The Melissa virus was a wake-up call to everyone in the email world. The virus appeared on Friday, March 26, as the payload in a message that could replicate itself and infect other servers. Melissa spread rapidly around the planet; similar viruses such as Papa soon followed Melissa. Microsoft and other large companies with major deployments of Exchange, including Compaq, had to stop Internet connectivity until they disinfected their servers. Full details of the attack are available at http://www.cert.org/advisories/ CA-99-04-Melissa-Macro-Virus.html.
VBA Code at the Heart of the Attack
These viruses use Visual Basic for Applications (VBA) code contained in a Word or Excel document. The code interrogates Messaging API (MAPI) address lists (such as the Exchange Server Global Address List—GAL) and extracts a number of addresses and sends them messages containing the payload. Melissa sends messages to 50 addresses taken from the GAL; Papa sends to 60 addresses.
Melissa's code is simple, but it does a lot of damage. First, it performs a query to find all the address lists available to the client. Then, it queries each address list and creates a message for the first 50 names that it retrieves. The message subject is Important Message From xxx (where xxx is the display name of the name the code has taken from the address list), and the message body contains one line of text and the infected Word document that contains the payload.
The code applies no test to determine who will receive messages. Addresses at the top of an address book are prime candidates for infection; addresses at the end will probably escape. If you use a naming scheme that keeps distribution lists (DLs) at the top of the GAL, the code is more dangerous because the virus can infect more users. The danger exists that future iterations of similar viruses will apply filters in the code used to retrieve addresses. For example, viruses might specifically target DLs or search for mailboxes belonging to people with titles such as president, CEO, or vice president.
To defend your Exchange servers from this type of attack, you can load a set of dummy custom recipient entries into the GAL (a simple Comma Separated Value—CSV—load file is sufficient for this purpose). The dummy entries can have invalid addresses or redirect all messages sent to the address to a mailbox or public folder that only the systems administrator can access. However, this tactic might confuse users, who might address real messages to the dummy addresses. Because the virus scans through all the containers in the address book, you need to add dummy recipients to each container.
Luring Users to Infected Files
Users naturally open any message with a subject that appears important, and curiosity is enough to make them complete the task by opening the infected document. The Melissa virus lures people to open the document by including the text Here's the important document you asked for... don't show it to anyone else ;-). As soon as the user opens the infected document, the macro code lowers the security settings for Word to let macros run automatically when users open future documents. In other words, Word won't ask users whether they want to run macros—the code just executes! The macro then checks the HKEY_CURRENT_USER\ Software\Microsoft\Office\ Melissa? Registry key. If the key doesn't exist or doesn't contain a value of ... by Kwyjibo, Word executes the VBA code, which sends 50 messages. As a side effect, the virus infects the Word default template (normal.dot) and, therefore, any Word document that the user subsequently opens or creates. To ensure that the VBA code executes, the Papa virus instructs users not to disable the macros in the Excel attachment when they see the prompt after they open the worksheet.
Users who know about these viruses can delete suspect messages as soon as they appear in their inbox—the viruses can't infect systems unless Word launches the payload attachment. Because VBA is the virus' key component, the code is useless if your PC doesn't have a program that supports VBA (e.g., Office 95). Even if your machine has VBA, you need a MAPI client to execute the commands that access and extract entries from the address list and then send the messages. Outlook and the Exchange client all support the MAPI calls. Clients such as Eudora don't. The attack isn't aimed at Microsoft, but it does an excellent job of leveraging Microsoft Office and MAPI de facto desktop standards to achieve maximum disruption.
The current generation of these viruses isn't particularly destructive because they don't delete documents or other data. However, they swamp email networks and can cause servers to stop while you disinfect the Information Store (IS). Microsoft has posted a program to scan an Exchange server and remove any instances of infected messages from mailboxes. You can download the melissa-virus/ file from ftp://ftp.microsoft.com/transfer/outgoing/bussys/mail.
Protection Through Detection
A virus checker provides superior protection and is the recommended course of action. All major virus-checker vendors have updated their products to detect and eliminate the known variants of these viruses, and some companies have posted specific scanners you can use. For example, you can get a free copy of Trend Micro's HouseCall for Exchange from http://www.antivirus.com. Table 1 lists other suitable virus checkers.
Most vendors make 30-day test versions available for download from their Web site so you can test products before you buy. Tests reveal how products work and how suitable they are for your environment. They also reveal potential problems. For example, Norton AntiVirus for Exchange 1.5 surprisingly stores the password for the administration account in the Registry at HKEY_LOCAL_MACHINE\ SOFTWARE\Symantec\NAVMSE\1.5\ ModifyPassword. Because you need to secure the Registry against intruders, this behavior is a potential security flaw that Norton needs to address in a future release of the product.
For all virus checkers, you must download updated pattern files frequently. Pattern files contain details of the signatures or definitions that let checkers recognize viruses. The speed with which new viruses can appear and propagate means that you can defend your system only if you have loaded the latest pattern files.
To achieve maximum protection, you must carry out virus checking at several levels within a messaging system. Ordinary PC virus checkers might not catch these viruses, and updating all the PCs in an organization with a new virus pattern quickly is difficult. You can also perform virus checking at the backbone, but this action doesn't protect viruses that creep in through disk swapping. (For more information about selecting a virus checker, see "Exchange Server and Virus Checkers," January 1999.) If you don't have a copy of a virus checker that supports Exchange Server, buy one now. The next set of email viruses might not be so benign.
Lessons Learned
Melissa did some good. The virus gave anyone who wasn't running a virus checker a wake-up call and forced those who had a virus checker to update their pattern files. More important, the virus illustrated the inherent danger that comes from dependency on an integrated suite such as Office. The virus used one Office component (i.e., Word) to exploit the fact that VBA code could use Outlook to dispatch infected messages. Melissa's effect could have been much worse. Imagine if the VBA code had searched for documents marked Important or Confidential, attached them to messages, and mailed out the messages to your competitors or posted them to an Internet mailing list.
Melissa further proved the need to educate users. Most users are unaware that the documents they open can execute code that can have far-reaching effects. I suspect the number of companies that instruct their users about email viruses will increase dramatically.
