Security Information Week 13, 1999
On Friday 26 March 1999 a new virus, W97M/Melissa.A, was discovered "in the wild". During that weekend reports came in from all over the world about affected networks and mail servers. The problems this virus caused on the Internet in general, and on e-mail servers in particular, made many compare it to the famous "Morris Worm" of 1988.
At the beginning of week 13 1999 several new macro viruses based on abusing TCP/IP appeared. As of 31 March there were seven macro viruses abusing TCP/IP to replicate or to shut down servers. The viruses which use TCP/IP to send out infected documents do so only if Outlook (not Outlook Express) is installed and a TCP/IP connection is available.
- W97M/Melissa.A
- W97M/Melissa.B
- W97M/Ping.A
- W97M/Syndicate.A
- W97M/Zerg.A
- X97M/Papa.A
- X97M/Papa.B
Below are brief descriptions of some of their characteristics:
W97M/Melissa.A
See separate web page for more information about this most famous variant.
W97M/Melissa.B
Initially spread in a file called "Warning7.Doc" on "Alt.Sex.Animals". The virus is an intended, modified version of W97M/Melissa.A: several commands have been commented out and identifiers have been changed, which makes it intended. The virus will not disable the macro protection as the A variant does. The virus sends a copy to the user loading the document, so the user will receive a copy of the infected document in his own mailbox with the subject "Trust No One" and the body text "Be careful what you open. It could be a virus". It will do this only once, if the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\MelissasLittleSister
does not equal "Kwyjibo". It will set this key after sending an infected document to the user opening the document. Unlike W97M/Melissa.A, this virus will not spread through conventional techniques, as some parts are commented out on purpose. The comments read "We don’t want to actually infect the PC, just warn them". However, every time a user opens this document, this text will be inserted at the current cursor position:
"This could have had disasterous results. Be more careful next tiem you open an e-mail. Protect yourself! Find out how at these web sites:
http://www.eos.ncsu.edu/eos/info/computer_ethics/www/abuse/wvt/worm/ http://www.nipc.gov/nipc/w97melissa.htm http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html http://www.microsoft.com/security/bulletins/ms99-002.asp http://www.infoworld.com/cgi-bin/displayStory.pl?990326.wcvirus.htm"
W97M/Ping.A
Initially spread in a file called "Passwe~1.Rtf" on "Alt.Sex.Anal". The virus is activated every time a document is opened. This virus does not spread using TCP/IP but through conventional techniques. Its payload, however, which is executed every time an infected document is opened, starts hidden tasks which all ping four pornographic/racial Internet sites. These four sites are:
- innocentangels.com
- whitesonly.net
- kkk.com
- daddysgirl.com
The pinging will be repeated until interrupted. As the buffer size for the pinging is set to send 5000 bytes, the responding Internet site will crash when a lot of systems start to ping due to this virus payload.
W97M/Syndicate.A
Initially spread in a file called "Serialz.Doc" on "Alt.Binaries.Warez". Besides replicating through conventional techniques, it will spread using TCP/IP the first time an infected document is introduced into the system. If the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\P1
does not equal "Syndicate", the virus will send the infected document to the first 70 entries in the AddressBook. There will only be one message with 70 receivers as it sets the abovementioned registry key after its payload.
The subject of the message is "Fun and games from <UserName>" and the body of the text is "Hi! Check out this neat doc I found on the Internet!"
W97M/Zerg.A
This virus spreads through conventional ways, but not through TCP/IP. By copying parts from Melissa and changing them, the author made it non-operable.
X97M/Papa.A
Initially spread in a file called "Pass.Xls" on "Alt.Sex.Stories". This virus is intended due to a missing instruction, resulting in a genuine basic Syntax Error. The author fixed this problem and posted that one as well (see X97M/Papa.B).
X97M/Papa.B
Initially spread in a file called "Cracked.Xls" on "Alt.Sex.Incest". This virus is the working variant of the intended X97M/Papa.A virus. This virus replicates only through TCP/IP. Therefore, it is rather harmless on systems that do not have Outlook installed. It will send out the infected spreadsheet to the first 60 entries in the AddressBook. All of the 60 messages will have the subject "Fwd: Workbook from all.net and Fred Cohen" and a body text "Urgent info inside. Disregard macro warning." There is no check whether this has already been done once, so every infected spreadsheet that is loaded will be sent around.
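The subject and body texts quoted above for W97M/Melissa.B, W97M/Syndicate.A and X97M/Papa.B can be used as mail-gateway indicators. The following Python sketch is an added example, not part of the original bulletin: the function names, the "high"/"low" confidence labels and the sample messages (with example.test addresses) are constructed for illustration. It also reports the recipient count, since Syndicate.A sends one message to 70 receivers.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# (variant, subject pattern, body text) as quoted in the descriptions above.
SIGNATURES = [
    ("W97M/Melissa.B", re.compile(r"Trust No One"),
     "Be careful what you open. It could be a virus"),
    ("W97M/Syndicate.A", re.compile(r"Fun and games from .+"),
     "Hi! Check out this neat doc I found on the Internet!"),
    ("X97M/Papa.B", re.compile(r"Fwd: Workbook from all\.net and Fred Cohen"),
     "Urgent info inside. Disregard macro warning."),
]

def plain_text(msg):
    """Join all text/plain parts and collapse whitespace (bodies may be re-wrapped)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "latin-1", "replace"))
    return " ".join(" ".join(chunks).split())

def classify(raw):
    """Return (variant, confidence, recipient_count), or None if no subject matches.
    A subject match alone is weak evidence ("low"); subject plus body is "high"."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split())
    rcpts = len(getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])))
    for variant, subject_re, body_text in SIGNATURES:
        if subject_re.fullmatch(subject):
            return variant, "high" if body_text in plain_text(msg) else "low", rcpts
    return None

# Constructed sample messages (example.test addresses are placeholders).
SYNDICATE = ("From: alice@example.test\nTo: "
             + ", ".join(f"user{i}@example.test" for i in range(70))
             + "\nSubject: Fun and games from Alice\n\n"
             "Hi! Check out this neat doc I found on the Internet!\n")
PAPA_B = ("From: bob@example.test\nTo: carol@example.test\n"
          "Subject: Fwd: Workbook from all.net and Fred Cohen\n"
          'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain\n\nUrgent info inside. Disregard macro\nwarning.\n"
          "--b1\nContent-Type: application/vnd.ms-excel\n"
          "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")
LOOKALIKE = ("From: dave@example.test\nTo: erin@example.test\n"
             "Subject: Trust No One\n\nDid you watch the episode last night?\n")

if __name__ == "__main__":
    print([classify(m) for m in (SYNDICATE, PAPA_B, LOOKALIKE)])
```

The "low" result for the look-alike message shows why the subject line alone should only flag a message for review rather than block it.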
(An updated version of this document after week 13 1999, may be seen here.)
Per Olav Førland
