Network Security
April 1999
“Here is that document you asked for... don’t show anyone else ;-)”
VIRUS NEWS
Melissa spreading widely in USA
A new Word 97 virus, W97M.Melissa, has been detected at multiple DOE sites in the United States and is known to be spreading widely. This macro virus attaches to Word objects in Word 97 and Word 2000, but not older versions of Microsoft Word. When an infected document is opened, the virus checks to see if Word 97 or Word 2000 is installed and then disables the Macro toolbar. It then disables the following Word options:
• Confirm conversions at open.
• Macro virus protection.
• Prompt to save Normal template.
Disabling these options makes it difficult to detect the virus in action. Melissa then checks the value of the private registry string HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa? and, if that string is not equal to “... by Kwyjibo”, the virus sends copies of the infected document to the first 50 people in each Outlook address book and then sets the registry key so it does not do this again. It then sends copies of the infected document to others by opening a connection to Microsoft Outlook and creating an E-mail message with the subject “Important Message From” followed by the current Word user’s name. The body of the message contains the following:
The virus then inserts the first 50 users from the Outlook address book, attaches the infected document and sends the message. It does this for however many address books have been defined in Outlook.

After sending itself to the people in the address book, the virus then checks to see if it is running on a document or the Normal.dot template. If it is running on a document, it infects the Normal.dot template with a Document_Close macro that runs whenever a document is closed. If it is running on the Normal.dot template, it infects the active document with a Document_Open macro that runs whenever a document is opened. After the Normal.dot template is infected, the virus infects every document worked on as soon as it is closed. If these documents are shared with anyone, the virus spreads.

Finally, if the minute of the hour equals the day of the month, the virus inserts the following message at the current location in the active document: “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.”

Several anti-virus vendors have a detection and cleaning capability for Melissa; however, these have to be actively obtained from the vendors’ Web sites. To protect Word from this and other Word macro viruses, first ensure that Word has been patched with the Word 97 Template vulnerability patch (http://www.Microsoft.com/security/bulletins/ms99-002.asp). Also, the Normal.dot template file should be password protected and the following Word 97 options should be enabled:
• Confirm conversions at open.
• Macro virus protection.
• Prompt to save Normal template.
For further information, contact CIAC on tel: +1 925 422 8193; fax: +1 925 423 8002; E-mail: ciac@llnl.gov.
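A triage check for the registry marker described above, as an added example that is not part of the original bulletin: it parses a textual registry export (.reg format) of a user's hive and reports whether the "Melissa?" value holds the data the virus writes after its mass-mailing run. The function names, the three result labels and the sample exports are assumptions made for illustration.

```python
import re

# Marker described above: value "Melissa?" under the Office key, set to
# "... by Kwyjibo" once the mass-mailing routine has run for that user.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_NAME = "Melissa?"
MARKER_DATA = "... by Kwyjibo"
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            match = _STRING_VALUE.match(line)
            if match:
                current[_unescape(match.group(1))] = _unescape(match.group(2))
    return keys

def melissa_marker_state(reg_text):
    """Classify one exported user hive: 'mailed', 'unexpected' or 'absent'."""
    for path, values in parse_reg_export(reg_text).items():
        if path.lower() == MARKER_KEY.lower() and MARKER_NAME in values:
            # Per the bulletin, any other data would not stop the mailing run.
            return "mailed" if values[MARKER_NAME] == MARKER_DATA else "unexpected"
    return "absent"

# Constructed sample exports (not taken from a real host).
SAMPLE_INFECTED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Melissa?"="... by Kwyjibo"

[HKEY_CURRENT_USER\Software\ExampleVendor]
"InstallDir"="C:\\Example"
'''
SAMPLE_CLEAN = SAMPLE_INFECTED.replace('"Melissa?"="... by Kwyjibo"\n', "")

if __name__ == "__main__":
    print(melissa_marker_state(SAMPLE_INFECTED), melissa_marker_state(SAMPLE_CLEAN))
```

A result of "mailed" means the virus has already run its mailing routine under that user profile, so recipients in that user's address books should be checked as well.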
Melissa’s author caught

A 30-year-old New Jersey computer programmer has been charged with launching the Melissa E-mail virus that spread across the world in the last week of March, 1999, infecting millions of computers as far away as China and bringing to a crawl E-mail services on government, education and corporate computer networks. David L. Smith, who, according to authorities, named the virus after a topless dancer in Florida, was arrested at his brother’s house in Eatontown, NJ, USA.

The arrest came after an extensive electronic manhunt that took security experts and enforcement officials to an America Online account hijacked from a Washington state engineer; an Orlando, FL, Web site for hackers; a Tennessee Internet service; and, finally, to a personal computer in Smith’s apartment in Aberdeen Township, an hour outside of New York City.

Smith, described by New Jersey officials only as “a computer guy”, was charged with interfering with public communication, conspiracy and theft of computer service. If convicted, Smith could face as much as $480 000 in fines and 40 years in prison. He was released from Monmouth County jail Friday morning after posting $100 000 bail. New Jersey Atty. Gen. Peter Verniero said a grand jury will hear the case.

Computer security specialists and law enforcement officials, first notified of the virus on 26 March, launched a multi-pronged attack to track down the culprit. Richard Smith, president of Phar Lap Software, contributed a piece of the puzzle by finding a unique ID number in the virus code that could point to the author of Melissa. Richard Smith recently played a major role in disclosing that Microsoft software imprints an ID number on every document created using its software, a practice criticized as a potential invasion of privacy and since stopped. A Swedish programmer used the ID number to identify the author of the code as someone with the online name VicodenES.

At the same time, computer specialists taking apart the Melissa code discovered a tiny message in it thanking “Codebreakers.org”. This turned out to be a Web site hosted by a small Internet service called Global Connection in Kingsport, TN, USA, which was commonly used by virus writers to trade code. Dennis Halsey, vice president of the company, said he had no idea what was being posted on the Codebreakers’ Web site. Global Connection quickly shut down the site. “We hosted the site in total innocence”, he said. “We were kind of in shock when we found out what the site was about.”

Some of the code used to write Melissa had apparently been posted on the site by someone with the nickname VicodenES. Similar code had also been posted at a site called Source of Kaos, hosted by an Internet service called Access Orlando in Florida. It was a dead end. VicodenES, it turned out, wasn’t the culprit who spread the virus, only the programmer who wrote some of the code, which is not by itself against the law.

Separately, investigators, with the help of anti-virus ‘sniffing’ software, tracked the virus back to its first posting from the America Online account of Scott Steinmetz, a Lynnwood, WA, USA, civil engineer who describes himself as a computer illiterate. The hacker, it appeared, had hijacked Steinmetz’s AOL account and was using it to send out E-mail. America Online contacted the New Jersey division of criminal justice’s computer analysis and technology unit. America Online declined to comment, but officials in New Jersey said they were able to use information from AOL to track down Smith’s phone number. Subsequently, the New Jersey State Police and the FBI executed a search warrant on Smith’s apartment, confiscated his computer and, on the basis of what they found, obtained a warrant for Smith’s arrest. Smith worked as a network programmer for a company that subcontracted for AT&T Corp.

Security experts said that even if this crime is solved, Melissa could be the beginning of a new wave of viruses. “This is clearly the first page in a new chapter on viruses”, said Steve White, an antivirus expert at IBM’s Watson Research Center, noting that viruses that used to take months to spread are now just taking days. “I expect a lot of copycats.” In fact, several copycats are already making the rounds as of this writing; a particularly destructive version, called poppa, is already circulating and others are expected.

Bill Hancock

© 1999 Elsevier Science Ltd

LAN/WAN NEWS
HP-UX vulnerabilities
Hewlett-Packard Security Bulletin #00096 reveals that MC/ServiceGuard and MC/LockManager exhibit improper implementation of restricted SAM functionality on HP 9000 Series 700/800 Servers running HP-UX 10.X and 11.00. The problem allows users to gain increased privileges. There follows a list of available patches:
HP-UX Release   Product        Revision     Patch ID
10.00           MC/SG          A.10.03      PHSS_17478
10.01           MC/SG          A.10.03      PHSS_17478
10.10           MC/SG MC/LM    A.10.05      PHSS_17479
10.20           MC/SG MC/LM    A.10.06      PHSS_17480
10.20           MC/SG          A.10.11      PHSS_17580
10.20           MC/LM          A.10.07.01   PHSS_17482
11.00           MC/SG          A.11.05      PHSS_17581
11.00           MC/LM          A.11.05      PHSS_17483
11.00           MC/LM-J        A.11.05      PHSS_17484