
CA-99-04-Melissa-Macro-Virus

I. Description

The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header:

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text:

Here is that document you asked for ... don’t show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document called “list.doc”. This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

CHAPTER 9 THE $80 MILLION LAP DANCE… 147

The macro then checks to see if the registry key

“HKEY_Current_User\Software\Microsoft\Office\Melissa?”

has a value of “... by Kwyjibo”. If that registry key does not exist or does not have a value of “... by Kwyjibo”, the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.

This virus can not send mail on systems running MacOS; however, the virus can be stored on MacOS.

Next, the macro virus sets the value of the registry key to “... by Kwyjibo”. Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates, the virus may execute without warning. For more information please see: http://www.microsoft.com/security/bulletins/ms99-002.asp

Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.”

Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the “document.open” method. You can see the code by going into the Visual Basic editor.

If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at:

http://www.cert.org/tech_tips/incident_reporting.html

II. Impact

■ Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user’s document to be propagated instead of the original document, and thereby leak sensitive information.

■ Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.
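A gateway-side check for the indicators this advisory lists, written here as an added example (it is not CERT's code and is not part of the original advisory): it parses a raw MIME message with Python's standard email library and flags the Subject prefix, the body text and the application/msword attachment described above, and also applies an exact-match subject blocklist of the kind sites used to stop such messages at the mail server. The sample messages, sender names and attachment bytes are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text above.
MELISSA_SUBJECT_PREFIX = "Important Message From"
MELISSA_BODY_MARKER = "Here is that document you asked for"
MELISSA_ATTACHMENT_NAME = "list.doc"   # weak: the advisory expects other names too

# Exact-match subject blocklist (lowercased); "I Love You" is the subject line
# organizations filtered during the Love Letter outbreak.
BLOCKED_SUBJECTS = {"i love you"}

# Constructed placeholder for an OLE2 document body; only the first bytes matter here.
FAKE_DOC_BYTES = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24


def build_message(sender, subject, body, attachment=None):
    """Build a raw RFC 5322 message (bytes) for testing the filter."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.test"   # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="msword",
                           filename=name)
    return msg.as_bytes()


def classify(raw_message):
    """Return the list of indicator names matched by a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    reasons = []

    if subject.lower() in BLOCKED_SUBJECTS:
        reasons.append("blocked subject line")

    # Walk every MIME part: the advisory's transport message is multipart with
    # a text/plain section and an application/msword section.
    word_parts = [p for p in msg.walk()
                  if p.get_content_type() == "application/msword"]
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    if word_parts and subject.startswith(MELISSA_SUBJECT_PREFIX):
        reasons.append("Melissa subject + Word attachment")
    if word_parts and MELISSA_BODY_MARKER in body_text:
        reasons.append("Melissa body text + Word attachment")
    if any(p.get_filename() == MELISSA_ATTACHMENT_NAME for p in word_parts):
        reasons.append("Melissa attachment name")
    return reasons


def should_quarantine(raw_message):
    """Quarantine on any strong indicator; the attachment name alone is not enough."""
    strong = {"blocked subject line",
              "Melissa subject + Word attachment",
              "Melissa body text + Word attachment"}
    return bool(strong.intersection(classify(raw_message)))


# Constructed sample messages (not real captures).
def melissa_sample():
    return build_message("Jane Doe <jane@example.test>",
                         "Important Message From Jane Doe",
                         "Here is that document you asked for ... don't show anyone else ;-)",
                         attachment=("list.doc", FAKE_DOC_BYTES))


def love_letter_subject_sample():
    return build_message("someone@example.test", "I Love You", "kindly check the attachment")


def benign_sample():
    return build_message("bob@example.test", "Q3 budget draft",
                         "Attached is the draft we discussed.",
                         attachment=("budget.doc", FAKE_DOC_BYTES))


if __name__ == "__main__":
    for name, raw in (("melissa", melissa_sample()),
                      ("love-letter-subject", love_letter_subject_sample()),
                      ("benign", benign_sample())):
        print(name, should_quarantine(raw), classify(raw))
```

The subject and body checks are each tied to the presence of a Word attachment, which keeps a plain reply that happens to quote the advisory's text from being quarantined; a benign .doc with an ordinary subject passes, while the blocklisted subject is stopped whether or not anything is attached.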

“My Baby, She Wrote Me a Letter…”

Written in VBScript, the Love Letter worm propagates in a variety of ways, including sending copies of itself to everyone in your Microsoft Outlook address book, overwriting certain file types (e.g., .jpeg and mp2) so that it executes when you double-click those files, and even exploiting IRC chats to infect other participants.

In its original “Love Letter Worm” advisory (CA-2000-04), released on Thursday, May 4, 2000, CERT reported more than 250 individual sites and more than 300,000 individual systems had been affected. Several sites had suffered “considerable network degradation as a result of the mail, file and Web traffic generated by the malicious program.”

Spreading westward from the Philippines, Love Letter did an estimated $10 billion in damages. Eighty percent of U.S. Federal Government agencies were infected. Thirty percent of British e-mail systems were infected. Seventy percent of German systems were infected. Eighty percent of all Swedish systems were infected.

Even ATM systems in Belgium were shut down.

According to initial news reports on May 4, Vodafone AirTouch, Time Warner, Seagram, Silicon Graphics, the British House of Commons, the U.S. Department of Defense, the Federal Reserve, Cox Cable, DaimlerChrysler, the Motion Picture Association of America (MPAA), the Buenos Aires newspaper La Nacion, and the Colombian Finance Ministry were among the many large or prominent organizations hit hard.

Some industry analysts estimated that 43 million users were infected within the first 24 hours and that 1.9 million of them opened the attachment to release the worm. In subsequent reports, on Friday May 5, Ford Motor Company acknowledged that 125,000 of its e-mail users worldwide had been affected. Nextel—like Vodafone, a wireless phone company—shut down e-mail for all its 13,000 employees.

Other organizations mentioned on the second day of the crisis included AT&T, Merrill Lynch, Delta Air Lines, Northwest Airlines, National Public Radio, Lucent, the Philadelphia Inquirer, the U.S. Department of Transportation, and the Florida State Lottery.

On Saturday May 6, the third day of the crisis, New Zealand Telecom’s Xtra Internet service deleted 17,000 messages containing the Love Letter.

Clearly, many organizations did not learn the lessons of the Melissa outbreak. Organizations that did learn the lessons had filters (i.e., they blocked all messages with the subject line “I Love You”) in place within 15 minutes. They had updated DAT files from the anti-virus vendors within one hour. Their user populations could not even pick up their phones without hearing about what was expected of them in the crisis. These organizations were ready because those responsible were prepared, vigilant, and empowered.

I placed a call to Padgett Peterson of Lockheed Martin (Orlando, Florida). After all, Padgett had been, like John the Baptist, a voice in the wilderness, warning of such attacks both before and after Melissa.

Peterson lays much of the blame on Microsoft’s door.

“Move the clock back to March 1998,” he begins. “Do you remember what I was talking about? I said that we were in a lull. I said that VB scripting, particularly Microsoft’s inclusion of ‘create object to get object’ was going to be a problem. No one knew what I was talking about. Well, guess what ‘I Love You’ used?

“If Microsoft were split up so that you had Office on one side and the Windows OS on the other side,” he continues, “there would have to be open publishing of the standards used to communicate between the two. People wouldn’t be surprised when I said things like, ‘Common Data Objects (CDO) is going to hurt us.’ All these vulnerabilities would be open for examination.”

Meanwhile, unlike the Melissa manhunt or some of the other cases documented in Tangled Web, the investigation soon fell apart.

On May 6, Reuters reported that Philippine police were awaiting a judge’s warrant to arrest a man suspected of creating the Love Letter worm. The suspect was described to the press as a “23-year-old man living in Pandacan, a crowded suburb of Manila.” “Our operatives are out in the field for surveillance,” Nelson Bartoleme, head of the National Bureau of Investigation’s (NBI) anti-fraud and computer crimes division told the wire service. “Gosh darn it, we’re ready to go. We just have to find a judge.”

Are you following this twist in the story? Can you imagine it?

Let’s say you are responsible for releasing the most devastating malware attack in the short but poignant history of cyberspace. Let’s say you are—strictly for argument’s sake—“a 23-year-old man living in Pandacan, a crowded suburb of Manila.”

You read on the Internet about a suspect who matches your description and is believed to be in a location that matches yours.

Surveillance is supposed to be in place. Look out the window. If you cannot detect the undercover officers, maybe the CNN cameras will tip you off.

On May 8, an arrest was made. Filipino authorities took Reomel Ramones, 27, into custody. Irene de Guzman, Ramones’ 23-year-old girlfriend, was also sought. Investigators believed her computer was used to launch the worm.

Of course, by the time the NBI found the judge to sign the papers, fought their way through the CNN cameras, and went inside the suspects’ apartment, both the young woman and her computer were gone.

The Reuters story described Ramones and de Guzman as “bank employees” and “a quiet, unassuming couple.”

On May 9, the Associated Press reported that Ramones’ relatives claimed he was innocent. They pointed accusing fingers at de Guzman’s brother, a 23-year-old man named Onel de Guzman, who also lived in the apartment.

The NBI termed Onel de Guzman as “a person subject to investigation.”

On May 10, ZDNet Asia reported that while a student at AMA Computer College (AMACC) in Manila, the young man had submitted a thesis titled “Trojan Horse.” In the paper, he proposed writing a program so that “people, specifically Internet users, can get Windows passwords, such as Internet accounts, to spend more time on the Internet without paying.” The thesis was rejected.

On June 15, the Washington Post reported that the NBI was preparing to go ahead with criminal charges.

“After a month-long investigation, authorities have concluded that the student, Onel de Guzman, who lived in a dilapidated Manila apartment from which the virus was released and whose thesis proposal was similar to portions of the bug, was responsible for sending out the electronic plague in an ill-fated effort to steal Internet-access passwords from people in the Philippines.

But de Guzman will be charged only with fraud and malicious mischief, crimes that have relatively light penalties in the Philippines because the country does not have laws that specifically forbid the dissemination of computer viruses, officials said.”1

On June 29, CNN reported that the NBI had, indeed, used a credit-card fraud law to charge de Guzman.

NBI officials said they had charged de Guzman with violation of the Access Device Act which covers illegal use of passwords for credit cards and other bank transactions.

The Philippine Justice Department will make the decision whether to proceed based on the evidence the NBI has said it has gathered.

The NBI said that among the evidence it has compiled are de Guzman’s computer school thesis proposal in which he described a Love Bug-type program he wanted to write for the project. Investigators said they had also compiled interviews and other computer evidence pointing to de Guzman.2

Well, “case closed” doesn’t really apply here. After all, a suspect who is allegedly responsible for financial losses in the billions of dollars around the world is being charged under an ill-fitting statute in the Philippines.

There is an ominous warning that echoes through the Melissa and Love Letter outbreaks. It could have been a lot worse, as Peterson observed.

“A professional could have written the Love Letter code so that the first thing it did was run some test commands to see which board set the system used,” Peterson explains, “then it would have flashed the system’s BIOS. You would have ended up with a non-bootable system that would have required a hardware change to make it usable again. There isn’t a single enterprise in this country that couldn’t be taken out in about 30 minutes by a dedicated professional.”


1. “‘Love Bug’ Charges to Be Filed” by Rajiv Chandrasekaran, Washington Post, June 15, 2000

CERT® Advisory