March 29, 1999 1:40 PM PST

Melissa virus spreads in Internet time

Related Stories

New Microsoft Word virus found

February 5, 1999

Debate rages over NT virus

December 23, 1998
The Melissa virus that appeared Friday caught antivirus companies flat-footed and spread in "Internet time," according to antivirus software company Symantec.

Antivirus companies such as Symantec, Network Associates, and TrendMicro immediately began work on fixes for the virus when they found out about it Friday and had antivirus updates posted within a few hours. But that wasn't enough to prevent the rapid spread of Melissa, which quickly arrived at Microsoft, Intel, and other major sites.

"It did catch the antivirus companies off guard," said Carey Nachenberg, chief researcher at Symantec's antivirus research center. He said the spread of Melissa, which actively propagates itself from computer to computer, is the fastest-spreading infectious program yet known. "This is on the top of the list," he said.

Melissa, whose source code is relatively easy to see and modify, is mutating rapidly. A relative called "Papa" has appeared, infecting Microsoft Excel files; and, perhaps even more dangerous, a variant of Melissa called Melissa.a, which is transferred via email with a blank subject line, also is showing up, TrendMicro said today.

Melissa uses a combination of Microsoft's Word and Outlook to spread from computer to computer. It can be recognized in email with the subject line "Important message from..." followed by the sender's name, and by an attached Microsoft Word file called "list.doc."

However, experts warned that these identifying characteristics could be changed relatively easily.

Microsoft shut down its outgoing Internet email service to prevent the spread of the virus from Microsoft, said spokesman Adam Sohn. "It was a better idea not to infect outside customers until we got a handle on this thing," Sohn said.

Microsoft wasn't hit hard because its employees, mostly programmers, tend to be aware of viruses How Melissa works and because the company's computer system managers quickly spread the word about the virus, Sohn said.

Though Microsoft was hit, "Our email guys did not see in any spike in traffic," and the mail servers didn't have a problem, he said.

Intel also was hit with the virus, spokesman Robert Manetta said, though he declined to say how widespread the problem was there.

Melissa can't get Macintosh computers to send out new copies of the virus, but the virus is able to infect template files on Macs, antivirus software maker TrendMicro said. That could lead to future outbreaks if a Mac user sent an infected Word document to a Windows user.

Melissa doesn't damage computers or files except under some the condition that the minute of the hour is equal to the day of the month, in which case the virus inserts into a Word document the following Bart Simpson quotation: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

However, many experts, including Nachenberg, fear more damage could come from overloaded email servers.

The attached file "list.doc" includes a list of pornographic Web sites as well as the infected macro.

Taking advantage of the virus publicity Melissa has generated, Symantec and IBM touted a new product they expect to have working in June or July. This "digital immune system for cyberspace" will automatically send suspicious code to an isolated testing lab where computers will watch how viruses propagate, create a fix, and send out an update that will allow antivirus software to be brought up to speed, Nachenberg said.

The new system will expand on current "heuristic" analysis to detect viruses by their behavior instead of by specific signatures, Nachenberg said.

The goal of the software is to quash new viruses in minutes or seconds, he said--fast enough to deal with something like Melissa.

Because the Melissa spreads itself automatically from computer to computer, it is better termed a "worm" than a virus, Nachenberg said. Melissa's author apparently appreciated this, remarking in the virus code: "Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"

Some suspected the virus was a clever marketing scheme by pornographic Web site owners, but that theory appears to be discouraged by the fact that the Web sites listed are operated by different organizations for the most part.

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.