
Thread: Melissa source code

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    147

    Melissa source code

    I attempted to look at the source code for Melissa on a website. I clicked on the link to load the page which was in .txt format, and NAV brought up an alert saying there was a virus on my system.

    My question is, how did NAV show the alert when the code was simply in .txt format and wasn't even on my computer? .txt files can't be used for viruses, can they?

    I just noticed that the files NAV alerted me to were the .txt files stored in the history. Even so, a .txt file can't run a virus, can it?
    Mama always said, keep your virus definitions up to date.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Sorry, I can't answer your question djhuk. But I do have another question. This is a little off the topic of this thread, but here goes:

    Somewhere else on antionline I read that the creator of the Melissa virus was busted because he created the code with Microsoft Word, and Word secretly appended his MAC address to the file. Now, I'm wondering exactly how the FBI was able to track him, or know it was him, by knowing his MAC address...?

  3. #3
    Senior Member Unl3Ashed's Avatar
    Join Date
    Aug 2002
    Posts
    103

    Re: Melissa source code

    Originally posted here by djhuk
    My question is, how did NAV show the alert when the code was simply in .txt format and wasn't even on my computer? .txt files can't be used for viruses, can they?
    Yes, a .txt file can be used for viruses when you compile it.

    As far as I know, antivirus scanners search the files for known virus signatures within them, and if they find the sign of the virus then the AV will alert on it as the virus, like the CIH virus: if you hex edit the infected file you will see the word "CIH".

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    http://www.cert.org/tech_tips/Melissa_FAQ.html

    I can't remember, Melissa was a while ago, but are you absolutely certain it was a .txt and not something like .txt.vbs? Melissa was just a macro code virus, so if you weren't careful, it is possible you could have somehow run it (maybe loading it into Word, for example?)

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Somewhere else on antionline I read that the creator of the Melissa virus was busted because he created the code with Microsoft Word, and Word secretly appended his MAC address to the file. Now, I'm wondering exactly how the FBI was able to track him, or know it was him, by knowing his MAC address...?
    Now I never heard this, but this is very possible. MAC addresses can tell you the manufacturer and then the specific product number. As for him personally, my guess is his ISP was broadband and spilled the information to the FBI, as if the ISP was broadband, they would have to know his MAC address if he connected to their network. So, the manufacturer might have been based close to where the creator was, or they remembered where they shipped some of their parts. And the ISP was probably broadband so they would have to know his MAC address when he connected to their network. Am I making sense? I think I mixed things up a bit.

  6. #6
    Junior Member
    Join Date
    Sep 2002
    Posts
    25
    I would say that most AV systems will look at the first 32 bits of code on a document to see if it matches a known virus signature and if not then they will apply some form of heuristics.

    Important fact to think about when accessing these sites is that some form of Java code may be executing and facilitating the transfer of the actual virus to your machine (in this case a worm)

    As for MAC addresses and forensics the FBI utilizes, it would not be hard to locate a source of infection or originator of a virus with today's forensic utilities. Remember that MAC address information is available on the web and usually is specific to NIC and IP etc... a router or so forth will retain this as well as the TCP packet's header... One could easily tear apart a few packets and get what they need.

    Anyway.... that is my two cents...
    A slice of "Controlled Paranoia" is worth its weight in prevention...... Of course Stupidity and Faith is just fun!!!

  7. #7
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    yanksfan..... yep, that's the story on how the Melissa author got caught... supposedly the MAC address gets embedded within macros created with MS Word.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  8. #8
    NAV and other popular virus scanners (McAfee, The Cleaner, etc.) all work by scanning the contents of a file for specific code snippets.... So, say if an exe file contains
    Code:
    	ghDll_Mpr=LoadLibrary("MPR.DLL");
    	if(ghDll_Mpr==NULL) return -1;

    	if(!g_bIsWinNT) {
    		pWNetEnumCachedPasswords = (ENUMPASSWORD)GetProcAddress(ghDll_Mpr, "WNetEnumCachedPasswords");
    Norton would detect it as Bo2K.... Technically a .txt file cannot give you a virus since it is unformatted text; a .doc, .rtf and other formats could because they use macros among other things.... Hope this helps you
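    A minimal content-signature scanner, added here as an illustration of the point made in posts #3, #6 and #8; it is not code from any AV product or from this thread. The signature byte patterns are constructed placeholders (one borrowed from the snippet quoted above), not real vendor signatures, and the "History" folder it scans is a constructed stand-in for the browser history mentioned in the first post. It shows why the alert fires on a .txt copy: the match is on bytes, not on whether the file can execute.

```python
import re
import tempfile
from pathlib import Path

# Constructed, illustrative signatures: a name mapped to a byte pattern.
# These are placeholders standing in for a real engine's signature database.
SIGNATURES = {
    "Example.MacroVirus.Source": rb"Private Sub Document_Open\(\)",
    "Example.Bo2K.Loader": rb'LoadLibrary\("MPR\.DLL"\)',
}

def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found anywhere in data.
    The extension is never consulted: a .txt holding virus source text
    matches exactly as an executable would, although it cannot run."""
    return [name for name, pat in SIGNATURES.items() if re.search(pat, data)]

def scan_tree(root) -> dict:
    """Walk a directory (e.g. a browser history/cache folder) and report
    file name -> matched signature names for every file with a hit."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            found = scan_bytes(p.read_bytes())
            if found:
                hits[p.name] = found
    return hits

def demo() -> dict:
    """Constructed stand-in for the situation in the thread: a browser history
    folder containing a saved .txt page that quotes macro-virus source."""
    with tempfile.TemporaryDirectory() as d:
        hist = Path(d) / "History"
        hist.mkdir()
        (hist / "melissa_source.txt").write_text(
            "Private Sub Document_Open()\n"
            "' constructed stand-in, not the real source\n"
            "End Sub\n")
        (hist / "readme.txt").write_text("Nothing of interest here.\n")
        return scan_tree(d)
```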

  9. #9
    As for MAC addresses and Forensics the FBI utilizes, it would not be hard to locate a source of infection or originator of a virus with todays forensic utilities. remember that a MAC address information is available on the WEB and usually is specific to NIC and IP etc...a router or so forth will retain this as well as the TCP packets header... One could easily tear apart a few packets and get what they need.
    I believe a MAC header gets stripped out as soon as it leaves the first router. In truth, it wouldn't be very easy to track somebody by their MAC address, it would be fairly difficult, you would have to ask the manufacturer where that card went, and the ISP which customer uses it, and they wouldn't be too eager to give away either of these details. But I'm sure the FBI has enough clout and resources to get any and all info they need from an ISP or computer part manufacturer. And, you could find out who the manufacturer is of a specific card, but pretty much nothing more than that, finding somebody by MAC address wouldn't be so easy.

  10. #10
    believe a MAC header gets stripped out as soon as it leaves the first router
    Correct me if I'm wrong, and I'm sure you will, but your MAC address isn't stripped, it's added with the IP address to the packet in order to find the destination. Also, I don't think that investigators would have to contact the manufacturer, just the ISP since they're the ones with the logs..
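    To settle the question argued in posts #9 and #10, here is an added example (not from this thread) that builds a constructed Ethernet II + IPv4 frame and pushes it through one simulated router hop: the link-layer header, which carries the MAC addresses, is discarded and rewritten for the next link, while the IP addresses stay as they were. The MAC and IP addresses are locally administered and documentation values, not real hosts.

```python
import struct

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum; a valid IPv4 header checksums to 0."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl=64) -> bytes:
    """Ethernet header (dst MAC, src MAC, EtherType IPv4) + 20-byte IPv4 header."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000,
                               ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip)))
    struct.pack_into("!H", ip, 10, checksum(ip))  # fill in header checksum
    return eth + bytes(ip)

def parse(frame: bytes) -> dict:
    ip = frame[14:34]
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
            "ttl": ip[8], "ip_checksum_ok": checksum(ip) == 0}

def forward(frame: bytes, router_out_mac: str, next_hop_mac: str) -> bytes:
    """One router hop: the Ethernet header is thrown away and a new one is
    written for the outgoing link, TTL is decremented and the checksum
    recomputed. The IP source/destination are untouched, so the sender's MAC
    never travels beyond its first router; only its IP address does."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        raise ValueError("TTL expired: a router would drop this packet")
    ip[8] -= 1
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, checksum(ip))
    eth = mac_bytes(next_hop_mac) + mac_bytes(router_out_mac) + frame[12:14]
    return eth + bytes(ip) + frame[34:]

def demo() -> tuple:
    """Constructed sender -> first router -> next hop; returns (before, after)."""
    sent = build_frame("02:00:00:00:00:01", "02:aa:bb:cc:dd:ee",
                       "192.0.2.10", "198.51.100.7")
    after_hop = forward(sent, "02:00:00:00:00:02", "02:00:00:00:00:03")
    return parse(sent), parse(after_hop)
```

    The only place the sender's MAC is ever seen is the first hop's own interface (and that hop's ARP/DHCP logs), which is why an investigator would go to the ISP's access logs rather than to the card manufacturer.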
