Network managers moved quickly over the weekend to control the virus, called W97M Melissa, which takes advantage of users' email address books to replicate extremely quickly.
As reported previously by CNET News.com, once activated, W97Melissa uses a combination of Microsoft Word macros and Microsoft Outlook on a user's PC to send copies of a list of 80 pornographic Web sites. It works with either Word 97 or Word 2000, according to antivirus companies TrendMicro, Symantec, and Network Associates.
The program is somewhat devious in that it sends itself from the email addresses of people who are likely to be familiar contacts, arriving as email with the subject line "Important message from..." followed by the sender's name. The body says "Here is that document you asked for...don't show anyone else ;-)." The email includes an attached Word file "list.doc," which includes the porn sites' addresses.
It could take more than several days to get the virus under control, experts said. TrendMicro is warning that 20 to 30 variants of the virus could show up by tomorrow, making filtering the virus at the email server level even more difficult.
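A sketch of the server-level filtering mentioned above, added here as an example and not code from CERT or any vendor named in this article: it scores a message against the subject line, body text and attachment name described earlier, so that a variant changing one of them is still held for review. The function names, thresholds and sample messages are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators as described in the article for the original message.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"
ATTACHMENT_NAME = "list.doc"
WORD_EXTENSIONS = (".doc", ".dot")

def indicators(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 822 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    part = msg.get_body(preferencelist=("plain",))
    body = " ".join(part.get_content().lower().split()) if part else ""
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    return {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": BODY_PHRASE in body,
        "attachment_name": ATTACHMENT_NAME in names,
        "word_attachment": any(n.endswith(WORD_EXTENSIONS) for n in names),
    }

def verdict(raw: bytes) -> str:
    """Assumed policy: text traits only matter alongside a Word attachment."""
    hits = indicators(raw)
    text_hits = hits["subject"] + hits["body"] + hits["attachment_name"]
    if not hits["word_attachment"] or text_hits == 0:
        return "deliver"
    return "quarantine" if text_hits >= 2 else "review"

def build(subject: str, body: str, filename: str = "") -> bytes:
    """Construct a sample message; the attachment bytes are a harmless stub."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="msword", filename=filename)
    return msg.as_bytes()

# Constructed samples: the message as described, a renamed variant, normal mail.
ORIGINAL = build("Important message from A. Sender",
                 "Here is that document you asked for...don't show anyone else ;-)",
                 "list.doc")
VARIANT = build("Re: quarterly numbers",
                "Here is that document you asked for", "report.doc")
BENIGN = build("Minutes from Tuesday", "Agenda attached.", "minutes.doc")

print({n: verdict(r) for n, r in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]})
```

Text matching of this kind only narrows the queue; the variants TrendMicro expects can change every one of these strings, which is why the macro-disabling and antivirus updates described below still matter.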
"This has the potential to get worse before it gets better," said Jeff Carpenter, team leader of Carnegie Mellon's Computer Emergency Response Team (CERT). As of last night, more than 100 organizations had called CERT for help, he said. "We've never seen something spread like this before."
Carpenter said companies are taking steps to combat the virus by posting warnings for employees on their front-door entrances, rolling out new versions of antivirus packages to protect PCs, advising employees not to open email attachments from users they do not know, and disabling macros in Microsoft Word.
Over the weekend, CERT issued an advisory detailing how users can combat Melissa.
Carpenter said companies such as law firms and accounting firms are particularly wary about the risk, as confidential information from a Word document can leak out via email as a result of the virus.
The virus doesn't appear to cause any damage to infected computers except in rare cases when the minutes of the current time match the date--for example at 4:26 p.m. on March 26. In this instance, the virus will insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here," into a user's active document.
Because the virus sends itself to potentially thousands of contacts contained in a user's address distribution list, however, there's a possibility that the virus could overwhelm mail servers. Users won't get the virus by opening up a message, only by opening the attached document.
Even the FBI and the National Infrastructure Protection Center have issued an unprecedented public warning about the virus. Michael Vatis, director of the NIPC, stated in a memo, "Email users have the ability to significantly affect the outcome of this incident. I urge [them] to exercise caution when reading their email over the next few days and to bring unusual messages to the attention of their system administrator."
The virus first was spotted last Friday, according to TrendMicro and others. It is believed to have originated in Western Europe and was first discovered on the alt.sex newsgroup.
"We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at TrendMicro, when contacted last Friday. "It's spreading extremely quickly. Twenty major corporate sites have called us."
Melissa is similar to an "autospam" virus called "Share Fun" that emerged in March 1997, Schrader said, but that virus was buggy and not as effective. There have been viruses that spread through the address books in the past, "but never this effectively," Schrader said.
Network Associates estimated the virus has already hit hundreds of thousands of computers. Microsoft shut down outbound mail so it wouldn't impact customers or partners last Friday. However, after installing filtering software the company resumed outbound mail service. Waggener Edstrom, Microsoft's public relations agency, also got hit by Melissa, which brought the agency's email system down. Intel was hit internally as well.
Twenty of Network Associates' largest clients were infected; one firm alone said it had reached 60,000 computers. "The propagation rate has been alarming," a company spokesperson said.
Tom Moske, a network administrator at USWeb/CKS, ran into the virus this afternoon when the virus spread itself from people in his company who had opened the attachment.
And he had cause to appreciate the devious nature of the virus, since it spread from employees in his company to the business clients of USWeb/CKS.
"It's the most intrusive I've ever seen," he said. "This is worldwide spam."
TrendMicro said the virus can be detected using its free Web-based "house call" service.
Because the virus spreads itself automatically, it could be termed a "worm." The author apparently appreciated this, remarking in the virus code: "Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"