"Measure by measure, drop by drop
And pound for pound we're taking stock
Of all the treasures still unlocked…"
Echo and the Bunnymen, "Never Stop"
The dust has hardly settled on Network Associates Inc.'s (NAI) charge onto the
Internet, heralding danger to the entire 'Net with the WinNT worm, "Remote
Explorer." (See my previous "Hoax du Jour," Remote Explorer of My Eye.) NAI was at
it again last Friday, beating the bushes (and media reporters) with the
hysterical news that a malicious "e-mail virus" was threatening the
computing world.
"The proliferation of this virus is something we've never seen before,"
said Srivats Sampath, a general manager at Network Associates. He said that
60,000 people at one company had been affected. He refused to identify the
company.
Mary Jo Foley, Sm@rt Reseller; Lisa M. Bowman, ZDNN
The surprise is that the virus, "Melissa" ("W97m/Melissa"), is
actually no hoax. In my opinion, it's an inspired Word template macro
virus ... with a very clever payload.
Last Friday, March 26, 1999, Network Associates Inc. (formerly McAfee
Associates) informed MSNBC, ZDNET, and other media outlets of an e-mail
attachment virus which was attacking Microsoft, Intel, and various other
unnamed corporations. Allegedly, Microsoft shut off its mail servers to
prevent a complete "denial of service" shutdown of their Exchange servers,
and to halt further spread of the virus. Waggener Edstrom, Microsoft's PR
firm, also experienced problems.
Trend Micro and Symantec also jumped into the fray, confirming that numerous contacts
had been experiencing overloads of Exchange mail servers.
"We've been swamped all day with customers calling in with this," said
Dan Schrader, director of product marketing at Trend Micro. "It's spreading
extremely quickly. Twenty major corporate sites have called us."
... Network Associates estimated the virus has already hit hundreds of
thousands of computers.
By Stephen Shankland, staff writer, CNET News.com
By Saturday, March 27, CERT (Carnegie Mellon's Department of Defense-funded computer
security team, the Computer Emergency Response Team) had
identified the virus, and developed a fix. CERT issued an advisory about
the virus, only the second advisory the team has issued for a virus since
it was founded ten years ago.
CERT first heard of the virus Friday afternoon and its members worked
through the night to analyze the virus and develop a fix, CERT manager
Katherine Fithen said.
"We're getting so many reports from across the world, that we know
this is going to be a huge problem come Monday," Fithen said.
The Associated Press, on CNN.com
Katherine Fithen couldn't confirm in her interview if she knew of
government sites that had been hit. No problem! The Department of
Energy's CIAC
bulletin about "Melissa" on Saturday openly acknowledged that
several DOE sites had detected the virus on their systems. "A new Word 97
macro virus named W97M.Melissa has been detected at multiple DOE
sites and is known to be spreading widely."
Risk of infection is high. This virus is spreading widely within and
without of the DOE complex. The risk of damage to your system is low
because most users do not have macros in files and would be alerted by
Word's macro detector. The risk of lost productivity and lost mail messages
is high as mail servers may have to be shut down and purged of infected
mail messages.
Where do you want to go today?
As documented in the CERT and CIAC alerts, "Melissa" isn't a vicious
virus. In fact, other than its highly unusual "payload," it's not nearly
as destructive as other file attachment macro viruses and Trojan
programs.
What may not be made startlingly clear in the frantic news reports is
that "Melissa" ONLY works in Word 97 or 2000. Systems
WITHOUT Outlook may still be infected, but cannot
automagically send the virus. "Melissa" doesn't exploit any new
vulnerabilities.
In fact, according to Stephen
Shankland's article on CNET, "Melissa" is not unlike a buggy little
virus called "Share Fun" that emerged in 1997.
Alas, "Melissa" is far from buggy. Though Microsoft identified the security
vulnerability in Word attachments sent via e-mail several months ago,
apparently many sites have not implemented the free Word 97
Template Security Patch, WD97SP.EXE.
This is what has allowed Melissa to run
rampant among corporate sites that depend on the combination of
Word, Outlook and Exchange servers.
Based on a day's worth of crash-course research, here's my summary of
"Melissa's" modus operandi.
The user receives an e-mail, usually from a known contact:
SUBJ: Important Message From...
Here is that document you asked for ... don't show
anyone else ;-)
The subject line, "Important message from..." ends with the sender's
name. Pretty convincing, eh?
The attached Word file, LIST.DOC in most instances, contains a list of
pornographic Web sites, and the "Melissa" macro code. The macro attaches
its Visual Basic for Applications (VBA) module to the NORMAL.DOT template,
and then blocks access to Word's Tools | Macro
toolbar [source: CIAC, Woody's Office
Watch newsletter].
It then disables some Word settings that can
further interfere with macro viruses, "Confirm conversions at open," "Macro
virus protection," and "Prompt to save Normal template" [source: CIAC].
Now active on the system, "Melissa" searches the Registry for a key
indicating that "Melissa" has visited before. Finding none, it adds
one.
The macro then ascertains the user's name from
Application.UserName, which users enter into Word's profile, and
creates an e-mail message addressed to the first 50 contacts listed in the
user's Outlook address book (NOT Outlook Express). With this information,
it sends a copy of the message, now identified as "Important message
from {Application.UserName}," with the Word document attached.
A scary note from Woody's Office
Watch newsletter (echoed in the CIAC bulletin): "Melissa"
sends itself to 50 contacts from EACH of the address and contact
lists you have access to in Outlook. Translation: your infection could
result in 50, or 100, or 150, or 200 messages leaving with your name as the
sender, depending on your Exchange server configuration. Eek!
Finally, it infects NORMAL.DOT by attaching itself to either the
Document_Open or Document_Close commands, so that it can
infect every Word document that a user works on subsequently.
Bonus payload: if the user happens to have a Word document open at a time when
the minutes are equivalent to the date (say, 9:01 on
April 1), it will copy a Bart Simpson quote into the file: "Twenty-two
points, plus triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here." Cute, eh?
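The message pattern just described (a fixed subject prefix, a fixed body text, a Word attachment, and fifty copies per address list leaving one mailbox) is enough for a mail gateway to act on. The following Python script is an added example written for this page, not code from the column, CIAC, or any antivirus vendor: it classifies one message on those three traits and counts, per sender, how many messages with that subject prefix appear in gateway log lines. The sample messages, the log-line format, the placeholder attachment bytes, and the 50-message burst threshold are all constructed for the demonstration.

```python
# Added example (not from the column): a mail-gateway heuristic for the
# message pattern described above. Sample messages, log lines and the
# burst threshold are constructed for the demonstration.
import email
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^\s*Important Message From\b", re.IGNORECASE)
BODY_RE = re.compile(r"here is that document you asked for", re.IGNORECASE)
# Assumed log-line shape: ... from=<sender> subject="..."
LOG_RE = re.compile(r'from=<(?P<sender>[^>]+)> subject="(?P<subject>[^"]*)"')
BURST_THRESHOLD = 50  # assumed: one address list's worth of copies from one sender


def classify_message(raw: bytes) -> dict:
    """Score one RFC 822 message on the three traits the column lists:
    the fixed subject prefix, the fixed body text, and a Word attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    doc_names = [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith((".doc", ".dot"))
    ]
    hits = {
        "subject": bool(SUBJECT_RE.search(subject)),
        "body": bool(BODY_RE.search(body)),
        "doc_attachment": bool(doc_names),
    }
    # Either fixed string plus a Word attachment is enough to hold the mail.
    # The strings without an attachment are only logged: a forwarded warning
    # that quotes the text looks exactly like that.
    if hits["doc_attachment"] and (hits["subject"] or hits["body"]):
        verdict = "quarantine"
    elif hits["subject"] or hits["body"]:
        verdict = "log"
    else:
        verdict = "pass"
    return {"verdict": verdict, "hits": hits, "attachments": doc_names}


def burst_senders(log_lines, threshold=BURST_THRESHOLD):
    """Count, per sender, log entries whose subject carries the fixed prefix,
    and return the senders at or above the threshold. One mailbox emitting
    this many identical subjects is the Exchange flood the column describes."""
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and SUBJECT_RE.search(m.group("subject")):
            counts[m.group("sender")] += 1
    return {sender: n for sender, n in counts.items() if n >= threshold}


def build_sample(sender_name: str, with_attachment: bool) -> bytes:
    """Construct a sample message in the shape quoted above (no macro code)."""
    msg = EmailMessage()
    msg["From"] = f"{sender_name} <user@example.com>"
    msg["To"] = "friend@example.com"
    msg["Subject"] = f"Important Message From {sender_name}"
    msg.set_content("Here is that document you asked for ... don't show anyone else ;-)")
    if with_attachment:
        # Placeholder bytes stand in for the attachment; a real one is an OLE2 file.
        msg.add_attachment(b"placeholder", maintype="application", subtype="msword",
                           filename="LIST.DOC")
    return bytes(msg)


# Constructed log: one sender flooding, one sending a single copy, one unrelated.
SAMPLE_LOG = (
    [f'Mar 26 14:{i % 60:02d}:00 gw smtpd: from=<alice@example.com> '
     f'subject="Important Message From Alice"' for i in range(50)]
    + ['Mar 26 14:05:00 gw smtpd: from=<bob@example.com> subject="Important Message From Bob"',
       'Mar 26 14:06:00 gw smtpd: from=<carol@example.com> subject="Lunch?"']
)

if __name__ == "__main__":
    print(classify_message(build_sample("Alice", True))["verdict"])   # quarantine
    print(classify_message(build_sample("Alice", False))["verdict"])  # log
    print(burst_senders(SAMPLE_LOG))                                   # {'alice@example.com': 50}
```

The two checks are deliberately independent: the content match catches the first copy to arrive, while the per-sender count catches a mailbox that has already been infected even if a variant changes the wording, since the outbound burst is the one trait the column's description makes unavoidable.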
Points to be determined later:
At this date, Outlook Express and other mail readers ARE NOT VULNERABLE
[Source: CIAC].
User intervention is REQUIRED, namely by opening the Word attachment. Some mail
programs may be configured to automatically open attachments. This would be
BAD.
Though this virus is spread primarily via e-mail, an infected Word file
may be transported by any other means (floppy, FTP, CD-ROM, Web site,
etc.). The virus is just as likely to infect and send itself out via Outlook from
a file acquired by means other than e-mail.
It hasn't been specified what danger exists for users of Word 98 for
Macintosh, since Macs don't have a Registry consistent with Windows. It may
be that Mac users can harbor the virus in infected Word documents.
"It's an e-mail virus!
It's a worm!"
No ... it's a SPAM 'BOT.
"Security experts" are debating whether "Melissa" is a new, horribly
fiendish macro virus, or a very clever network worm.
(Antivirus developers always have a stable full of "experts" whom they wind
up like so many Chatty Cathys for an appreciative audience of reporters.)
Again, see my previous column, Remote
Explorer of My Eye for a discussion of Internet worms.
Apparently even the macro's author was conscious of this issue; the
macro contains these gleeful comments in its VBA code:
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
By Sunday, I was engaging in a playful argument with two gentlemen far
more qualified than I to analyze virus alerts, Rob Rosenberger (webmaster of
the Computer Virus Myths home
page) and George Smith (editor of The Crypt Newsletter, and author of
The
Virus Creation Labs). Between
us, we've discussed whether this is possibly the work of a spammer
promoting a series of adult Web sites ... or if the URLs are simply
"sucker bait," inserted to entice users to open the document, and perhaps
manually redistribute it to friends.
This last point gave me an idea.
Like a worm, this virus has had such success at some sites, that mail
servers have been experiencing very real "denial of service" crises. Unlike
a worm, the virus doesn't communicate with other "segments" on connected
computers or servers.
Nor is this another "e-mail virus" that "Good Times-style" hoaxes
purport to warn us about -- with a very few exceptions, you still
can't get a virus just by reading a message. "Melissa" does not represent a
major breakthrough in virus authoring.
But IT DOES represent a marvelous evolution in the realm of chain
e-mail and "Forwardables." As I discuss in my "e-v-mail" page, "Forwardables" are messages that rely
on the USER'S faulty sense of skepticism, and inclination to send the
e-mail to as many people as possible. But until now, manual intervention has always
been required, in the form of a user falling victim to the embedded "thought virus" and clicking a FORWARD button.
This is clearly not the case with "Melissa." Once the Word file has been
opened, the chain e-mail, or "spam," is sent from the user's computer
without any manual intervention.
... "Melissa" may well be the first heuristic,
autonomic, self-regenerating SPAM 'BOT.
"Open the pod bay doors, please, Hal."
In more ways than one, "Melissa" reminds me of the HAL-9000
super-computer in Stanley Kubrick's masterpiece, 2001: A Space
Odyssey. HAL, as you may recall, was caught in a deception by the
Discovery's mission commander, Dave Bowman, during an informal chat.
Reacting quickly, HAL fabricated a false warning about a component
of the ship's communications system failing within 72 hours ...
unless the ship's crew conducted an EVA to retrieve and replace
the AE-35 unit. When they did so, and found nothing wrong with it, they
considered HAL at fault.
During a subsequent repair attempt, HAL murdered Frank Poole (the ship's
second in command), shut down the life support systems of three hibernating
survey team members, and trapped Bowman outside the ship. All while
professing unrepentant devotion to the true mission of the Discovery,
which HAL had been ordered to keep secret from the crew.
Like Dr. Heywood Floyd's fountain pen floating inside the Space
Clipper cabin, and the nuclear satellites orbiting the earth outside, HAL was a
symbolic heir to the lethal bone that Moonwatcher hurled to the heavens after
killing a rival man-ape. Like that bone (and the pen, and the bombs), HAL
was an artifact which carried out man's desires to acquire and protect
resources, information.
Like HAL, "Melissa" seeks out secret information and protected
resources, and then carries out its own ironic agenda.
Unsolicited commercial e-mail, or e-j-mail (as I called it almost
three years ago) is a deception that plays on irony. I receive e-j-mail
daily, almost hourly, and I have yet to receive a message which is entirely
candid about its origin and purpose. Generally, e-j-mail arrives with missives
like "This is in response to your inquiry," or "You are on this list
because you expressed interest...." Rarely are the mail headers in e-j-mail
accurate. I'm sure that "Melissa's" LIST.DOC is no different from dozens of
other underwhelming adult "spams" that I receive regularly.
"Melissa" goes further than most e-j-mail, by removing any human
intervention in its mission to deliver its payload to as many users as
possible. It also spoofs the identity of the person who's been infected. As
a "spam 'bot," it is almost ideally suited to its purpose -- if its true
purpose is only to promote the sites listed in LIST.DOC ... which is doubtful.
George Smith cautioned me that the porn URLs may only be "sucker bait"
to entice users to open the document. This is an old trick, a device to
deliver the virus. In such cases, the propagation of the virus is the
ultimate goal. I concur. "Melissa" may be a "dry run" before a
truly malicious version is unleashed. (Already, a copy-cat version called
"Papa" has been reported.)
Like HAL-9000 in the film, "Melissa" is a tool created by man, now
self-reliant and proceeding on its own. Like HAL, it carries out its
mission without supervision, with selfless abandon, completely independent
of its creator. The author's intentions are, at the moment, a complete
mystery.
Like HAL, "Melissa" cannot be reasoned with. Only "disconnected."
Taking the podium and making an arrogant prediction,... I have no doubt
that various "Melissa" warnings will mutate into reconstituted versions of
"Good Times." No doubt.
Mind you, it's not a matter of "who," or a matter of "how." Only a
matter of "when." Last Friday, I received a warning about the "Happy99"
file attachment ... a warning which fudged the details, and warned against
opening the e-mail itself. I believe that the same will happen to "Melissa"
before the week is out. By this morning, for example, CNN
correspondents had been confusing technical details of "Melissa's" M.O.
and warning readers who find the telltale e-mail, "don't open it."
In the meantime, here are my first, best suggestions for anyone who is
wary of "Melissa." Like all preventative cures, these steps require effort.
They're worth it, trust me.
If you receive an e-mail message like that described above, DON'T open
the attachment. (Well, duh.)
Don't open Word attachments and enable macros. Enable "Macro Virus
Protection" (see below) and click DISABLE MACROS when you open Word
attachments.
As always, treat all suspicious file attachments with
caution. When in doubt, delete it, and ask the sender what it was.
Please resist the impulse to send out your own warning about this. The
news is being spread just fine, thank you. Share the link to this page instead. (Don't
worry about me, I can handle the bandwidth.)
Several antivirus vendors have already posted vaccines and
recipes for protecting yourself from "Melissa." Please review their sites.
Again, share the links.
In Word, ensure that the Tools | Options |
General | Macro virus protection setting is CHECKED. When you open a
suspicious document, you'll be prompted about macros; click the DISABLE
MACROS button.
Follow the CIAC's recipe for protecting Word's main template, NORMAL.DOT, from insidious macros:
To password protect the Normal.dot file in Word 97, perform these steps:
Start Word.
Choose the Tools, Macro, Visual Basic Editor command.
In the Project window of the Visual Basic Editor, click on Normal.
Choose the Tools, Normal Properties command, Protection tab.
Check the Lock Project for Viewing check box and type in a password twice.
Close the dialog box, close the Visual Basic editor.
Quit Word.
The next time you start Word, the normal.dot template will be
protected.
WARNING: If you ever have to type in the password to make changes to the
normal.dot file be aware that the file remains unprotected until you quit
Word and restart it.
Install the Word 97 Viewer. If you already have Word 97 installed, Setup
will warn you that making the
viewer the DEFAULT application for Word files will interfere with your ability to
use Word as your e-mail editor (WordMail). Select the option to open Word files
in Word by default. Complete the Word Viewer installation.
In Explorer, open the Options | File Types tab.
Locate the "Microsoft Word Document" registered file type.
Here's where you'll need to exercise due care. Click the EDIT button.
You will probably see the "Open" command in bold, indicating that it is the
default action. Identify the "WordView" command. Highlight that command,
and click the SET DEFAULT button. Click OKAY as necessary to complete your changes.
Now, when you right-click on a Word file, "Open" is not the default action. Opening
the file in the Word 97 Viewer is. Select Open manually to edit Word files.
In Outlook 98, double-clicking (or opening) a Word file in an e-mail message
will launch the file in the Word 97 viewer, not Word.
In most normal contexts (say, double-clicking a Word file in Explorer), you
can hold down the SHIFT key to stop any macros from running. This also works
when you're creating a new document from a template. Just keep holding the
SHIFT key down until the document displays.
For some modicum of protection when opening files with Word, you can
modify the "Open" command to prevent running the usual "auto macros." Since
some Word macro viruses (mind you, not all of them) run themselves from
within one of the automatic macros (AutoExec, AutoNew, AutoOpen,
AutoClose, AutoExit), you can open documents and avoid any functions
that are associated with those macros.
Again, a certain level of Windows expertise
and caution is required to implement this hack.
For more information on preventing automatic macros from running, ask
the annoyware Word Assistant "Control what happens when you start Microsoft Word?",
or search in the Visual Basic help for the topic "Auto Macros."
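Everything the column attributes to the macro (an auto-run entry point such as Document_Open or one of the Auto* macros listed above, switching off Word's macro virus protection and the Normal-template prompt, disabling the Tools | Macro menu, driving Outlook through automation, writing into NORMAL.DOT) shows up as recognisable text once a module's VBA source has been exported. The scanner below is an added example, not code from the column, CIAC, or Microsoft, and it serves both the modus operandi summary and the auto-macro paragraph: it scores exported module text against those indicators so an administrator can triage documents without opening them in Word. The rule names, weights and verdict thresholds are this example's own choices; the Word object-model names used in the patterns (Options.VirusProtection, Options.SaveNormalPrompt, Options.ConfirmConversions, NormalTemplate.VBProject, System.PrivateProfileString) are the Word 97 VBA names as I know them, stated here as an assumption; and the three sample modules are constructed fragments for the demonstration, not the real macro.

```python
# Added example (not from the column): heuristic scanner for exported VBA
# module text. Rule names, weights and thresholds are this example's own.
import re

# (name, pattern, weight). Property names are Word 97 VBA names as I know
# them (an assumption); a name that does not exist simply never matches.
RULES = [
    ("auto_macro_entry",
     re.compile(r"^[ \t]*(?:Private\s+|Public\s+)?Sub\s+"
                r"(?:Document_Open|Document_Close|AutoExec|AutoNew|AutoOpen|AutoClose|AutoExit)\b",
                re.I | re.M), 2),
    ("virus_protection_off",
     re.compile(r"Options\.VirusProtection\s*=\s*False", re.I), 3),
    ("confirm_conversions_off",
     re.compile(r"Options\.ConfirmConversions\s*=\s*False", re.I), 1),
    ("save_normal_prompt_off",
     re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I), 2),
    ("macro_menu_disabled",
     re.compile(r'CommandBars\("Tools"\)\.Controls\("Macro"\)\.Enabled\s*=\s*False', re.I), 3),
    ("outlook_automation",
     re.compile(r'CreateObject\("Outlook\.Application"\)', re.I), 3),
    ("address_list_walk", re.compile(r"\.AddressLists\b", re.I), 2),
    ("normal_template_write", re.compile(r"NormalTemplate\.VBProject", re.I), 3),
    ("registry_marker",
     re.compile(r"\b(?:System\.PrivateProfileString|RegWrite)\b", re.I), 1),
]

REVIEW_AT = 3   # assumed thresholds: one self-protection tweak earns a look ...
BLOCK_AT = 6    # ... two independent indicators together get the file held

# Whole-line VBA comments only; a trailing comment after code is kept because
# a ' inside a string literal cannot be told apart from one cheaply.
COMMENT_LINE_RE = re.compile(r"^[ \t]*'.*$", re.M)


def strip_comment_lines(source: str) -> str:
    """Drop whole-line comments so commented-out code is not scored."""
    return COMMENT_LINE_RE.sub("", source)


def scan_vba(source: str) -> dict:
    """Return the indicators found, a weighted score and a verdict."""
    code = strip_comment_lines(source)
    hits = {name: len(pat.findall(code)) for name, pat, _ in RULES}
    score = sum(weight for name, _, weight in RULES if hits[name])
    verdict = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "pass"
    return {"verdict": verdict, "score": score,
            "hits": {k: v for k, v in hits.items() if v}}


# Constructed fragments for the demonstration (not the real macro).
SAMPLE_SUSPICIOUS = """
' comment lines are ignored by the scanner
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    CommandBars("Tools").Controls("Macro").Enabled = False
    Set MailApp = CreateObject("Outlook.Application")
    Set Lists = MailApp.GetNameSpace("MAPI").AddressLists
End Sub
"""

SAMPLE_BENIGN = """
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
"""

SAMPLE_COMMENTED_OUT = """
Sub AutoOpen()
    ' Options.VirusProtection = False
    MsgBox "Welcome"
End Sub
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN),
                        ("commented", SAMPLE_COMMENTED_OUT)):
        print(label, scan_vba(text))
```

An auto-macro entry point on its own scores below the review line on purpose: plenty of legitimate templates use AutoOpen, and it is the combination with a self-protection tweak (the macro virus protection or Normal-template prompt switched off, the Tools | Macro menu disabled) or with Outlook automation that separates the column's description from ordinary office automation.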
In closing, I'd like to ask you once more NOT to take it upon yourself
to warn all your friends about "Melissa." If someone you know WARNS YOU, send them a link to one of the
antivirus sites, above, or the link to this page. Also, read my
"e-v-mail" page, and consider sending Aaron Lynch's
CC: Contagion Correction e-mail as a reply.