Melissa's mischief hits all sides
Although antivirus software can neutralize the virus, the original virus and a flurry of copycats are shaking up not only the antivirus community but also the virus writers themselves.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
The virus, spurred by a self-propagation mechanism, spread rapidly after it was introduced on the "alt.sex" newsgroup on Friday. The effect of the virus, however, has run the gamut from being completely benign to forcing companies to shut down servers.
"It's all over the board," said Gordon Twilegar of Computer Associates. Other software vendors had similar assessments.
But the virus made for a long weekend for antivirus companies, and some, such as TrendMicro, have been forced to speed up their virus update schedule from weekly to daily to keep up with the virus and the large number of variations.
At the same time, virus writers themselves have been taken by surprise, stung by the discovery of a way to "fingerprint" virus authors. Some virus sites, such as SourceOfKaos, have been taken offline.
Richard Smith, president of Phar Lap Software, was a key player in the discovery that got virus authors running. He helped the effort to track down the virus author by finding a part of the original Word file that uniquely identifies the network card in the author's computer. But the virus authors already caught on to that technique, Smith said, replacing those identifiers with a meaningless string of sixes to obscure their tracks.
Smith turned over his information to the FBI, which is determining whether to investigate the Melissa virus.
One company under the aegis of Network Associates had 60,000 infected computers, while America Online said it didn't notice a significant increase in email traffic. Microsoft was somewhere in-between: the company said
its servers had no trouble handling the email load, but it switched off outgoing email because it didn't want to spread the virus further.
But while antivirus companies scramble for attention in the midst of the Melissa publicity, the news hasn't been rosy for them. Though the companies responded within hours, desktop software simply didn't recognize Melissa, either by its fingerprints or its behavior. The virus slipped under the radar of Fortune 500 companies that hire antivirus firms for protection.
Sometimes companies were protected by software that operates at a higher level than the more familiar desktop antivirus programs, according to Computer Associates' Twilegar. CA makes such software, which checks email as it crosses companies' email servers and Internet gateway computers.
However, Twilegar acknowledged, other companies were protected simply because their desktop computers didn't use the software Melissa happened to need to spread--Microsoft's Word and Outlook.
In the long term, what Twilegar fears is not so much Melissa itself, but the number of variations it has spawned. "It is the copycat scenario that really concerns us," he said.
Among the variations that have appeared so far are as follows: W97M/Melissa.A, W97M/Melissa.B, W97M/Syndicate.A, W97M/Ping.A, X97M/Papa.A, X97M/Papa.B, W97M/Zerg.A, and W97M/MADCOW, according to antivirus researchers.
The original Melissa virus propagated widely since its introduction, spreading copies of itself from computer to computer by piggybacking on a Microsoft Word file automatically sent by Outlook.
The Papa variants used Excel. Although initially was toothless because of a malfunctioning propagation mechanism, Smith said Papa appears to have been fixed yesterday.
Syndicate.A sends email to a mailbox reporting who has been infected as it spreads, Twilegar said.
MADCOW, on the other hand, combines Melissa methods with a strategy that proved successful with the Class series of Word macro viruses, said TrendMicro's Dan Schrader. This variation hides the macro code in an unusual location of the infected Word file.
Tracking down the author
Smith has been active in tracking down the issue of how Microsoft products use a unique identifier that ships with network cards. This identifier, a string of 12 hexadecimal characters, identifies both the card manufacturer and the individual card.
The so-called globally unique identifier (GUID) is recorded in Microsoft Word and Excel files, Smith said. And when he downloaded the Word file originally used to launch the Melissa virus into the wild, he extracted the number. Microsoft since has issued a patch that will stop the software from recording the identifier and a utility that allows people to strip the information from their files.
Smith then asked for help finding if other virus files had a similar identifier. A Swede, Frederik Bjorck, answered, pointing the way to a virus Web site that had three files containing the same identifier, Smith said. Those viruses were written by an author with the code name VicodenES, he said. In addition, two other files written by an author with the code name Alt-F11 used the same computer, Smith said.
"One of these two guys here is a likely candidate for writing the virus," Smith said.
In addition, Smith found two people's names in revision logs that get inserted in Word files by the program's revision-tracking function. Smith passed along the two names, which were recorded along with many code names, to the FBI. Virus writing is often a collaborative process, he noted.
Since the Melissa outbreak and the resulting publicity, virus authors have gone another layer underground. VicodenES's viruses first were pulled from the virus Web site, Smith said, and eventually the whole site vanished.
In addition, Spanksa, the author of the Happy99 virus, posted a note that he was lowering his profile for a time, Smith said.
"They don't know what tracks they've left," Smith said.