
Melissa

Hello again comrades, after lunch, let’s jump in and continue with the Melissa challenge.

Melissa, aka W97M.Melissa.A (Symantec) or Virus:W32/Melissa (F-Secure), is a macro virus that dates back to March 26, 1999. As far as I know, it targets systems based on Microsoft Word and Outlook.

This time it is transmitted via email with the subject line "Important message from" followed by the name of the current user (you will understand immediately lol). Inside it says "Here's that document you asked for. Don't show anyone else ;)", followed by list.doc, which contains porn websites and login information for each site ( wow ;))) ). Then it sends them to the FIRST 50 CONTACTS. It also disables many protection features on Microsoft Word and Outlook.

Enough !!!, come on

shjt, don’t forget the warning

image

Submit the stream number that contains the Melissa macro in the LIST.DOC file (1 points)

First, please go here to download oledump

Then throw in this Melissa

python ./oledump.py LIST.DOC

I see the answer

image

7

After identifying which version of word, Melissa will enable all macros from registry (1 points)

Now let’s continue to investigate it further

python ./oledump.py -s 7 -v LIST.DOC

So it checked that Word 9.0 was running and…

image

9.0

What is the email service targeted by Melissa (1 points)

You’ve seen it, not in the photo above

Outlook

How many number of email addresses were collected (1 points)

It will repeat until 50 is reached

image

50

What is the string used by melissa to identify whether a PC is infected or not and decide whether to collect email addresses or not (2 points)

It’s easy, isn’t it ? .–.

image

… by Kwyjibo

What is the variable responsible for identifying the email username of the infected PC (2 points)

image

Application.UserName

What is the text in email body used for spreading melissa (1 points)

In the photo above .-.

Here is that document you asked for … don’t show anyone else ;-)

What is the text that is inserted by Melissa in an open word document? (1 points)

image

Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.
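The strings found in the answers above can be checked automatically against macro source text, such as the output of the `oledump.py -s 7 -v` command. This is an added example, not part of the original post or of oledump: the indicator names, the helper functions and the sample text are constructed here, and the sample is a stand-in rather than the real macro.

```python
import re

# Indicators taken from the answers in this write-up (not a full signature).
INDICATORS = {
    "word_9.0_check": r"\b9\.0\b",
    "outlook_automation": r"outlook",
    "infection_marker": r"by Kwyjibo",
    "username_lookup": r"Application\.UserName",
    "mail_subject": r"Important message from",
    "mail_body": r"document you asked for",
}

def logical_lines(vba_source):
    """Yield (first_line_no, text) with VBA ' _' line continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(vba_source.splitlines(), 1):
        start = start or no
        buf += raw.rstrip()
        if buf.endswith(" _"):
            buf = buf[:-1]  # drop the underscore, keep reading
            continue
        yield start, buf
        buf, start = "", 0
    if buf:
        yield start, buf

def normalize(text):
    """Collapse "a" & "b" concatenation so split string literals still match."""
    return re.sub(r'"\s*&\s*"', "", text)

def triage(vba_source):
    """Return {indicator: [line numbers]} for every indicator that matched."""
    hits = {}
    for no, text in logical_lines(vba_source):
        flat = normalize(text)
        for name, pattern in INDICATORS.items():
            if re.search(pattern, flat, re.IGNORECASE):
                hits.setdefault(name, []).append(no)
    return hits

# Constructed stand-in, NOT the real macro; Version, Marker etc. are hypothetical.
SAMPLE = '''If Version = "9.0" Then EnableMacros
Set App = CreateObject("Out" & "look.Application")
If Marker <> "... by " & _
    "Kwyjibo" Then CollectAddresses
Subject = "Important message from " & Application.UserName
Body = "Here is that document you asked for ... don't show anyone else ;-)"
'''
print(triage(SAMPLE))
```

Joining continued lines and collapsing `"..." & "..."` before matching means a marker split across literals or lines is still reported, against the line where the statement starts.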

Well, this challenge is over, see you tomorrow

goodbye, thank you for reading until now //~//

This post is licensed under CC BY 4.0 by the author.