Friday, 2 Apr 1999

The Melissa virus, also known as WM/Melissa or W97.Melissa, is a Microsoft Word macro virus. It has recently been heavily reported in the media because of one of its primary distribution methods. Melissa probably originated from an infected document posted to a public USENET server. The document purported to contain passwords to pornographic web sites and was therefore eagerly downloaded. The virus infected those users and passed itself on via email, which is why it has spread so quickly.

The virus is written in Microsoft Visual Basic for Applications, and for this reason it is extremely widespread: most of the world's companies use Microsoft software, and this virus has hit the larger organizations the hardest. The fact is, it is not the virus's payload that is causing the problem but its major method of reproduction, which I refer to here as the mail bomb.

When Microsoft Word starts, it first opens an initial template file, by default called NORMAL.DOT. This template file resides, by default, in the TEMPLATES directory of your Microsoft Office installation. The file contains your default Word settings, including any standard macros that you may use.

Melissa traps the 'On Open' event in Microsoft Word. This event fires every time a document is opened, including NORMAL.DOT. As soon as an unsuspecting user opens an infected document from any source, the virus swings into action.

The following happens each time an infected document is opened:
1. Melissa first switches off any error messages that may be produced
• This is done so you do not suspect anything is wrong, should the virus fail one of its actions.

2. Melissa checks the security level of Word 2000
• If the security level entry exists, i.e. if you have Word 2000 installed, then your protection is removed by setting macro virus security to its lowest level.
• The virus also disables the macro security option on your Word 2000 menus, thereby stopping you from altering your security settings from their lowest level.
• The virus disables the macro option on your Word 97 menus, thereby stopping you from deleting the virus from the current document or even verifying that you are infected.
• The virus disables the prompts that are displayed concerning file conversions, macro virus protection and saving your normal template. This is done so you do not suspect anything is wrong by receiving an odd prompt while it is propagating itself in the background.

3. Melissa instantiates an Outlook object, an email object, and a MAPI object.
• It requires each of these objects to send the email.

4. Melissa now checks for its registry key
• An infected machine contains the key HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? with the value "... by Kwyjibo".

5. If the registry key does not exist then Melissa attempts email distribution.
• The virus tests to see if its Outlook object is Microsoft Outlook.
• If your default MAPI client is other than Outlook or you do not have Outlook installed then the virus will fail its email distribution attempt, but you will not receive an error message due to step 1.

6. Melissa logs on to your default profile
• VBA may expose your Exchange password here. In most NT/Exchange installations your Exchange password is also your NT logon password (this has not been tested).

7. Melissa then finds the first address list in your address book
• In a typical Enterprise Exchange installation there may be a number of Exchange servers dotted around the world, all replicating their databases to each other, and each server database could contain many address lists.

8. The virus grabs the first 50 addresses in the current address list and adds these to a recipient list for its mail bomb.
• Each entry in the address list could in its own right be a mailing list, containing more addresses.

9. The virus builds the rest of the email
• The Subject Line is "Important Message From " followed by the username that Word was installed with, usually your or your company's name.
• The Body is: "Here is that document you asked for ... don't show anyone else Wink"
• The email is completed with the current document as an attachment. Theoretically this document could be anything, not just the original advert for porn site passwords (this has not been tested).
10. Melissa then moves to your next address list and cycles through steps 8 and 9 until all address lists have been sampled.
• In a typical Enterprise Exchange installation there may be a considerable number of address lists, each contributing 50 addresses to the mail bomb.

11. The virus then logs off your Outlook Profile

12. Melissa then sets the registry key mentioned in step 4 so that the current victim does not send any more mail bombs.
• The rest of the virus code is concerned with the second method of propagation and the payload.

13. The virus checks for its existence in the active document and checks that the code module is called Melissa.
• Hence the name of the virus itself.
• If the code module is named other than Melissa then its name is changed.

14. The virus checks for its existence in the default template and checks that the code module is called Melissa.
• If the code module is named other than Melissa then its name is changed.
• If the active document does not contain the code module then the code is copied in line by line.
• If the default template does not contain the code module then the code is copied in line by line.
• Many macro viruses simply overwrite the default template with an infected version, losing the default settings and alerting the user; Melissa adds to the default template, making an infection harder to spot.

When a new document is created from the default template, the filename (unless altered in the template) defaults to "DocumentN", where N is the number of new documents created since Word was last started.
The virus is clever enough to recognise that a filename containing the word "Document" probably has not been saved. The virus will not save this document until you give it a filename. If, however, the document has already been saved, then the virus saves the file, now containing itself. The virus also sets the "Document Saved" flag to true, so that if you didn't modify your document yourself you are not alerted with a "Save Changes" message when you close it.

• There are some comments in the virus containing the following text:

WORD/Melissa written by Kwyjibo
Works in both Word 2000 and Word 97
Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

15. The last thing the virus does is set the condition for the deployment of the payload.
• If the number of the current day is the same as the number of the current minute, then the following text is inserted into the current active document:

“Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”

• The message is a quote from Bart Simpson in The Simpsons; it refers to a Scrabble game he was playing against Lisa Simpson.
• The attributed author's name (Kwyjibo) is the word Bart used to get the high score mentioned in the payload message.
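The steps above give a defender a set of fixed strings to look for: the module name Melissa, the "Melissa?" registry marker, the "Kwyjibo" author tag, the mail subject and body text, and the Scrabble payload. The scan below is an added example, not code from the original article. It assumes the macro source has already been extracted from the .doc or NORMAL.DOT as plain text (by whatever macro extraction tool you use); the two samples are constructed to carry only the indicator strings the article quotes.

```python
"""Indicator scan for Melissa-style Word macro source (added example)."""
import re

# Each indicator is a string the article attributes to the virus.
# The Open handler alone is not an indicator: legitimate templates use it too.
INDICATORS = {
    "module_named_melissa": re.compile(r'Attribute VB_Name = "Melissa"', re.I),
    "registry_marker": re.compile(r"Melissa\?"),
    "author_tag": re.compile(r"Kwyjibo", re.I),
    "mail_subject": re.compile(r"Important Message From", re.I),
    "mail_body": re.compile(r"Here is that document you asked for", re.I),
    "payload_text": re.compile(r"Twenty-two points, plus triple-word-score", re.I),
    "open_handler": re.compile(r"\b(Document_Open|AutoOpen)\b", re.I),
}
NEUTRAL = {"open_handler"}  # counted for reporting, not for the verdict


def scan_macro_source(source: str) -> tuple[str, list[str]]:
    """Return (verdict, matched indicator names) for one macro source text.

    Two or more non-neutral indicators give 'melissa-like'; a single hit is
    reported but judged 'clean' so that, e.g., a mail-filter rule that quotes
    the subject line is not itself flagged as an infection.
    """
    matched = [name for name, rx in INDICATORS.items() if rx.search(source)]
    strong = [name for name in matched if name not in NEUTRAL]
    verdict = "melissa-like" if len(strong) >= 2 else "clean"
    return verdict, matched


# Constructed sample: the VBA export header and the comments the article quotes.
# No virus logic is included; only the identifying strings matter here.
SAMPLE_INFECTED = '''Attribute VB_Name = "Melissa"
' WORD/Melissa written by Kwyjibo
' Works in both Word 2000 and Word 97
Private Sub Document_Open()
    ' (body omitted in this constructed sample)
End Sub
'''

# Constructed sample of a harmless template that also uses the Open event.
SAMPLE_CLEAN = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    MsgBox "Welcome to the quarterly report template"
End Sub
'''

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        verdict, matched = scan_macro_source(text)
        print(f"{label}: {verdict} {matched}")
```

Run over every .doc and .dot in a user profile (not just the current user's, for the reason given under issue 1 below), the scan finds the dormant copies that a per-machine clean-up would miss.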

Issues concerning infection
1. The email is sent using the current user profile. The issue of profiles is thorny for virus removal, as NT Server and Workstation keep each user's registry settings, Word documents, templates and other files separate from every other user's. Therefore any clean-up of this and indeed other viruses will have to take into consideration the fact that a complete set of infected files could be sitting in a dormant user profile, just waiting to be opened and start the whole process off again. Not only that, but the registry entry is made and checked under the HKEY_CURRENT_USER branch, so the next user who logs on to that machine could set the mail bomb off again. The mail bomb is delivered once per user, NOT once per computer.
2. The virus logs on to your default Outlook profile and seems to have no problem with passwords. If the profile password is exposed, then in many cases so is the NT login password, as the two are often synchronised in an NT/Exchange installation (this has not been tested).
3. The reason the virus has spread so fast is down to its primary propagation mechanism, the mail bomb. Consider one infected user who has at least 50 entries in his address list. Consider that each of the fifty users he unwittingly sent infected email to also has at least 50 entries in their address lists, and so on. After 2 cycles there are 2,500 infections; after 3 cycles there are 125,000 infections. After 10 cycles there are 97,656,250,000,000,000 possible infections.
4. By far the biggest problem caused by Melissa is the amount of email being sent. Consider again the Enterprise Exchange installation with many sites and servers in each site. The sheer volume of email with attachments was simply maxing out the bandwidth available for inter-site communications, effectively halting all inter-site communications until the email had all been passed. The costs for one medium-sized corporation have been reliably estimated at £5 million sterling for this one virus alone.
5. If the registry key exists then the virus will not mail bomb; thus if a user inserts the key correctly by hand, the virus will not mail bomb should the user become infected at a later date. This will not, however, protect the user from variants that test for a different registry key.
6. Resetting the Word 2000 Macro Virus Protection key in the registry will at least warn the user that there is a macro in the current document and give them the option of disabling macros. The virus does not modify the Word 97 Macro Virus Protection key in the registry.
7. It would be relatively simple to modify this virus to be polymorphic, i.e. the virus would slightly modify its code upon each infection, making detection, removal and protection far more difficult. This type of virus represents a major threat to the business community, which relies on Microsoft Word, Outlook and Exchange. More must be done to reduce the risk so that anti-virus companies are not constantly playing catch-up. A suggestion has been made to me that the VBA functionality could be optionally switched off in future versions of Microsoft Office products, allowing systems administrators to remove the threat at a stroke from most users.
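Since the mail bomb, not the payload, is what does the damage (issues 3 and 4), the quickest relief is a rule at the mail gateway that quarantines messages carrying the traits listed under step 9: the fixed subject prefix, the fixed body text, and a Word document attached. The filter below is an added example, not code from the original article. It uses only Python's standard `email` package; the two messages are constructed for the example, and the attachment bytes are a placeholder, not a real document.

```python
"""Gateway check for Melissa-style mail (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_PREFIX = "Important Message From"
BODY_TEXT = "Here is that document you asked for"
WORD_TYPES = {"application/msword", "application/vnd.ms-word"}


def melissa_indicators(raw: bytes) -> list[str]:
    """Return the names of the Melissa traits present in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    subject = str(msg.get("Subject", "") or "")
    if subject.lower().startswith(SUBJECT_PREFIX.lower()):
        found.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT.lower() in body.get_content().lower():
        found.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in WORD_TYPES or name.endswith((".doc", ".dot")):
            found.append("word_attachment")
            break
    return found


def should_quarantine(raw: bytes) -> bool:
    """Quarantine when a Word attachment is combined with at least one of the
    fixed text traits; a Word attachment alone is ordinary business mail, and
    the subject alone could be a reply quoting the virus's own subject line."""
    found = melissa_indicators(raw)
    return "word_attachment" in found and len(found) >= 2


def build_sample(subject: str, body: str, attach_doc: bool) -> bytes:
    """Construct a test message; addresses and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_doc:
        msg.add_attachment(b"placeholder bytes, not a real Word document",
                           maintype="application", subtype="msword",
                           filename="list.doc")
    return msg.as_bytes()


# Constructed samples: one mimicking the virus's mail, one ordinary attachment.
INFECTED_SAMPLE = build_sample(
    "Important Message From Alice",
    "Here is that document you asked for ... don't show anyone else",
    attach_doc=True,
)
CLEAN_SAMPLE = build_sample("Quarterly figures", "Attached are the Q1 numbers.", attach_doc=True)

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, melissa_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

A rule like this only catches the unmodified strain; a variant that changes the subject line (issue 7) slips straight past it, which is why the filter is a stopgap alongside template scanning and raising Word's macro security, not a replacement for them.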
