How the email worm works

The new virus emerged this week, spreading from user to user by taking advantage of automation features available to users of Microsoft email software on Windows machines.

Like Melissa, it requires some active participation of the victim: opening the malicious file, or "payload," attached to the email message. And again like Melissa, the malicious program then modifies the victim's computer system to send more copies of itself automatically by email. (See CNET Topic Center on antivirus software.)

To encourage a person to open the attachment, both malicious programs use the similar ploy: Trick the victim into thinking he or she has just received a useful document from a trusted source. Both programs can get away with this, because the infected email comes from a person likely to be known by the recipient.

But there the differences end. Where Melissa was relatively benign to users, Worm.ExploreZip deletes Microsoft Word, Excel, and Powerpoint document files, said Wes Wasson, head of security products marketing at Network Associates.

Where Melissa tapped into address books set up in Microsoft Outlook, Worm.ExploreZip's modus operandi is just to bounce back incoming email automatically with a response including the malicious program, Wasson said.

That means Worm.ExploreZip will spread more slowly, he said. "How fast it spreads correlates to how many emails you get," he said.

Melissa, on the other hand, sent itself to 50 entries in the address book, and those entries themselves could each be mailing lists.

Regardless of their propagation rate, both viruses depend on automated email features. Worm.ExploreZip basically uses a modified version of the same feature that allows a person on vacation to set up email software to automatically reply with an "try back later" message, Wasson said.

The advent of email as a distribution mechanism has allowed a new class of viruses, Wasson said. In the old days, viruses had to be smaller, but Worm.ExploreZip is comparatively huge at more than 200 kilobytes, he said.

"Now with email, I don't have to be slim like I was before," Wasson said. "Viruses and worms can be written in [the programming language] C. This is really cutting-edge science."

The increasing power of email viruses means that sophisticated hackers who once looked down on viruses now see them as powerful tools to obtain information stored on target computers, particularly because using email makes it easier to obscure the origin of the attack, he said.

"The hacker believes the virus is going to be more of a stealth approach," he said.

Selling security
Antivirus software sellers profit from virus scares. Sales of antivirus software jumped 67 percent in the week the Melissa virus hit, according to market research firm PC Data.

Network Associates' Wasson acknowledges the sales boost, but insists his company is out there to help people, pointing as evidence to the company's free, virus clinic detection services available over the Internet.

"Rather than hold [people] hostage and take advantage of an incident, we'll give it to them for free," he said.

Network Associates' competitor TrendMicro offers a similar service.

As more companies begin to become more wary of the risks posed by the Internet, Network Associates is offering more security consulting services. For example, the company hires itself out to find vulnerabilities in computer systems, Wasson said.

"Customers come to us all the time, saying check my security out, bang on my firewall," he said, referring to the protective software designed to keep computer networks safe from unauthorized access.

In addition, the company is offering new software next month called CyberCop Sting that not only sets off alarms when there's a burglar, but also lets companies set up decoy systems to lure intruders and record information about them, Wasson said. The strategy is similar to the technique described by author Clifford Stoll in his book, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage.