspelling
commands. If you are careful, however, you
should have no problems.
1) If you have not already done so since
running the Happy99 program, restart
your computer. This step is important
because the virus does not complete
the infection process until you restart
the computer. By following this step before
deleting any files, you are less likely to
encounter any error messages in the
removal procedure.
2) If you have not already done so, delete the
Happy99 program from wherever you saved it.
If you aren't sure where it is, go to your start
button and use "find" then "files" on the
menu. Search for Happy99.exe. Once you
find it, delete it.
3) Make SURE all internet related programs
are turned off (this includes instant messaging
services such as ICQ and AOL Instant
Messenger), then restart your computer
in MS-DOS mode (Click on the Start button,
select "shut down", then select "restart the
computer in MS-DOS mode").
4) Once it has restarted, you should see
C:\WINDOWS> on the screen.
5) Type in CD SYSTEM and press "enter".
You should see C:\WINDOWS\SYSTEM>
on the screen. If that doesn't get you
there, try CD C:\WINDOWS\SYSTEM or
CD WINDOWS\SYSTEM then press "enter".
6) Type in ATTRIB -H WSOCK32.DLL and press
"enter".
7) Type in ATTRIB -R WSOCK32.DLL and press
"enter".
8) Type in COPY WSOCK32.SKA WSOCK32.DLL
and press "enter".
9) If asked if you want to overwrite
wsock32.dll, type "y" for yes, then
"enter" and go to step 10.
*** If you get a message indicating FILE NOT
*** FOUND, complete steps 10, 11, and 13. Then,
*** return to Windows, click here and
*** save the program wsockupd.exe someplace
*** where you can find it. Lastly, run the
*** program. Do not do this if step 9 works.
10) Type DEL SKA.DLL, press "enter". If you
get a message saying "file not found",
or "cannot delete", type ATTRIB -H SKA.DLL,
then press "enter", then type ATTRIB -R SKA.DLL,
then press "enter", then type DEL SKA.DLL,
then "enter".
11) Type DEL SKA.EXE, press "enter". If you
get a message saying "file not found",
or "cannot delete", type ATTRIB -H SKA.EXE,
then press "enter", then type ATTRIB -R SKA.EXE,
then press "enter", then type DEL SKA.EXE,
then "enter".
12) *OPTIONAL* If you have followed
all of the steps correctly, you may
type DEL WSOCK32.SKA and press "enter".
13) Type in EXIT and press "enter".
Once you have returned to Windows, you might
want to find the file "liste.ska" using the "find files"
function on the start button. If you have not
actually sent the virus to anyone, you won't find
this file. You can open this file by double-clicking
and selecting "notepad" when asked which program
to use to open it. Inside of the file is a list of people
to whom you have emailed the virus. You should
contact them and let them know about the virus.
You might want to tell them about this website so
that they can get rid of it. After this, you can delete
the file.
That should take care of the Happy99 virus.
HOWEVER - unless you are running antivirus
software with an updated data or definition file, you
could easily catch this virus again or another one. If
you already have the software, you should update
your data or definition files at least monthly. If you
do not have antivirus software, you can follow one
of the links on this page to obtain more information
about several programs available from
Beyond.com.
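The file operations in steps 6 to 11 of the Happy99 removal procedure above can also be applied to an offline copy of the SYSTEM directory, for example from a mounted disk image. This is an added example, not the page author's tool; `clean_happy99` and `build_demo_dir` are hypothetical names and the demo directory is constructed.

```python
import os
import shutil
import stat
import tempfile

def clean_happy99(system_dir):
    """Apply steps 6-11 above to an offline copy of the Windows SYSTEM directory."""
    # FAT file names are case-insensitive: map upper-case name -> real path.
    names = {n.upper(): os.path.join(system_dir, n) for n in os.listdir(system_dir)}
    report = {"restored": False, "deleted": [], "needs_clean_wsock32": False}

    backup = names.get("WSOCK32.SKA")
    if backup:
        target = names.get("WSOCK32.DLL", os.path.join(system_dir, "WSOCK32.DLL"))
        if os.path.exists(target):
            os.chmod(target, stat.S_IREAD | stat.S_IWRITE)  # step 7: ATTRIB -R
        shutil.copyfile(backup, target)  # step 8: COPY WSOCK32.SKA WSOCK32.DLL
        report["restored"] = True
    else:
        # The FILE NOT FOUND branch of step 9: wsock32.dll is left untouched
        # and must be replaced from a clean source afterwards.
        report["needs_clean_wsock32"] = True

    for name in ("SKA.DLL", "SKA.EXE"):  # steps 10 and 11
        path = names.get(name)
        if path:
            os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
            os.remove(path)
            report["deleted"].append(name)
    return report  # WSOCK32.SKA is kept; deleting it is the optional step 12

def build_demo_dir(with_backup=True):
    """Constructed stand-in for an infected SYSTEM directory."""
    d = tempfile.mkdtemp()
    files = {"wsock32.dll": b"patched", "SKA.EXE": b"x", "Ska.dll": b"x"}
    if with_backup:
        files["WSOCK32.SKA"] = b"original"
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(d, "wsock32.dll"), stat.S_IREAD)  # read-only, as in step 7
    return d

if __name__ == "__main__":
    print(clean_happy99(build_demo_dir(True)))
    print(clean_happy99(build_demo_dir(False)))
```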
Melissa virus
GENERAL INFORMATION
************************
Even if your computer hasn't been infected by the Melissa virus, you
can see first-hand how fast it can spread. Within a few days,
hundreds of thousands of computers have been infected; it's on all
the news channels and being talked about around the world.
Fortunately, there are precautions that can be taken to avoid the
unpleasant experience of being Melissa(ed).
First and foremost, do NOT open attachments that you are not
expecting or that come from unknown sources. This is how the virus
spreads. You receive an email with the subject heading "Important
message from someone you know" and an attached Word
document called "list.doc". When opened it runs a macro (a script
containing instructions) that sends an email to the first 50 people
found in your address book or folders. (The name of the attachment
may have changed).
DISABLING AUTOMATIC MACRO EXECUTION
*******************************************
For Word '97 users :
Tools → Options → General : Check 'Macro virus
protection' checkbox.
For Word 2000 users :
Tools → Macro → Security : Choose High, Medium, or
Low. Setting to medium will prompt you when a macro is
contained in a Word document. You will then accept or
disallow the macro from being run.
HOW TO PROTECT YOURSELF FROM MELISSA
********************************************
Remember, your computer will not be infected if you don't open the
attachment. Send a message to the sender telling him/her their
computer has been infected by the virus and suggest the following
tools to get rid of Melissa:
- http://www.zdnet.com/swlib/hotfiles/virus399.html
For more information on the Melissa Virus, visit the following sites:
- MSNBC
- YAHOO
- ZDNET
- SYMANTEC
W97M.Melissa.A (a.k.a. Melissa)
What is W97M.Melissa.A?
Melissa is a Microsoft Word macro virus. A macro is a tiny program. Typically they are used to reduce the amount of manual clicking and typing one has to do by automating tasks that are performed often. Through macros, the virus alters the Microsoft Outlook email program so that the virus gets sent to the first 50 people in your address book. It does not corrupt any data on your hard drive or make your computer crash. It just changes some Word settings and sends itself to the people you do not want to infect.
How do I get it?
Melissa arrives as an email attachment. The subject of the message containing the virus will read, "Important Message From " followed by the name of the person whose email account it was sent from. The body of the message reads, "Here is that document you asked for ... don't show anyone else ;-)" Double clicking the attached Word document (typically named LIST.DOC) will infect your machine.
Who's at risk?
People running Microsoft Word 97 or Word 2000. Macintosh users are immune.
What exactly does the virus do to my computer?
First the virus looks for the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?
to have a value of "...by Kwyjibo". If it does, then the virus knows that it has already sent itself out to everyone and will not try to again. If it does not, then it opens MS Outlook, and sends itself as described above. Once infected, whenever a Word document is opened or closed at a time where the minute is the same number as the day of the month (i.e. 12:06 on May 6th) then the following sentence is inserted into the document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
Melissa also disables Word's built in macro virus protection and attaches itself to your Normal.dot template so all new messages contain the virus. For this reason you can spread the virus by sending out an infected Word document even if you don't use Outlook.
Is there a way that I can protect myself?
Yes. ZDNet has a free protection program that you can use called ByeMelissa
http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?fcode=000YPG&b=
W97M.Mailissa
Alias: W97M.Melissa
Infection Length: one VBA5 module named Melissa
Area of Infection: Microsoft Word 97 documents
Likelihood: common
Region Reported: US
Keys: Macro, Wild
Description:
W97M.Mailissa is a common macro virus with a unique payload.
Similar to W97M.Pri, the virus turns off the security protection upon opening an infected document in MS Word 2000. This disables the MS Word 2000 macro prompt the next time the document is opened.
It infects MS Word 97 documents by adding a new VBA5 (macro) module named Melissa.
Although there is nothing unique in the infection routine of this macro virus, it has a payload that utilizes MS Outlook to send an attachment of the infected MS Word 97 document being opened.
This virus can replace the text of the document with:
"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
For more information please visit the Symantec AntiVirus Research Center.