Hoax du Jour tips on protecting yourself against "Melissa"
The "Hoax du Jour" is a recurring column providing updated
information and commentary on the Internet community. It is a feature of
Korova Multimedia's "e-v-mail" page.
by Jan Harold Brunvand
March 29, 1999
The dust has hardly settled on Network Associates Inc.'s (NAI) charge onto the Internet, heralding danger to the entire 'Net with the WinNT worm, "Remote Explorer." (See my previous "Hoax du Jour," Remote Explorer of My Eye.) NAI was at it again last Friday, beating the bushes (and media reporters) with the hysterical news that a malicious "e-mail virus" was threatening the computing world.
The surprise is that the virus, "Melissa" ("W97m/Melissa"), is actually no hoax. In my opinion, it's an inspired Word template macro virus ... with a very clever payload. Last Friday, March 26, 1999, Network Associates Inc. (formerly McAfee Associates) informed MSNBC, ZDNET, and other media outlets of an e-mail attachment virus which was attacking Microsoft, Intel, and various other unnamed corporations. Allegedly, Microsoft shut off its mail servers to prevent a complete "denial of service" shutdown of their Exchange servers, and to halt further spread of the virus. Waggener Edstrom, Microsoft's PR firm, also experienced problems. Trend Micro and Symantec also jumped into the fray, confirming that numerous contacts had been experiencing overloads of Exchange mail servers.
By Saturday, March 27, CERT (Carnegie Mellon's Department of Defense-funded computer security team, the Computer Emergency Response Team) had identified the virus, and developed a fix. CERT issued an advisory about the virus, only the second advisory the team has issued for a virus since it was founded ten years ago.
Katherine Fithen couldn't confirm in her interview if she knew of government sites that had been hit. No problem! The Department of Energy's CIAC bulletin about "Melissa" on Saturday openly acknowledged that several DOE sites had detected the virus on their systems. "A new Word 97 macro virus named W97M.Melissa has been detected at multiple DOE sites and is known to be spreading widely."
SUBJ: Important Message From...
Here is that document you asked for ... don't show anyone else ;-)
The subject line, "Important message from..." ends with the sender's name. Pretty convincing, eh?
The attached Word file, LIST.DOC in most instances, contains a list of pornographic Web sites, and the "Melissa" macro code. The macro attaches its Visual Basic for Applications (VBA) module to the NORMAL.DOT template, and then blocks access to Word's Tools | Macro toolbar [source: CIAC, Woody's Office Watch newsletter].
It then disables some Word settings that can further interfere with macro viruses, "Confirm conversions at open," "Macro virus protection," and "Prompt to save Normal template" [source: CIAC].
Now active on the system, "Melissa" searches the Registry for a key indicating that "Melissa" has visited before. Finding none, it adds one,
"HKEY_Current_User\Software\Microsoft\Office\Melissa?"
with the value
"... by Kwyjibo."
The macro then ascertains the user's name from Application.UserName, which users enter into Word's profile, and creates an e-mail message addressed to the first 50 contacts listed in the user's Outlook address book (NOT Outlook Express). With this information, it sends a copy of the message, now identified as "Important message from {Application.UserName}," with the Word document attached.
A scary note from Woody's Office Watch newsletter (echoed in the CIAC bulletin): "Melissa" sends itself to 50 contacts from EACH of the address and contact lists you have access to in Outlook. Translation: your infection could result in 50, or 100, or 150, or 200 messages leaving with your name as the sender, depending on your Exchange server configuration. Eek!
Finally, it infects NORMAL.DOT by attaching itself to either the Document_Open or Document_Close commands, so that it can infect every Word document that a user works on subsequently.
Bonus payload: if the user happens to have a Word document open at a time when the minutes are equivalent to the date (say, 9:01 on April 1), it will copy a Bart Simpson quote into the file: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Cute, eh?
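The mailing behaviour described above leaves a recognisable trace at the mail server: the fixed subject prefix, a Word attachment, and repeated messages of up to 50 recipients from one sender. As an added example (not part of the original column), this Python code flags that pattern in constructed gateway records; the record fields, names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed gateway records for illustration; field names are assumptions.
SAMPLE_LOG = [
    {"sender": "pat@example.com", "display_name": "Pat Lee",
     "subject": "Important Message From Pat Lee",
     "attachments": ["LIST.DOC"], "rcpt_count": 50},
    {"sender": "pat@example.com", "display_name": "Pat Lee",
     "subject": "Important Message From Pat Lee",
     "attachments": ["LIST.DOC"], "rcpt_count": 50},
    {"sender": "pat@example.com", "display_name": "Pat Lee",
     "subject": "Important Message From Pat Lee",
     "attachments": ["notes.txt"], "rcpt_count": 3},
    {"sender": "sam@example.com", "display_name": "Sam Ortiz",
     "subject": "important message from S. Ortiz",
     "attachments": ["report.doc"], "rcpt_count": 12},
    {"sender": "kim@example.com", "display_name": "Kim Roe",
     "subject": "Lunch on Friday?",
     "attachments": ["menu.doc"], "rcpt_count": 2},
]

SUBJECT_RE = re.compile(r"^\s*important message from\s+(.+?)\s*$", re.IGNORECASE)
WORD_EXTENSIONS = (".doc", ".dot")


def match_message(msg):
    """Return the name in the subject if msg fits the pattern, else None."""
    m = SUBJECT_RE.match(msg["subject"])
    # Any Word attachment counts: the column says LIST.DOC only "in most instances".
    has_word_file = any(a.lower().endswith(WORD_EXTENSIONS)
                        for a in msg["attachments"])
    return m.group(1) if m and has_word_file else None


def summarize(log):
    """Per sender: matching messages, recipients reached, subject/name agreement."""
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "name_match": False})
    for msg in log:
        name = match_message(msg)
        if name is None:
            continue
        entry = report[msg["sender"]]
        entry["messages"] += 1
        entry["recipients"] += msg["rcpt_count"]
        # The subject is built from Word's Application.UserName, which need not
        # equal the mail display name, so agreement only raises confidence.
        entry["name_match"] |= name.lower() == msg["display_name"].lower()
    return dict(report)
```

A sender showing two or more matching messages of 50 recipients each corresponds to the "50 from EACH address list" behaviour quoted from Woody's Office Watch.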
Points to be determined later:
"Security experts" are debating whether "Melissa" is a new, horribly fiendish macro virus, or a very clever network worm. (Antivirus developers always have a stable full of "experts" whom they wind up like so many Chatty Cathys for an appreciative audience of reporters.) Again, see my previous column, Remote Explorer of My Eye, for a discussion of Internet worms.
Apparently even the macro's author was conscious of this issue; the macro contains these gleeful comments in its VBA code:
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
By Sunday, I was engaging in a playful argument with two gentlemen far more qualified than I to analyze virus alerts, Rob Rosenberger (webmaster of the Computer Virus Myths home page) and George Smith (editor of The Crypt Newsletter, and author of The Virus Creation Labs). Between us, we've discussed whether this is possibly the work of a spammer promoting a series of adult Web sites ... or if the URLs are simply "sucker bait," inserted to entice users to open the document, and perhaps manually redistribute it to friends.
This last point gave me an idea.
Like a worm, this virus has had such success at some sites, that mail servers have been experiencing very real "denial of service" crises. Unlike a worm, the virus doesn't communicate with other "segments" on connected computers or servers.
Nor is this another "e-mail virus" that "Good Times-style" hoaxes purport to warn us about -- with a very few exceptions, you still can't get a virus just by reading a message. "Melissa" does not represent a major breakthrough in virus authoring.
But IT DOES represent a marvelous evolution in the realm of chain e-mail and "Forwardables." As I discuss in my "e-v-mail" page, "Forwardables" are messages that rely on the USER'S faulty sense of skepticism, and inclination to send the e-mail to as many people as possible. But until now, manual intervention has always been required, in the form of a user falling victim to the embedded "thought virus" and clicking a FORWARD button.
This is clearly not the case with "Melissa." Once the Word file has been opened, the chain e-mail, or "spam," is sent from the user's computer without any manual intervention.
... "Melissa" may well be the first heuristic, autonomic, self-regenerating SPAM 'BOT.
In more ways than one, "Melissa" reminds me of the HAL-9000 super-computer in Stanley Kubrick's masterpiece, 2001: a space odyssey. HAL, as you may recall, was caught in a deception by the Discovery's mission commander, Dave Bowman, during an informal chat. Reacting quickly, HAL fabricated a false warning about a component of the ship's communications system failing within 72 hours ... unless the ship's crew conducted an EVA to retrieve and replace the AE-35 unit. When they did so, and found nothing wrong with it, they considered HAL at fault.
During a subsequent repair attempt, HAL murdered Frank Poole (the ship's second in command), shut down the life support systems of three hibernating survey team members, and trapped Bowman outside the ship. All while professing unrepentant devotion to the true mission of the Discovery, which HAL had been ordered to keep secret from the crew.
Like Dr. Heywood Floyd's fountain pen floating inside the Space Clipper cabin, and the nuclear satellites orbiting the earth outside, HAL was a symbolic heir to the lethal bone that Moonwatcher hurled to the heavens after killing a rival man-ape. Like that bone (and the pen, and the bombs), HAL was an artifact which carried out man's desires to acquire and protect resources, information.
Like HAL, "Melissa" seeks out secret information and protected resources, and then carries out its own ironic agenda.
Unsolicited commercial e-mail, or e-j-mail (as I called it almost three years ago), is a deception that plays on irony. I receive e-j-mail daily, almost hourly, and I have yet to receive a message which is entirely candid about its origin and purpose. Generally, e-j-mail arrives with missives like "This is in response to your inquiry," or "You are on this list because you expressed interest...." Rarely are the mail headers in e-j-mail accurate. I'm sure that "Melissa's" LIST.DOC is no different from dozens of other underwhelming adult "spams" that I receive regularly.
"Melissa" goes further than most e-j-mail, by removing any human intervention in its mission to deliver its payload to as many users as possible. It also spoofs the identity of the person who's been infected. As a "spam 'bot," it is almost ideally suited to its purpose -- if its true purpose is to only promote the sites listed in LIST.DOC,... which is doubtful.
George Smith cautioned me that the porn URLs may only be "sucker bait" to entice users to open the document. This is an old trick, a device to deliver the virus. In such cases, the propagation of the virus is the ultimate goal. I concur. "Melissa" may be a "dry run" before a truly malicious version is unleashed. (Already, a copy-cat version called "Papa" has been reported.)
Like HAL-9000 in the film, "Melissa" is a tool created by man, now self-reliant and proceeding on its own. Like HAL, it carries out its mission without supervision, with selfless abandon, completely independent of its creator. The author's intentions are, at the moment, a complete mystery.
Like HAL, "Melissa" cannot be reasoned with. Only "disconnected."
Taking the podium and making an arrogant prediction,... I have no doubt that various "Melissa" warnings will mutate into reconstituted versions of "Good Times." No doubt.
Mind you, it's not a matter of "who," or a matter of "how." Only a matter of "when." Last Friday, I received a warning about the "Happy99" file attachment ... a warning which fudged the details, and warned against opening the e-mail itself. I believe that the same will happen to "Melissa" before the week is out. By this morning, for example, CNN correspondents had been confusing technical details of "Melissa's" M.O. and warning readers who find the telltale e-mail, "don't open it."
In the meantime, here are my first, best suggestions for anyone who is wary of "Melissa." Like all preventative cures, these steps require effort. They're worth it, trust me.
To password protect the Normal.dot file in Word 97, perform these steps:
The next time you start Word, the normal.dot template will be protected.
WARNING: If you ever have to type in the password to make changes to the normal.dot file be aware that the file remains unprotected until you quit Word and restart it.
Remap the default action for Word documents to Word 97 Viewer (tested in Windows NT):
For more information on preventing automatic macros from running, ask the annoyware Word Assistant "Control what happens when you start Microsoft Word?", or search in the Visual Basic help for the topic "Auto Macros."
In closing, I'd like to ask you once more NOT to take it upon yourself to warn all your friends about "Melissa." If someone you know WARNS YOU, send them a link to one of the antivirus sites, above, or the link to this page. Also, read my "e-v-mail" page, and consider sending Aaron Lynch's CC: Contagion Correction e-mail as a reply.