Newsletter # 20


Unfortunately, we are seeing new viruses that plague us no end. Hopefully, this will find your computers up and running.
Ms. Boots


'Melissa' macro worms around Web E-mail Word attachment called list.doc contains virus/worm that sends copies of itself around Net By Bob Sullivan MSNBC March 27-
If you receive an e-mail with the subject line "Important message from ... ," be suspicious. If that message comes with a Word document attached called "list.doc," you've likely been sent the Word/Melissa macro virus. And if you open the document, it will send 50 copies of itself to several e-mail addresses it gleans from your personal e-mail.
That gives it the ability to propagate very quickly - much quicker than the happy99.exe worm, according to virus experts. IF YOU'VE BEEN infected, don't feel bad - experts think hundreds of thousands of PCs might have been infected in the two days the virus has been "in the wild."

The document itself contains a list of 73 pornographic Web sites, along with usernames and passwords for those sites. The virus may have been unleashed on the world Friday - it contains the text "Password List for March 26, 1999."
The virus can allow documents to be e-mailed to other people without warning, a potential security breach that should worry businesses and governments, an expert at Carnegie Mellon University said Saturday.
"Melissa" spreads via infected e-mail and attacks computers loaded with Microsoft's widely used Word 97 or Word 2000 programs, according to CERT - or Computer Emergency Response Team - Carnegie Mellon's Department of Defense-funded computer security team. CERT first heard of the virus Friday afternoon and its members worked through the night to analyze the virus and develop a fix, CERT manager Katherine Fithen said.
"We're getting so many reports from across the world., that we know this is going to be a huge problem come Monday," Fithen said. She noted that since CERT was founded 10 years ago, this is only the second time it has considered a virus important enough to warrant a public announcement. The first, in 1994, warned of a virus that allowed computer burglars to collect passwords.


CERT has not determined where the Melissa virus originated. Fithen said she is not allowed to say whether any governmental agency has suffered a security breach as the result of Melissa. Friday, a spokesman from Network Associates said the company received one e-mail every three minutes starting at 8 a.m. from clients complaining about the file.
"It's spreading much faster than happy99," he said. About 60,000 users were infected at the company which made the first complaint, said Srivhes Sampath, general manager of McAfee Online. "It pretty much brings mail systems to a halt ... We've never seen anything spread like this."

The Melissa macro is spreading so fast for two reasons; it sends 50 copies of itself out after it infects a user; and, it is often able to fool potential victims into thinking the mail came from a trusted source.
After infecting a user, the macro reads the victim's registry and gleans the user's name. It then sends 50 copies of itself to e-mail addresses included in that user's address book. The subject line of those mails includes the infected user's name (it reads "Important message from [user name]"), which often tricks potential victims into trusting the message and opening the attached document, according to Network Associates.
The user does not know he or she is infected until an e-mail recipient complains. "Word/Melissa written by Kwyjibo," is the text that accompanies the macro. The author also pokes fun at virus writers who he or she expects will argue about the exact classification of the pest, as often happens. "Works in both Word 2000 and Word 97. Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"
Kwyjibo appears to be a reference to a "Simpson's" TV show episode in which Bart Simpson wins a Scrabble game by spelling out the word Kwyjibo. The virus also includes a line from that episode: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

The Associated Press contributed to this report.



Melissa is a Word 97 Class Module Macro virus that can also be upconverted to a Word 2000 Macro Virus. It was first discovered by NAI's Dr Solomon's VirusPatrol today on the newgroup. The virus has spread rapidly around the world, and has infected thousands


The virus can infect a system by being received from another infected user via Outlook. This appears to be the most common method of infection. Users will not know they have been infected, nor will the sender know the document has been sent. A user may become alerted to the infected document if the Macro Security settings are enabled. This warning will be displayed to the user when the document is opened.


When the infected document is opened, the virus checks for a setting in the registry to test if the system has already been infected. If the system hasn't been infected, the virus creates an entry in the registry: HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?" = "... by Kwyjibo" (If this key exists the email process will not execute, the virus will still infect. AVERT advises that it not be removed.) (As a preventive message you can create this registry key to prevent the virus from launching)
This virus also creates an Outlook object using Visual Basic instructions and reads the list of members from Outlook Global Address Book. An email message is created and sent to the first 50 recipients programmatically all the address books, one at a time. The message is created with the subject "Important Message From - <User Name>" The message body of text reads
"Here is that document you asked for ... don't show anyone else ;-)". The active infected document is attached and the email is sent. The most prevalent document being seen is one called List.DOC, however this is NOT the only document that can be sent or received. Once the system is infected all documents that are opened are infected. As any document can be sent, a user that receives the infected document, who hasn't been infected, can become infected with this document, and the process will continue.

The virus does have a payload. If the day equals the minute value, and the infected document is opened this text is inserted at the current cursor position:
" Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." This virus checks for low security in Office2000 by checking the value from the registry; if the value HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is not null, the virus will disable the "MACRO/SECURITY" menu option. Otherwise Word97 menu option "TOOLS/MACRO" is disabled.
Comments inside the macro virus include: 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

In other words, here we go again folks.. Suffice to say that if you receive such document, DON'T!! open it.. It was launched to the best of my knowledge around the 26th of March. Hope this gives you a bit more warning than the Happy99exe. Issue.

Compiled by Mig in hopes of safe computing for all



The Phoenix On-Line Foundation
La Fondation Phoenix En-Ligne
Chat, fun and help with facilitators
available for adaptive technologies.

*if you do not want to receive these newsletters just email us at and put unsubscribe in the subject or body.