[Fwd: BCPL.NET SYSTEM NEWS] (fwd)

< < < Date > > > | < < < Thread > > >
[Fwd: BCPL.NET SYSTEM NEWS] (fwd)

by Peter Grimes

29 March 1999 21:06 UTC

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--------------978803D6C3B0C88E621A3AD8



---------- Forwarded message ----------
Date: Mon, 29 Mar 1999 07:56:47 -0500
From: Barbara Larcom <larcom@bcpl.net>
To: Peter G <p34d3611@jhu.edu>
Subject: [Fwd: BCPL.NET SYSTEM NEWS]

 

--------------978803D6C3B0C88E621A3AD8

Date: Sun, 28 Mar 1999 14:43:23 -0500 (EST)
From: "BCPL.NET SysAdmin" <ispadmin@bcpl.net>
To: larcom@mail.bcpl.net
Subject: BCPL.NET SYSTEM NEWS
X-Organization: BCPL.NET Internet Services

--------------------------
W97M/MELISSA VIRUS WARNING
--------------------------
Most warnings about viruses that spread via e-mail are hoaxes.  This one,
however, is not.  We are bringing it to your attention because it poses a
threat to the BCPL.NET mail server as well as to your personal PC.  The
following information is compiled from a number of reputable sources and
is believed to be accurate.  Sorry about the extreme length, but there is
no way to describe this in fewer words.

W97M/Melissa is a Word 97 Class Module Macro virus that can also activate
under Word 2000. It was discovered on Friday, March 26, and is known to be
spreading extremely rapidly.  Because of the way it spreads (via e-mail)
and the extreme speed with which it is spreading, it is swamping mail
servers all over the Internet by filling up their hard disks and
monopolizing all their available processor time.  A number of mail servers
are known to have crashed as a direct result.

W97M/Melissa depends on the presense of Microsoft Outlook in order to
spread from an infected computer, and Outlook is used primarily by
business users on corporate networks, so the greatest impact is expected
to be felt after the start of business on Monday, March 29.  It is not
unreasonable to expect e-mail delivery delays because of the extra load
this will place on mail servers all over the Internet.

Identifying W97M/Melissa
------------------------
W97M/Melissa spreads in the form of an e-mail file attachment usually
(but not always) named "List.DOC".  The message bearing the attachment
always has the following identifying characteristics:

  From:          (probably someone you know)
  To:            (50 names from the sender's Outlook Address Book)
  Subject:       Important Message From (name of sender)
  Message Text:
  Here is that document you asked for ... don't show anyone else ;-)

The sender will probably be someone you know, but this DOES NOT mean
he/she sent it to you intentionally.  Chances are, he/she knows nothing
about it.  W97M/Melissa spreads itself automatically from infected PCs
without the sender's knowledge.

If you receive e-mail with a Subject line containing "Important Message
From...", and if the message includes a file attachment, DO NOT open the
attachment.  DO NOT send it to anyone else.  Delete the message and the
attachment immediately.

All publishers of virus detection software are providing updates to detect
and eradicate W97M/Melissa.  Check with the publisher of your virus
detection software for details.

How W97M/Melissa Works
----------------------
When the infected Word document is opened, the virus checks for a setting
in the Windows Registry that tests whether the system has already been
infected. If the system has not already been infected, the virus creates
the following entry in the Registry:

 HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?"="... by Kwyjibo"

If this key already exists the email redistribution process will not
execute, but the virus will still infect any Word files opened
subsequently.

Note:  As a preventive measure you can create this registry key to prevent
the virus from launching. However we recommended this ONLY if you are
familiar with the inner workings of the Windows Registry and are
comfortable modifying it.  BCPL.NET will not be responsible for damage you
do by mucking about in the Registry!

Once your computer has become infected, the following will happen:

1. Every Word document you open will become infected by W97M/Melissa.

2. If an infected document is opened when the day and the minute are
   the same numeric value (i.e. March 30 at 10:30) the following text
   is inserted into the document at the current cursor position:

   "Twenty-two points, plus triple-word-score, plus fifty points for
   using all my letters. Game's over. I'm outta here."

3. If you have Microsoft Outlook, the virus creates an Outlook object
   using Visual Basic and reads the list of members from your Outlook
   Address Books. An email message is created and sent to the first 50
   addresses in each of your address books, one at a time.  The "From:"
   address, "Subject:", and message text are as described earlier.

   The active infected Word document is attached and the email is sent.
   The most prevalent document being seen is one called List.DOC, however
   this is NOT the only document that can be sent or received.  Any
   infected Word document that is open at the time can be sent.

4. If you have Word 97, the "TOOLS/MACRO" menu option is disabled to
   prevent Word from detecting Macro virus activity.

5. If you have Office 2000, the virus checks for low security in Office
   by checking for a value in the the registry.  If the value
   HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level"
   is not null, the virus will disable the "MACRO/SECURITY" menu option
   to prevent Word from detecting Macro virus activity.

Macintosh Users
---------------
It is unclear at present what effect, if any, W97M/Melissa has on a
Macintosh. W97M/Melissa depends to a great extent on Windows Registry
settings which are not applicable to the Mac.  However, it is still
possible that W97M/Melissa may infect your Word documents and that you may
inadvertently spread the virus by sending infected documents as file
attachments.  We therefore recommend that you treat potentially infected
e-mail exactly as recommended above for PC users.

--------------------------------------------------------------------
PLEASE DO NOT REPLY TO THIS MESSAGE!  Contact the BCPL.NET Help Desk
if you have questions about the contents. 

BCPL.NET INTERNET SERVICES CONTACTS:
-----------------------------------
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests     news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
FAX:                                                    410-887-2091
Help Pages:            http://www.bcpl.net/help.html
                       (or enter "help" at the UNIX shell prompt)
System News Archives:  http://www.bcpl.net/sysnews.html
                       (or enter "sysnews" at the UNIX shell prompt)




--------------978803D6C3B0C88E621A3AD8--
< < < Date > > > | < < < Thread > > > | Home