Virus Melissa Cyber Enemy No.
1
March 26, 1999
More than 100 U.S. corporations
were hit.
Comments inside the macro virus
identify it as "Melissa...by Kwyjibo." Watch for Subject in Email "Important
Message From " and contains the sentence: "Here is that document you asked
for...don't show anyone else ;-)." the attachment is usually called list.doc.
If there is an Atachment = Paperclip Grafic or a File usually at the bottom
of the Email DELETE
it imediatly Melissa is the Word97/Word 2000 macro virus that peeks into
a user's Outlook address book, steals up to 50 addresses and sends copies
of its host documents out without the user's knowledge. The original and
most common document contains a list of Triple-X sites on the World Wide
Web. However, the virus can infect any Word 97/Word 2000 document including
those containing sensitive information, Melissa mutates After the virus
began circulating around the Internet on Friday, IT managers worked furiously
to block its spread, filtering out e-mails with the original subject line.
But now they'll need to go back to the drawing board because the new variants
could bypass protections already put in place. Already, a variant with
a blank subject line has emerged on the Internet, according to Trend Micro
Inc. Another one, using an Excel macro to spread was posted on the news
group alt.bondage and is contained in a message labeled "Urgent info inside.
Disregard macro warnings." While the new variants complicate the prescription
for network health, the most effective fix still remains the simplest:
Don't open a macro in an e-mail attachment. A poster called "Sky Roket"
launched the Melissa virus into the wilds via the newsgroup alt.sex early
Friday morning. antivirus company Network Associates said today. March
29, 1999 Electronic mail traffic was disrupted at businesses throughout
the country Friday as mail systems were overloaded by a computer virus,
dubbed Melissa by its creator, that spreads itself at lightning speed.
The extent of the disruptions is unclear, but companies ranging from Microsoft
Corp. to Intel Corp. said they had been infected. Employees at major banks
and several smaller companies said they had been affected and in some cases
had their mail systems shut down during parts of the day. Although it spreads
rapidly, overloading e-mail networks, the virus is not known to cause serious
harm, such as deleting files or scrambling information on hard disks. By
the end of the day, all major makers of anti-virus software had tools to
squash the virus available on their Web sites. ``We believe that there
are tens of thousands of people being infected already,'' said Sal Viveros,
a marketing manager at security software maker Network Associates Inc.
``It is one of the fastest-spreading viruses that we have seen.'' Viveros
said the company had received more than 100 notices from customers saying
they had been infected. Home e-mail users could be infected and may receive
a flood of unexpected messages that could overload their Internet service
provider's system. The virus is transmitted through Microsoft Word 97 attachments
to e-mail messages. Once a user activates the virus by opening the attachment,
the virus culls up to 50 names from the user's electronic address book
and sends itself automatically to those other users. The virus typically
arrives in an email headed: ``Important Message From .'' The text of the
email reads ``Here is a document you asked for. . . don't show to anyone
else ;-)'' Once a user opens it, the attachment contains a list of pornographic
Web sites. By then, damage is done, and the e-mail will have replicated
itself to up to 50 other users. The virus has one additional side effect:
If a user downloads the virus when the minute reading of the current time
matches the date of the month -- for example, at 8:26 p.m. on March 26
-- the virus inserts the following quote from cartoon character Bart Simpson
in the users document: ``Twenty-two points, plus triple-word-score, plus
fifty points for using all my letters. Game's over. I'm outta here.'' Users
can avoid spreading the virus by simply refusing to open the e-mail attachment.
Melissa virus launch identified
March 29, 1999 After Network Associates heard about Melissa from a customer,
its newsgroup-sniffing software was able to track down the point at which
the virus first emerged, Viveros said. The company knows it was the first
insertion into the world because the original file, "list.doc," had a creation
date just a bit younger than the time it was inserted. Network Associates
looked at the sex-related newsgroups because of the pornographic content
of the "list.doc" file originally used to spread the Melissa virus, Viveros
said. The file was initially posted at 4:15 a.m. Pacific time on Friday,
he said. Sky Roket apparently has posted as far back as 1997 to other sex-related
newsgroups with virus-infected files named things like "complete list of
adult sites" and "complete list of cracked Web sites." The Melissa virus
spreads using a combination of Microsoft Outlook and Microsoft Word. Major
antivirus companies posted updates for their virus-checkers on their Web
sites. However, experts cautioned that the characteristics of the virus
are changing as programmers modify the Melissa programming instructions
for their own viruses. "This is the fastest-spreading virus we've ever
seen," (Name) said. "It's all over the world--Asia, Europe, South Africa,
New Zealand, Holland." Antivirus company Symantec said the speed of the
Melissa propagation caught antivirus makers "off guard." While (Name) took
issue with the statement, saying that Network Associates had its update
available less than three hours after the company first heard of the virus,
its software didn't protect against Melissa until that update was installed.
Several of Network Associates' antivirus clients were infected with Melissa,
including one site that had 60,000 users infected on Friday and other that
had more than half a million infected emails in its system, Viveros said.
"The writer was very clever," (Name) said. "This one is spreading rapidly
because it's coming from a trusted source. Most of the other viruses use
very generic text where it's easy to identify it's not from a trusted source.
They don't spread as quickly." Melissa takes advantage of mailing lists
in Outlook. One of the characteristics of the virus-writing community is
that authors quickly adopt innovations. Indeed, Melissa.a, similar to Melissa
but with a blank subject line, has been circulating. Papa is similar, though
it uses Microsoft Excel instead of Word to propagate, but (Name) said it's
relatively toothless because the author "broke" the replication code so
it doesn't spread as effectively as Melissa. The quick-change nature of
some viruses make them similar in some way to the human immodeficiency
virus (HIV), the virus that causes AIDS. HIV's rapid mutation rate enables
it to evade new detection and treatment technologies. However, (Name) said
he was confident Network Associates' software will be able to catch future
variants of Melissa. Though Melissa won't fully work on Windows computers
without Outlook or on Macintoshes, the virus still can lie dormant on those
machines if a user opens up a Melissa-infected Word file, (Name) said.
In that scenario, Melissa would infect the computer and the template file
Word uses to create new documents. If a new Word document then were sent
to Windows user who did have Outlook and Word, a new round of Melissa mailings
could result. And this time, the file it would piggyback on would be the
new Word file instead of Melissa's original list of porn sites. That could
be bad if the new Word document were a payroll list, for example.
National Infrastructure Protection
Center Computer Virus Alert: Word/Melissa (aka W97/Melissa) Macro Virus
The National Infrastructure Protection Center (NIPC) was notified on March
26, 1999, of the proliferation of a computer virus known as the "Melissa
Macro Virus" (MMV). There have been widespread reports of propagation of
this virus into commercial, government and military e-mail gateways and
systems. The MMV has the capability of causing a denial of service and
degraded computer network performance, which could result in system administrators’
having to shut-down affected networks and e-mail servers. The NIPC has
received reports of significant network degradation and e-mail outages
at major corporations and Internet Service Providers. The NIPC has received
no reports of the virus causing any alteration of or damage to any data
contained in the infected systems. The MMV exploits a vulnerability that
exists in the Microsoft computer software applications Word 97 and Word
2000. The virus is transmitted via an attachment to innocuous e-mail messages
transmitted to unsuspecting computer users via the Internet and related
networks. The virus is activated when a user opens the infected document.
A command is immediately executed that lowers the security settings in
the Microsoft Word 97 or Word 2000 application to permit all macro files
to run and any newly created Word documents to be infected. The virus spreads
by transmitting e-mail messages containing the infected documents to addresses
contained in the infected user's e-mail address book. Corrective measures
have been developed to guard against infection by the "Melissa Macro Virus"
at the network and user level. In addition, leading virus detection utilities
(including Symantec{http://www.symantec.com}, McAfee {http://www.mcafee.com},
and Trend Micro {http://www.antivirus.com}), when updated properly after
March 26, 1999, reportedly detect and clean this type of macro viruses.
NIPC Director (Name) states, "e-mail users have the ability to significantly
change the outcome of this incident. I urge e-mail users to exercise caution
when reading their e-mail for the next few days and to bring unusual messages
to the attention of their system administrator. The transmission of a virus
can be a criminal matter, and the FBI is investigating." The MMV has significant
potential to cause more-widespread harm than it has to date. In an effort
to reduce the impact of the MMV on computer networks, users can take several
actions: As the virus requires the user to open an infected document to
continue the propagation, users should carefully check their e-mail boxes
for any message containing as part of the subject: Important Message From
If such a message is found, please contact your system administrator or
other responsible party for assistance. Users and system administrators
alike should consult reputable information sources for more assistance
on how to detect and minimize the impact of the MMV. Information on detection
and mitigation strategies can be obtained online from CERT® (the Computer
Emergency Response Team at Carnegie Mellon University) at http://www.cert.org.
The NIPC is a multi-agency organization whose mission is both a national
security and law enforcement effort to detect, deter, assess, warn of,
respond to, and investigate computer intrusions and other unlawful acts
that threaten or target our Nation’s critical infrastructures. Located
in the FBI's headquarters building in Washington, D.C., the NIPC brings
together representatives from the FBI, other U.S. government agencies,
state and local governments, and the private sector in a partnership to
protect our Nation's critical infrastructures.
Melissa virus "originator" bewildered
March 30, 1999 update The owner of an America Online account that apparently
was used to inject the Melissa virus into the wild says he had nothing
to do with it, and he is planning to close his account because of the online
giant's "lack of security." "I am a little jarred about the lack of security
that AOL has in place, and am now going to close my AOL account," (Name)
said in an email. "We are aggressively looking into it," said AOL spokeswoman
(Name). "There are a number of variables that need to be further investigated
before we can make a determination about whether it was an unwitting propagation."
Beyond that, she said AOL doesn't comment on individual users' accounts.
The Melissa virus, which was introduced in "alt.sex" newsgroups early Friday
morning, uses a combination of Microsoft's Outlook and Word programs to
spread, taking advantage of users' email address book entries to gain the
appearance of coming from a known person. The virus has the potential not
only to spread to hundreds of users its original virus-infected document,
"list.doc," but also future Word documents carrying Melissa after the initial
infection. "I am not the creator of the virus, nor did I have any part
in the distribution of the virus," (Name) said. Because of Melissa's notoriety,
Steinmetz said his email traffic jumped from 2 messages per week to 20
per hour. Among the messages are hate mail, fan mail, requests from virus
programmers for code, and requests from news organizations. The FBI is
determining whether the virus meets the requirements in the criminal code
for an investigation, FBI spokesman (Name) said today. The virus could
violate laws that forbid "the transmission of a program, information, code,
or command" that "intentionally causes damage, without authorization, to
a protected computer," (Name) said. Antivirus software companies said one
danger for Melissa damage was in overburdened email servers. However, AOL,
which handles an average of 51 million messages per day, didn't see a significant
increase in traffic, AOL's (Name) said.
In addition,
a copycat of Melissa called "Papa" was first posted in the alt.bondage
newsgroup, said Sal Viveros, group marketing manager at Network Associates.
Papa virus, which affects Excel spreadsheets. Reports of a new strain surfaced
yesterday when a similar virus called Papa, which is programmed to send
out even more e-mails than Melissa, was discovered. The virus is attached
to a Word document, so PC users have been advised not to open Word documents,
not to allow Macros and to turn on Macro guards. While systems administrators
are still trying to sort out the effect of the Melissa virus, a leading
vendor of antivirus software has discovered a similar virus that could
be even more dangerous. Network Associates late Monday said the new virus,
nicknamed Papa, is an Excel virus that is transmitted in the same manner
as Melissa. What's worse is instead of sending itself to the first 50 people
in a Microsoft Outlook address book, the virus is sent to the first 60.
Papa also sends an e-mail every time the virus is activated whereas Melissa
only sends a message the first time it is opened. E-mails containing the
Papa virus commonly contain the subject "all.net and Fred Cohen." The e-mail
also contains an Excel attachment with the file name "path.xls." Once the
attachment is opened, Microsoft Word will ask whether or not it should
disable macros. Replying yes stops the e-mail from being sent to those
listed in an Outlook address book. Network Associates said the worst thing
about Papa is the fact it "pings" an undetermined external site to ensure
an Internet connection is active. The virus pings the site so many times
that it takes down the network. It also lowers the security settings on
infected systems. Documents infected with the Papa virus are spread just
as documents infected with Melissa. Network Associates virus experts believe
Papa was not authored by the same person as Melissa, but they do believe
it was patterned after the original virus. The fact that the two do share
common traits is making it easier for antivirus software vendors to craft
a way to detect and clean them. Network Associates is currently working
on a fix for Papa and has already posted a fix for Melissa.. Systems most
at risk are Microsoft Exchange servers running Microsoft Outlook. Systems
administrators across the country were feeling the effects of Melissa Monday
and the FBI confirmed its computer crimes unit was launching an investigation
into the attack.
Melissa and Papa can only affect
computers using Outlook, rather than Outlook Express, and the Word 97/2000
and Excel programs. Melissa virus goes global How Melissa Spreads
There are now two Mutants derived
from Melissa
Mad Cow and Papab
Which so far known to act like
Melissa
The major independent antivirus
vendors now have "cures" for Melissa posted for download.
Melissa has gone World Wide
Melissa was first brought about
in alt.sex by someone useing skyrocket
the chalenge is that someone
utilized skyrocket's user name to bring about
Melissa by prduceing the List.zip
attachment
which was induced by way of
alt.sex into a users PC then to that users program then when the user loged
on to the WWW Melissa was brought about spreading and Mutating into our
Cyber World
Posted March 30th 1999