F-Secure Virus Descriptions : Melissa
NAME: Melissa
ALIAS: Simpsons, Kwyjibo, Kwejeebo, Mailissa
For more information on Melissa, see the Global Melissa Information
Center at http://www.F-Secure.com/melissa/
A virulent and widespread computer virus was found on Friday, March
26, 1999. This virus has spread all over the globe within just hours
of the initial discovery, apparently spreading faster than any other
virus before.
The virus, known as W97M/Melissa, spreads by e-mailing itself
automatically from one user to another. When the virus activates, it
modifies the user's documents by inserting comments from the TV series
"The Simpsons". Even worse, it can send out confidential information
from the computer without the user noticing.
The virus was discovered on Friday, late evening in Europe, early
morning in the US. For this reason, the virus spread in the USA during
Friday. Many multinational companies reported widespread infections,
including Microsoft and Intel. Microsoft closed down their whole
e-mail system to prevent any further spreading of the virus. The number
of infected computers is estimated to be tens of thousands so far and
it is rising quickly.
"We've never seen a virus spread so rapidly," comments Mikko Hypponen,
F-Secure's Manager of Anti-Virus Research. "We've seen a handful of
viruses that distribute themselves automatically over e-mail, but not
a single one of them has been as successful as Melissa in the real
world."
W97M/Melissa was initially distributed in an internet discussion group
called alt.sex. The virus was sent in a file called LIST.DOC, which
contained passwords for X-rated websites. When users downloaded the
file and opened it in Microsoft Word, a macro inside the document
executed and e-mailed the LIST.DOC file to 50 people listed in the
user's e-mail alias file ("address book").
The e-mail looked like this:
From: (name of infected user)
Subject: Important Message From (name of infected user)
To: (50 names from alias list)
Here is that document you asked for ... don't show anyone else ;-)
Attachment: LIST.DOC
Note that Melissa can arrive in any document, not necessarily
just in the LIST.DOC file in which it was initially spread.
Most of the recipients are likely to open a document attachment like
this, as it usually comes from someone they know.
After sending itself out, the virus continues to infect other Word
documents. Eventually, these files can end up being mailed to other
users as well. This can be potentially disastrous, as a user might
inadvertently send out confidential data to outsiders.
The virus activates if it is executed when the minutes of the hour
match the day of the month; for example, 18:27 on the 27th day of a
month. At this time the virus will insert the following phrase into
the current open document in Word: "Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters.
Game's over. I'm outta here". This text, as well as the alias name
of the author of the virus, "Kwyjibo", are all references to the
popular cartoon TV series called "The Simpsons". For more information
on this connection, see this Simpsons web page:
http://www.imada.ou.dk/~jews/TheSimpsonsArchive/episodes/7G02.html
"The virus won't spread much during this weekend. We will see the real
problem on Monday morning", continues Hypponen. "When a big company
gets infected, their e-mail servers are seriously slowed down and
might even crash, as people start to e-mail large document attachments
without realising it."
W97M/Melissa works with Microsoft Word 97, Microsoft Word 2000 and
the Microsoft Outlook 97 or 98 e-mail client. You don't need to have
Microsoft Outlook to receive the virus in e-mail, but it will not
spread itself further without it.
Melissa will not work under Word 95.
Melissa will not spread further under Outlook Express.
Melissa can infect Windows 95, 98, NT and Macintosh users. If the
infected machine does not have Outlook or internet access at all, the
virus will continue to spread locally within the user's own documents.
If your Microsoft Exchange server gets infected, install a Gateway
scanner such as F-Secure Anti-Virus for Microsoft Exchange to protect
it. Microsoft has made a free tool available to clean up an infected
Exchange mail database at:
ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail/melissa-virus.zip
The main difference between W97M/Melissa.I and W97M/Melissa.A is that
this variant uses a random number to select subject lines and message
bodies of outgoing messages from eight different alternatives:
1. Subject: Question for you...
   It's fairly complicated so I've attached it.
2. Subject: Check this!!
   This is some wicked stuff!
3. Subject: Cool Web Sites
   Check out the Attached Document for a list of some of the best
   Sites on the Web
4. Subject: 80mb Free Web Space!
   Check out the Attached Document for details on how to obtain
   the free space. It's cool, I've now got heaps of room.
5. Subject: Cheap Software
   The attached document contains a list of web sites where you
   can obtain Cheap Software
6. Subject: Cheap Hardware
   I've attached a list of web sites where you can obtain Cheap
   Hardware
7. Subject: Free Music
   Here is a list of places where you can obtain Free Music.
8. Subject: * Free Downloads
   Here is a list of sites where you can obtain Free Downloads.
In the last subject, the asterisk will be replaced with a random
character.
Unlike W97M/Melissa.A, this variant uses a different registry key
(called "Empirical") to check whether mass mailing has already been done.
W97M/Melissa.I contains an additional payload as well. If the number
of minutes equals the number of hours, the virus inserts the following
text into the active document:
All empires fall, you just have to know where to push.
At the same time, the virus clears the mark from the registry, causing
the mass-mailing part to be reactivated as soon as a document is
opened or closed, a new document is created or Word is restarted.
This Melissa variant sends itself to 100 recipients from each Outlook
address book. The e-mail looks like this:
Subject: Duhalde Presidente
Body: Programa de gobierno 1999 - 2004.
W97M/Melissa.U is similar to W97M/Melissa.A. Unlike Melissa.A, this
variant uses the module name "Mmmmmmm" and it has a destructive
payload.
This variant deletes the following system files:
c:\command.com
c:\io.sys
d:\command.com
d:\io.sys
c:\Ntdetect.com
c:\Suhdlog.dat
d:\Suhdlog.dat
To do this, the virus removes hidden, system, read-only and archive
attributes from these files.
Unlike W97M/Melissa.A, it sends itself only to 4 recipients. The
message itself is also different:
Subject: pictures (user name)
Body: what's up ?
Where (user name) is replaced with Word's registered user name.
The following text will be added to every infected document:
Loading... No
and
>>>>Please Check Outlook Inbox Mail<<<<<
This variant has been detected since October 13th, 1999.
This variant is similar to W97M/Melissa.U. This variant sends itself
to 40 recipients and the message is different:
Subject: My pictures (user name)
The message body is empty, and (user name) is replaced with Word's
registered user name.
After W97M/Melissa.V has mailed itself, it will delete all files from
the root of the following drives:
M:
N:
O:
P:
Q:
s:
f:
I:
x:
z:
H:
L:
When this has been done, the virus shows a message box with the
following text:
Hint: Get Norton 2000 not McAfee 4.02
This variant has been detected since October 13th, 1999.
W97M/Melissa.W does not lower macro security settings in Word 2000.
Otherwise it is functionally equivalent to W97M/Melissa.A.
W97M/Melissa.AO uses Outlook to send an e-mail message with:
Subject: Extremely URGENT: To All E-Mail User - <current date>
Body: This announcement is for all E-MAIL user. Please take
note that our E-Mail Server will down and we
recommended you to read the document which attached
with this E-Mail.
Attachment: <infected active document>
The payload activates at 10 am on the 10th day of each month, when the
virus inserts the following text into the active document:
Worm! Let's We Enjoy.
[Analysis: Katrin Tocheva, Mikko Hypponen and Sami Rautiainen, F-Secure]
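The subject lines listed above can be turned into a mail-gateway triage check. The following Python sketch is an added example, not F-Secure's code: it flags a message only when its subject matches one of the described patterns and it carries a .doc attachment. The sample addresses, the make_sample helper and the label for the unnamed "Duhalde Presidente" variant are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subject patterns taken from the descriptions above; the (user name) and
# <current date> placeholders become wildcards.
MELISSA_I_SUBJECTS = [
    "Question for you...", "Check this!!", "Cool Web Sites",
    "80mb Free Web Space!", "Cheap Software", "Cheap Hardware", "Free Music",
]
SIGNATURES = [
    ("W97M/Melissa.A", re.compile(r"^Important Message From .+$")),
    ("W97M/Melissa.I", re.compile(
        "^(?:" + "|".join(map(re.escape, MELISSA_I_SUBJECTS)) + "|. Free Downloads)$")),
    ("unnamed variant (Duhalde Presidente)", re.compile(r"^Duhalde Presidente$")),
    ("W97M/Melissa.V", re.compile(r"^My pictures .+$")),
    ("W97M/Melissa.U", re.compile(r"^pictures .+$")),
    ("W97M/Melissa.AO", re.compile(r"^Extremely URGENT: To All E-Mail User - .+$")),
]

def has_word_attachment(msg):
    """True if any MIME part has a filename ending in .doc (any name, not only LIST.DOC)."""
    return any((part.get_filename() or "").lower().endswith(".doc")
               for part in msg.walk())

def classify(raw_message):
    """Return the matching variant label, or None. Needs a subject match AND a .doc file."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    if not has_word_attachment(msg):
        return None
    for name, pattern in SIGNATURES:
        if pattern.match(subject):
            return name
    return None

def make_sample(subject, filename=None):
    """Build a constructed test message (hypothetical helper, not a real capture)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=filename)
    return m.as_string()
```

Several of these subjects are plausible in legitimate mail, so a match is a reason to scan the attachment rather than a verdict on its own. W97M/Melissa.W is reported under the Melissa.A label because the page describes the two as functionally the same.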