next message in archive
no next message in thread
previous message in archive
Index of Subjects
This is a multi-part message in MIME format.
--------------7D8DF3423098CC6C22FF83CD
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
--
Michael W. Posluns,
The StillWaters Group,
First Nations Relations & Public Policy.
Please note new address: mposluns@accglobal.net
Phone 416 656-8613
Fax 416 656-2715
36 Lauder Avenue,
Toronto, Ontario,
M6H 3E3.
We offer Canadian parliamentary debates by topics and bills.
--------------7D8DF3423098CC6C22FF83CD
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Return-path: <owner-fes_phd@YORKU.CA>
Envelope-to: MPosluns@ACCGLOBAL.NET
Delivery-date: Mon, 29 Mar 1999 09:29:17 -0500
Received: from sundial.ccs.yorku.ca ([130.63.236.117])
by mail1.tor.accglobal.net with esmtp (Exim 2.11 #1)
id 10Rd2S-00016w-01
for MPosluns@ACCGLOBAL.NET; Mon, 29 Mar 1999 09:29:16 -0500
Received: from sundial.ccs.yorku.ca (IrR/XFH5sM4HcqdAY0h/v8ESsHFE4vj9@sundial.ccs.yorku.ca [130.63.236.117]) by sundial.ccs.yorku.ca (8.8.8/8.8.5) with ESMTP id JAA18976; Mon, 29 Mar 1999 09:29:41 -0500 (EST)
Received: from YORKU.CA by YORKU.CA (LISTSERV-TCP/IP release 1.8d) with spool
id 767376 for FES_PHD@YORKU.CA; Mon, 29 Mar 1999 09:29:39 -0500
Received: from sungod.ccs.yorku.ca
(NhGNMVEOQuQHtl//QbemM0Ybwc+ZYbvD@sungod.ccs.yorku.ca
[130.63.236.104]) by sundial.ccs.yorku.ca (8.8.8/8.8.5) with ESMTP id
JAA18930 for <fes_phd@sundial.ccs.yorku.ca>; Mon, 29 Mar 1999
09:29:26 -0500 (EST)
Received: from admin25.fes.yorku.ca (admin25.fes.yorku.ca [130.63.239.160]) by
sungod.ccs.yorku.ca (8.8.7/8.6.11) with SMTP id JAA13434; Mon, 29 Mar
1999 09:29:24 -0500 (EST)
X-X-Sender: rgeater@postoffice.yorku.ca
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.WNT.3.96.990329092032.-4132079D-100000@admin25.fes.yorku.ca>
Date: Mon, 29 Mar 1999 09:29:22 -0500
Reply-To: Rick Geater <rgeater@YorkU.CA>
Sender: FES PHD programme distribution list <FES_PHD@YorkU.CA>
From: Rick Geater <rgeater@YorkU.CA>
Subject: VIRUS ALLERT: If you use MS Outlook and Word,
you will want to read it.
Comments: To: fes_bes@YorkU.CA, fes_mes@YorkU.CA
To: FES_PHD@YorkU.CA
If you use MS products, specifically MS Outlook and/or MS Word, you should
read the following. Please do not respond to this e-mail. For more
information on Macro viruses, please visit the MS web site
(www.microsoft.com).
___________________________________________
Rick Geater Computer Services
Environmental Studies 416-736-2100
York University ext. 33008
rgeater@yorku.ca
> Virus Alert! This one is real folks. Please read on.
>
> It appears that there is a somewhat annoying virus floating around by
> the name of Melissa. If you receive a message with the subject line:
> "Important message from <username>" (the username is taken from MS
> Word settings - so it may not be someone you recognize, or it may even
> be staff). What this means to staff is that if any one of us gets the
> message, it is likely that others could get the virus. So, to keep it
> simple, delete ANY message with the subject line noted above.
> Below are the details of the virus (from Symantec.com):
>
>
> VirusName: W97M.Mailissa
> Aliases: W97M.Melissa
> Infection Length: one VBA5 module named Melissa
> Area of Infection: Microsoft Word 97 documents
> Likelihood: Common
> Region Reported: US
> Characteristics: Macro, Wild
>
> <<...>>
> Description:
> W97M.Mailissa (also known as W97M.Melissa) is a typical macro virus
> which has an unusual payload. When a user opens an infected document,
> the virus will attempt to e-mail a copy of this document to up to 50
> other people, using Microsoft Outlook.
> Similar to W97M.Pri, the virus turns off the security protection upon
> opening an infected document in MS Word 2000. This disables MS Word
> 2000 macro prompt the next time the document is opened.
> It infects a MS Word 97 and MS Word 2000 document by adding a new VBA5
> (macro) module named Melissa. Although there is nothing unique in the
> infection routine of this macro virus, it has a payload that utilizes
> MS Outlook to send an attachment of the infected document being
> opened.
> Payload
> As its primary payload, the virus will attempt to use Microsoft
> Outlook to e-mail a copy of the infected document to up to 50 other
> people. When a user opens or closes an infected document, the virus
> first checks to see if it has done this mass e-mailing once before, by
> checking the following registry key:
> "HKEY_CURRENT_USER\Software\Microsoft\Office\" as "Melissa?" value.
> If this key has a value "Melissa?" set to the value "...by Kwyjibo",
> then the mass e-mailing has been done previously from the current
> machine. The virus will not attempt to do the mass mailing a second
> time, if it has already been done from this machine.
> If it does not find the registry entry, the virus does the following:
> Open MS Outlook.
> Using MAPI calls, it gets the user profile to use MS Outlook.
> It creates a new e-mail message to be sent to up to 50 addresses
> listed in the user's MS Outlook address book.
> It gives the email message a subject line:
> "Important Message From USERNAME",
> where USERNAME is taken from MS Word setting.
> The body of the email message is:
> "Here is that document you asked for ... don't show anyone else
> ;-)"
> It attaches the active document (the infected document being
> opened or closed) to the email message.
> It sends the e-mails.
> Please note that "HKEY_CURRENT_USER\Software\Microsoft\Office" is a
> registry entry created by MS Office. The virus simply adds the new
> value "Melissa?" into this registry entry. This value is set to "...by
> Kwyjibo" if the virus has previously e-mailed an infected document
> from the system. Once the value is set, the virus will not attempt
> another mass mailing from the same machine.
> There is a second payload which triggers once an hour, at the number
> of minutes past the hour corresponding to the date (i.e., on the 16th
> of the month, the payload triggers at 16 minutes after every hour). If
> an infected document is opened or closed at the appropriate minute,
> this payload will insert the following sentence into the document:
> " Twenty-two points, plus triple-word-score, plus fifty points
> for using all my letters. Game's over. I'm outta here."
> Note that the virus will also infect other documents on the user's
> machine, using the normal infection mechanisms of macro viruses, even
> if the user does not have MS Outlook. So, it is potentially possible
> for a new document from any user's machine to be e-mailed to other
> people through the following steps:
> User opens Document 1 containing Melissa infection.
> Melissa also infects a new Document 2 on the user's machine
> (even if the user does not have MS Outlook).
> User e-mails Document 2 to another person who has not previously
> been infected by Melissa and who does have MS Outlook.
> When that second person opens the infected Document 2 on their
> machine, the document will be e-mailed to 50 people via MS Outlook.
> Hiding its activity:
> Similar to most macro viruses, this macro virus tries to hide its
> activity by disabling the following menu items:
> * Tools-Macro in MS Word 97
> By disabling this menu command, the virus prevents any user from
> listing the macro / VBA module in MS Word 97 to manually check for
> infection.
>
> * Macro-Security in MS Word 2000
> By disabling this menu command, it prevents the user from changing the
> security level in MS Word 2000.
> To hide its infection activity, it also disables the following options
> in MS Word 97:
> * Prompt to save Normal template
> * Confirm conversion at Open
> * Macro virus protection
> With these options disabled, MS Word 97 does not warn or prompt while
> saving the NORMAL.DOT or while opening a document with macros in it.
> Repair Notes:
>
> Dave Astolfo, Systems Analyst, Ontario Good Roads Association
> Providing Ontario's Municipalities with services & representation on
> transportation issues.
> www.ogra.org www.RoadAuthority.com
>
>
>
--------------7D8DF3423098CC6C22FF83CD--
next message in archive
no next message in thread
previous message in archive
Index of Subjects