ZDNet UK


Feds issue warning as virus spreads

ZDNN, US ZDNet US

Published: 29 Mar 1999 08:46 BST

The "Melissa" virus continued to spread across the Internet this weekend, causing a growing number of e-mail disruptions and prompting federal law enforcement agencies to issue a special warning.

The warning from the FBI and National Infrastructure Protection Centre marked the government's first major attempt to prevent a computer disaster. In a statement issued Sunday, the NIPC, a special unit created to protect the nation's information assets, said it had received "widespread reports" that the virus has propagated into commercial, government and military e-mail gateways and systems.

Security experts characterised Melissa as the fastest-spreading computer virus they've ever encountered. They reported a mounting number of incidents, even as e-mail traffic underwent its traditional weekend slowdown. Officials of the Computer Emergency Response Team (CERT) at Carnegie Mellon University reported that by early Sunday evening more than 100 sites had been hit by the virus. "These organisations have hundreds and thousands of machines that can't get e-mail," said Jeff Carpenter, the team leader for incident response.

But that's nothing compared to what could happen on Monday, said CERT's Carpenter. "When the workforce goes back to work, this is going to be a major problem," he said.

The Melissa virus is essentially a simple Word macro, which is a script for automating tasks within Word documents.

It spreads when a user opens an infected Word 8 or Word 9 document -- in either Office 97 or 2000 -- and executes the macro script. In some cases, however, the virus can even spread automatically among those users who have configured their systems not to notify them when a macro is launched.

The macro prompts Microsoft's Outlook e-mail program to send a document to the first 50 addresses in a user's address book, under the subject line "Important Message From" and then the user's name. "Here is the document that you asked for," the text inside the message reads. "Don't show anyone else ;-)."

Even people who don't use Outlook are at risk. As long as Outlook is set up to send mail, the infected documents will be sent. In addition, the default Word template -- normal.dot, which acts as the basis of every new document that the user creates -- is infected with the code. Subsequent Word documents created by the user will also contain the virus.

The virus is thought to have originally spread through a posting on the alt.sex newsgroup that advertised the accompanying Word document as a list of passwords to various pornographic Web sites. A signature file included in the virus dubbed the nasty code as "Melissa" and identified the author by the handle "Kwyjibo."

While the virus spreads extremely quickly, it does little actual damage to user files. Outside of the actions taken to replicate itself, the only other modification made by "Melissa" occurs when the current hour equals the current date. For example, at 2:27 p.m. on March 27 the virus will copy the following Bart Simpson quote into the current document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

"Because there's so much e-mail passing through a server, it's basically taking down the servers," said Srivats Sampath, a general manager of anti-virus firm McAfee, a unit of Network Associates Inc.

Meanwhile, IT officials across the country are rushing to warn users of the problem, telling them not to open the document attached to the message and to update their anti-virus software.

The FBI and NIPC issued their warning as a preventive measure. "E-mail users have the ability to significantly affect the outcome of this incident," said Michael Vatis, director of NIPC. "I urge (them) to exercise caution when reading their e-mail over the next few days and to bring unusual messages to the attention of their system administrator."

At Microsoft, the company suspended all incoming and outgoing Internet mail Friday. "We're a victim, like any other company on the outside," said a Microsoft spokesman.

The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus. "We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a "malicious macro virus." At least one division of Intel also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result. David Perry, who billed himself as a product marketing manager from antivirus company Trend Micro Inc. on a newsgroup posting, said he was called away from his vacation to deal with clients experiencing the virus. Yet another Netizen said her husband was at work until 11 p.m. dealing with the virus, which apparently had attacked Motorola Corp.'s offices in Fort Worth, Texas.

For John Merritt, one of the network support staff for the School of Public and Environmental Affairs at Indiana University, the hint that something big was happening came at around 4 p.m. on Friday. Another network administrator came to Merritt with four messages sent in by various users. "Most of the messages started from the Bloomington campus," said Merritt. "They said 'Important Message From' such and such a professor, so it looked like they were coming from a legitimate source." While the network began to slow down, it never stopped. Instead, soon after the e-mails were discovered, the university took down its Microsoft Exchange servers -- servers that had only been installed a few weeks before. "The system slowed down a bit, but it really wasn't a problem until we had to take it down," said Merritt.

Multiply the reaction of Indiana University by hundreds, if not thousands, on Monday, and "Melissa" could rival the Cornell Internet Worm released in 1988. Still, the fixes recommended by CERT and others are fairly straightforward, and if followed, could stop the virus fairly quickly.

Indiana University installed a filter that returns any e-mail containing the virus's signature subject line to the original sender, one of CERT's recommendations. The centre also advised users to use virus scanners and to disable Microsoft Word macros.
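The subject-line filter described above, written out as an added example (it is not code from the article, CERT or Indiana University). It goes a little beyond the article by also checking for a Word attachment and the quoted body text before returning a message to its sender; the function names, the bounce/flag/deliver policy and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article; matched case-insensitively.
SUBJECT_PREFIX = "important message from"
BODY_MARKER = "here is the document that you asked for"
WORD_EXTENSIONS = (".doc", ".dot")


def classify(raw_bytes):
    """Return 'bounce', 'flag' or 'deliver' for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words and unfolds long headers;
    # collapsing whitespace defeats trivial spacing variations.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if not subject.startswith(SUBJECT_PREFIX):
        return "deliver"
    has_word_doc = any(
        (part.get_filename() or "").lower().endswith(WORD_EXTENSIONS)
        for part in msg.iter_attachments()
    )
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    # Assumed policy: subject plus a second indicator is returned to sender;
    # subject alone is held for an administrator to review.
    if has_word_doc or BODY_MARKER in text:
        return "bounce"
    return "flag"


def build_sample(subject, body="See you at the meeting.", attachment=None):
    """Build a constructed test message (not captured traffic)."""
    m = EmailMessage()
    m["From"] = "sender@example.edu"
    m["To"] = "staff@example.edu"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("Important Message From Jane Doe",
                                attachment="list.doc")))   # bounce
    print(classify(build_sample("Lunch on Monday?")))       # deliver
```

A prefix match misses replies and forwards ("Re: Important Message From ..."), so a filter like this complements the virus scanners and macro settings CERT also recommended.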

Yet the quickest fix, said Indiana University's Merritt, is a healthy dose of common sense. "If your PC asks you if it is all right to run a macro, just say no," he said. "It surprises me that users hit yes, when they know nothing about the document."

David Styka, the chief financial officer for ClickNet Inc., a small software developer in San Jose, California, says Melissa came to his attention after a female employee came to him to complain about the pornographic attachment that had been forwarded to her from a customer. He thought he was dealing with a potential case of sexual harassment.

Within minutes after his MIS manager opened the file as the first step in an investigation, they realised they had a virus on their hands, and it infected computers throughout the company within minutes. He said his MIS manager was working the weekend to put the virus in check. The company shut down its mail server. "My MIS guy is going desktop to desktop to clear it out."

"This is really scary," Styka said. The reason: "I don't think anybody knows all the ramifications. Even though we're going desktop to desktop, we don't know if anyone has saved the file to their hard drive and will attempt to open it at some later date -- and start the infection all over again." What's more, he wonders, "How many customers did we accidentally send this to -- and what are they going to think when they open it up on Monday morning?"

It's a question that's on a lot of people's minds.

Additional reporting for this story by Lisa Bowman, Patrick Houston, Charles Cooper and Sean Silverthorne of ZDNN, and Mary Jo Foley of Sm@rt Reseller
