SETI Re: Hits: Fw: (meteorobs) FW: [ASTRO] Public Service Announcement

Daniel Boyd Fox ( foxd@indiana.edu )
Mon, 29 Mar 1999 08:40:39 -0500 (EST)

Yes, this is a REAL macro-virus. IU got hit with it friday. I looked
at the macro and found the lines:

'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

Any idea what a Kwyjibo is? I did a web search and the only two places I
could find it were in the Simpson's Anti-FAQ (which fits with a quotation
the virus sometimes inserts in documents) and a Rocky Horror Page which
had email signed from "A Kwyjibo" in Dresden, Germany.

73,
Daniel Fox
KF9ET

On Mon, 29 Mar 1999, KEN UK wrote:

> Hi all,
>
> I would not normally forward this type of message, but in this instance I
> think you all might benefit from its contents............Best regards, Ken
> UK.
> -----Original Message-----
> From: Wayne T Hally <meteors@eclipse.net>
> To: 'meteorobs@jovian.com' <meteorobs@jovian.com>
> Date: Monday, March 29, 1999 12:31 AM
> Subject: (meteorobs) FW: [ASTRO] Public Service Announcement
>
>
> >Hi All,
> > I don't usually do this, but as a fairly experienced e-mail and web user,
> >this threat seems real enough, so I thought I'd forward it to the list. I
> >am aware of the many hoaxes, but as far as I can tell, this is a real,
> >uninoculated threat, so I thought I'd forward what I had. If I'm a doofus
> >for being taken in, so be it....my cranial filter says this could be a real
> >threat.
> >
> >Wayne
> >
> >PS see the URL here for a documented real hoax/threat site
> >http://www.ciac.org/ciac/bulletins/j-037.shtml
> >
> >----------
> >From: Mark Taylor[SMTP:mctaylor@mindspring.com]
> >Sent: Saturday, March 27, 1999 3:30 PM
> >To: (My astronomy friends at:) sjaa@seds.lpl.arizona.edu;
> >sf-bay-tac@seds.lpl.arizona.edu; astro@lists.mindspring.com;
> >shallow-sky@lists.best.com
> >Subject: [ASTRO] Public Service Announcement
> >
> >There are a lot of email messages out there warning you not to open mail
> >messages with one subject line or another. 99.99% of these are bogus,
> >but this is the second REAL one I've seen as many weeks!! Both of the
> >viruses have nailed us where I work, so I know first hand just how real
> >they are.
> >
> >Unfortunately I no longer have the warning details for the first one,
> >("happy99" - if you see that name, DELETE it) but here's the scoop on
> >the latest and most vicious of the two (called "W97M_Melissa virus")...
> >
> >If a mail message comes in from <someone you probably know>
> >and the subject reads:
> > Subject: Important message from <someone you probably know>
> >and the body contains text like:
> > Here is that document you asked for ... don't show anyone else ;-)
> >and there is a WORD document attached....
> >
> > DELETE IT IMMEDIATELY WITHOUT OPENING THE WORD FILE!!!!
> >
> >This is a VICIOUS one. Here's the full techie details on the virus...
> >
> >Regards,
> > Mark
> >======================================================================
> >Date: Sat, 27 Mar 1999 07:05:36 -0500
> >From: CERT Advisory <cert-advisory@cert.org>
> >To: cert-advisory@coal.cert.org
> >Subject: CERT Advisory CA-99.04 - Melissa Macro Virus
> >Reply-To: cert-advisory-request@cert.org
> >Organization: CERT(sm) Coordination Center - +1 412-268-7090
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >CERT Advisory CA-99-04-Melissa-Macro-Virus
> >
> > Original issue date: Saturday March 27 1999
> > Last Revised: Saturday March 27, 1999
> >
> >Systems Affected
> >
> > * Machines with Microsoft Word 97 or Word 2000
> > * Any mail handling system could experience performance problems or
> > a denial of service as a result of the propagation of this macro
> > virus.
> >
> >Overview
> >
> > At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began
> > receiving reports of a Microsoft Word 97 and Word 2000 macro virus
> > which is propagating via email attachments. The number and variety of
> > reports we have received indicate that this is a widespread attack
> > affecting a variety of sites.
> >
> > Our analysis of this macro virus indicates that human action (in the
> > form of a user opening an infected Word document) is required for this
> > virus to propagate. It is possible that under some mailer
> > configurations, a user might automatically open an infected document
> > received in the form of an email attachment. This macro virus is not
> > known to exploit any new vulnerabilities. While the primary transport
> > mechanism of this virus is via email, any way of transferring files
> > can also propagate the virus.
> >
> > Anti-virus software vendors have called this macro virus the Melissa
> > macro or W97M_Melissa virus.
> >
> >I. Description
> >
> > The Melissa macro virus propagates in the form of an email message
> > containing an infected Word document as an attachment. The transport
> > message has most frequently been reported to contain the following
> > Subject header
> >
> > Subject: Important Message From <name>
> >
> > Where <name> is the full name of the user sending the message.
> >
> > The body of the message is a multipart MIME message containing two
> > sections. The first section of the message (Content-Type: text/plain)
> > contains the following text.
> >
> > Here is that document you asked for ... don't show anyone else ;-)
> >
> > The next section (Content-Type: application/msword) was initially
> > reported to be a document called "list.doc". This document contains
> > references to pornographic web sites. As this macro virus spreads we
> > are likely to see documents with other names. In fact, under certain
> > conditions the virus may generate attachments with documents created
> > by the victim.
> >
> > When a user opens an infected .doc file with Microsoft Word97 or
> > Word2000, the macro virus is immediately executed if macros are
> > enabled.
> >
> > Upon execution, the virus first lowers the macro security settings to
> > permit all macros to run when documents are opened in the future.
> > Therefore, the user will not be notified when the virus is executed in
> > the future.
> >
> > The macro then checks to see if the registry key
> >
> > "HKEY_Current_User\Software\Microsoft\Office\Melissa?"
> >
> > has a value of "... by Kwyjibo". If that registry key does not exist
> > or does not have a value of "... by Kwyjibo", the virus proceeds to
> > propagate itself by sending an email message in the format described
> > above to the first 50 entries in every MAPI address book readable by
> > the user executing the macro. Keep in mind that if any of these email
> > addresses are mailing lists, the message will be delivered to everyone
> > on the mailing lists. In order to successfully propagate, the affected
> > machine must have Microsoft Outlook installed; however, Outlook does
> > not need to be the mailer used to read the message.
> >
> > Next, the macro virus sets the value of the registry key to "... by
> > Kwyjibo". Setting this registry key causes the virus to only propagate
> > once per session. If the registry key does not persist through
> > sessions, the virus will propagate as described above once per every
> > session when a user opens an infected document. If the registry key
> > persists through sessions, the virus will no longer attempt to
> > propagate even if the affected user opens an infected document.
> >
> > The macro then infects the Normal.dot template file. By default, all
> > Word documents utilize the Normal.dot template; thus, any newly
> > created Word document will be infected. Because unpatched versions of
> > Word97 may trust macros in templates the virus may execute without
> > warning. For more information please see:
> >
> > http://www.microsoft.com/security/bulletins/ms99-002.asp
> >
> > Finally, if the minute of the hour matches the day of the month at
> > this point, the macro inserts into the current document the message
> > "Twenty-two points, plus triple-word-score, plus fifty points for
> > using all my letters. Game's over. I'm outta here."
> >
> > Note that if you open an infected document with macros disabled and
> > look at the list of macros in this document, neither Word97 nor
> > Word2000 list the macro. The code is actually VBA (Visual Basic for
> > Applications) code associated with the "document.open" method. You can
> > see the code by going into the Visual Basic editor.
> >
> > If you receive one of these messages, keep in mind that the message
> > came from someone who is affected by this virus and they are not
> > necessarily targeting you. We encourage you to contact any users from
> > which you have received such a message. Also, we are interested in
> > understanding the scope of this activity; therefore, we would
> > appreciate if you would report any instance of this activity to us
> > according to our Incident Reporting Guidelines document available at:
> >
> > http://www.cert.org/tech_tips/incident_reporting.html
> >
> >II. Impact
> >
> > * Users who open an infected document in Word97 or Word2000 with
> > macros enabled will infect the Normal.dot template causing any
> > documents referencing this template to be infected with this macro
> > virus. If the infected document is opened by another user, the
> > document, including the macro virus, will propagate. Note that
> > this could cause the user's document to be propagated instead of
> > the original document, and thereby leak sensitive information.
> >
> > * Indirectly, this virus could cause a denial of service on mail
> > servers. Many large sites have reported performance problems with
> > their mail servers as a result of the propagation of this virus.
> >
> >III. Solutions
> >
> > * Block messages with the signature of this virus at your mail transfer
> > agents.
> >
> > With Sendmail
> >
> > Nick Christenson of sendmail.com provided information about
> > configuring sendmail to filter out messages that may contain the
> > Melissa virus. This information is available from the following URL:
> > ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-melissa-filter.txt
> >
> > * Utilize virus scanners
> >
> > Most virus scanning tools will detect and clean macro viruses. In
> > order to detect and clean current viruses you must keep your
> > scanning tools up to date with the latest definition files.
> >
> > + McAfee / Network Associates
> >
> > http://vil.mcafee.com/vil/vm10120.asp
> >
> > http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp
> >
> > + Symantec
> >
> > http://www.symantec.com/avcenter/venc/data/mailissa.html
> >
> > + Trend Micro
> >
> > http://housecall.antivirus.com/smex_housecall/technotes.html
> >
> > * Encourage users at your site to disable macros in Microsoft Word
> >
> > Notify all of your users of the problem and encourage them to
> > disable macros in Word. You may also wish to encourage users to
> > disable macros in any product that contains a macro language as
> > this sort of problem is not limited to Microsoft Word.
> >
> > In Word97 you can disable automatic macro execution (click
> > Tools/Options/General then turn on the 'Macro virus protection'
> > checkbox). In Word2000 macro execution is controlled by a security
> > level variable similar to Internet Explorer (click on
> > Tools/Macro/Security and choose High, Medium, or Low). In that
> > case, 'High' silently ignores the VBA code, Medium prompts in the
> > way Word97 does to let you enable or disable the VBA code, and
> > 'Low' just runs it.
> >
> > Word2000 supports Authenticode on the VB code. In the 'High'
> > setting you can specify sites that you trust and code from those
> > sites will run.
> >
> > * General protection from Word Macro Viruses
> >
> > For information about macro viruses in general, we encourage you
> > to review the document "Free Macro AntiVirus Techniques" by Chengi
> > Jimmy Kuo which is available at:
> >
> > http://www.nai.com/services/support/vr/free.asp
> >
> >Acknowledgements
> >
> > We would like to thank Jimmy Kuo of Network Associates, Eric Allman
> > and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and
> > Jason Garms and Karan Khanna of Microsoft for providing information
> > used in this advisory.
> >
> > Additionally we would like to thank the many sites who reported this
> > activity.
> > ______________________________________________________________________
> >
> > This document is available from:
> > http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html.
> > ______________________________________________________________________
> >
> >CERT/CC Contact Information
> >
> > Email: cert@cert.org
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> > Monday through Friday; they are on call for emergencies during other
> > hours, on U.S. holidays, and on weekends.
> >
> >Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by email.
> > Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
> > If you prefer to use DES, please call the CERT hotline for more
> > information.
> >
> >Getting security information
> >
> > CERT publications and other security information are available from
> > our web site http://www.cert.org/.
> >
> > To be added to our mailing list for advisories and bulletins, send
> > email to cert-advisory-request@cert.org and include SUBSCRIBE
> > your-email-address in the subject of your message.
> >
> > Copyright 1999 Carnegie Mellon University.
> > Conditions for use, disclaimers, and sponsorship information can be
> > found in http://www.cert.org/legal_stuff.html.
> >
> > * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > Patent and Trademark Office
> > ______________________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the Software
> > Engineering Institute is furnished on an "as is" basis. Carnegie
> > Mellon University makes no warranties of any kind, either expressed or
> > implied as to any matter including, but not limited to, warranty of
> > fitness for a particular purpose or merchantability, exclusivity or
> > results obtained from use of the material. Carnegie Mellon University
> > does not make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
> > ______________________________________________________________________
> >
> >Revision History
> >
> >-----BEGIN PGP SIGNATURE-----
> >-----END PGP SIGNATURE-----
> >======================================================================
> >
> >
>
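The advisory's first recommended solution is to block the Melissa transport message at the mail transfer agent using its fixed signature (Subject "Important Message From <name>", the "Here is that document you asked for ..." body text, and an application/msword attachment). The filter below is an added example, not the sendmail rules CERT linked to; the sample messages are constructed, and it only quarantines when all three indicators co-occur so that a legitimate mail merely quoting the phrase is not dropped.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators quoted in CERT CA-99-04. The attachment name (initially
# "list.doc") varies as the virus spreads, so it is deliberately not matched.
SUBJECT_RE = re.compile(r"^\s*Important Message From\s+\S", re.IGNORECASE)
BODY_MARKER = "Here is that document you asked for ... don't show anyone else ;-)"


def melissa_indicators(raw_message: str) -> list:
    """Return the CA-99-04 indicators found in a raw RFC 822 message, in order."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():  # multipart containers are skipped by content type
        ctype = part.get_content_type()
        if ctype == "text/plain" and BODY_MARKER in part.get_content():
            hits.append("body")
        elif ctype == "application/msword":
            hits.append("msword-attachment")
    return hits


def should_quarantine(raw_message: str) -> bool:
    """MTA decision: quarantine only when subject, body and Word attachment all match."""
    return {"subject", "body", "msword-attachment"} <= set(melissa_indicators(raw_message))


# Constructed sample in the shape the advisory describes (not a real capture).
SAMPLE_INFECTED = """\
From: Jane Doe <jane@example.invalid>
To: list@example.invalid
Subject: Important Message From Jane Doe
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Here is that document you asked for ... don't show anyone else ;-)
--XX
Content-Type: application/msword; name="list.doc"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

# Constructed benign mail that quotes the phrase but has no Word attachment.
SAMPLE_BENIGN = """\
From: Bob <bob@example.invalid>
Subject: Re: that virus warning
Content-Type: text/plain

The body of the thing reads: Here is that document you asked for ... don't show anyone else ;-)
"""
```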