Scribd Logo
Upload

Welcome to Scribd!

  • Lab 4 Report

    Uploaded by

    Zaynab Sada
    44 views6 pages
    This document describes experiments conducted on the Melissa virus in Microsoft Excel. The Melissa virus was originally spread through email attachments in 1999. It would infect Microsoft Word documents and email copies to 50 addresses in the victim's address book. Variants could delete or destroy Excel documents. The experiments observed how Melissa invokes itself by opening Outlook when an infected document is opened, captures the user's email profile to send copies, and checks the Windows registry to avoid re-infecting computers.

    Original Description:

    Melissa Virus

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document describes experiments conducted on the Melissa virus in Microsoft Excel. The Melissa virus was originally spread through email attachments in 1999. It would infect Microsoft Word documents and email copies to 50 addresses in the victim's address book. Variants could delete or destroy Excel documents. The experiments observed how Melissa invokes itself by opening Outlook when an infected document is opened, captures the user's email profile to send copies, and checks the Windows registry to avoid re-infecting computers.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    44 views6 pages

    Lab 4 Report

    Uploaded by

    Zaynab Sada
    This document describes experiments conducted on the Melissa virus in Microsoft Excel. The Melissa virus was originally spread through email attachments in 1999. It would infect Microsoft Word documents and email copies to 50 addresses in the victim's address book. Variants could delete or destroy Excel documents. The experiments observed how Melissa invokes itself by opening Outlook when an infected document is opened, captures the user's email profile to send copies, and checks the Windows registry to avoid re-infecting computers.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    LAB PROJECT IV

    Submitted to:
    Mr. Armin Mehri
    By
    Zainab Sada - 149190
    Yakubu Abdulrazak - 138859
    Oyinbobola Shalom Owojori - 128236
    CMSE 353 Security Of Software Systems
    Instructor: Assoc. Prof. Dr. ALEXANDER G. CHEFRANOV
    in
    Faculty of Engineering
    Department of Computer Engineering
    Eastern Mediterranean University

    OUTLINE
    I.
    II.
    III.

    Problem Definition
    Introduction
    Experiments
    (a) How It Is Invoked
    (b) How It Disables Security
    (c) How It Checks And Marks That The Victim Computer Is
    Infected

    I. PROBLEM DEFINITION
    This report is about the Melissa virus in context of MS Excel. We are to run the
    virus and observe and explain what it does and how it works.

    II. INTRODUCTION
    The Melissa virus is a macro virus that was spread through email attachments in
    1999. It was originally contained within a Microsoft Word file that, once opened, emailed
    the virus to 50 addresses within the victims address book. Although the original Melissa
    had no malicious payload, variants soon appeared that could delete or destroy Microsoft
    Excel documents. The Melissa virus may also be known as Mailissa, Simpsons, Kwyjibo
    or Kwejeebo.
    The original Melissa increased the overall burden on email servers every time it
    infected a new user and eventually resulted in server overload, turning Melissa into a
    denial of service (DOS) attack. Most of the damages associated with Melissa were the
    result of lost productivity while email servers were down.

    III. EXPERIMENTS
    (a) How It Is Invoked

    It opens the Outlook mail program when an infected document is opened.


    It captures and uses the infected user profile, through calls to MAPI.
    It creates an e-mail message with the following characteristics:
    Subject:
    Important Message From "senders name"
    Message:
    Here is that document you asked for ... don't show anyone else ;-)
    Attachments: a file with a DOC extension.
    The recipients of this message are the first fifty addresses that Melissa finds in
    the Outlook Address Book.

    CODE: OnErrorResumeNext
    Tells the computer to ignore errors caused by the Melissa virus

    (b) How It Disables Security


    When a user opens an infected document, the virus will attempt to e-mail a copy
    of this document to up to 50 other people, using Microsoft Outlook. It infects a
    MS Word 97 and MS Word 2000 document by adding a new VBA5 (macro)
    module named Melissa. Although there is nothing unique in the infection routine
    of this macro virus, it has a payload that utilizes MS Outlook to send an
    attachment of the infected document being opened.

    It goes memory resident.

    It disables the Word antivirus protection for documents with macros.


    As a result, Word does not ask the users confirmation to enable or disable
    macros included in documents, when these are opened.

    It prevents users from working with macros, both in Word 97 and Word 2000.
    In Word 97, it disables the Macro option in the Tools menu.
    In Word 200, it disables the Macro option in the Tools menu.

    It sends itself out to the first fifty addresses found in the Outlook Address
    Book.

    It infects Word 97 and Word 2000 documents as well as global template.

    For Word 2000:


    CODE:
    Then
    CommandBars("Macro").Controls("Security...").Enabled=
    FalseSystem.PrivateProfileString("",
    "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\S
    ecurity","Level")=1&
    Disables access to Marco security controls
    Sets security setting to the lowest level
    For Word 97:

    CODE:
    Else
    CommandBars("Tools").Controls("Macro").Enabled=False
    Options.ConfirmConversions=(11):
    Options.VirusProtection=(11):
    Options.SaveNormalPrompt=(11)
    Disables access to Marco security controls
    Turns off virus protection and other warning.

    (c) How It Checks And Marks That The Victim Computer Is Infected
    When an infected document is opened, Melissa checks if the Microsoft
    Office registry key has a subdirectory named "Melissa?" exists with "... by
    Kwyjibo" set as its value. If the value has been set, the virus will not perform the
    mailing routine. If the value is not set, the virus mails itself to fifty addresses in
    the user's Address Book.
    If the computer was never infected:
    Gets the first 50 e-mail addresses from every list in Outlook
    Attaches current (infected) document to e-mail
    Sends e-mail
    Then sets Melissa installed flag in the Windows registry
    If the computer was already infected:
    If the current document or default template used for setting up Word document is
    not yet infected, it is then marked for infection
    Template is marked for infection
    Melissa infects the Normal.dot template, which is used by default in all
    Word documents. This gives the virus the ability to infect and send other
    documents than just the porn site list, potentially leaking sensitive information.
    Users can also unknowingly spread the virus when other documents become
    infected and they send them to another computer. If any document is opened or a
    new document is created, that document will be infected.
    Virus is copied line by line into the Document_Close macro of template
    Document is marked for infection Virus is copied line by line into
    Document_Open macro of the document

    You might also like