Virus on "Important Message From.." attachment

Susan Ervin-Tripp ervin-tr at cogsci.Berkeley.EDU
Sun Mar 28 18:52:32 UTC 1999


Virus:
Trash "List.doc" attached to "Subject: Important message from..."

By MATT RICHTEL NY Times March 28, 1999

SAN FRANCISCO -- A rapidly spreading computer virus forced
several large corporations to shut down their e-mail servers on
Friday night as it rode the Internet on a global rampage,
several leading network security companies reported Saturday.

The security companies said early reports of the virus, which is
carried by e-mail, led them to believe that tens of thousands of
home and business computers had been infected on Friday alone.
The virus reproduces itself exponentially, they said, trying to
use each infected message to send 50 more infected messages.

"This is the fastest-spreading virus we've seen," said Srivats
Sampath, general manager for the McAfee Software division of
Network Associates, a Santa Clara company that makes anti-virus
software.

Network security experts said that the virus appeared to do no
harm to the machines it infected and that individuals could
easily disable it. But they said its purpose is to interrupt
networks by replicating itself so rapidly that it overwhelms
networks and e-mail servers, the electronic post offices that
direct message traffic.

E-mail infected with the virus, which its creators call Melissa,
has a topic line that begins, "Important Message From." Next is
the sender's name, which is often the name of a friend, fellow
worker or someone else known to the recipient.

The message within the e-mail is short and innocuous: "Here is
that document you asked for ... don't show anyone else ;-)"
Attached to it is a 40,000-byte, or 40K, Microsoft Word document
named list.doc.

When the recipient opens list.doc, the Melissa virus
automatically searches for an e-mail address book. It then sends
a copy of itself -- the message and attachment -- from the
recipient to the first 50 names it finds in the recipient's
address book, which accounts for the rapid acceleration across
the Internet.

The virus is known to spread rapidly with two popular e-mail
programs, Microsoft Outlook and a slimmed-down version of the
same program, Microsoft Outlook Express, which is part of the
Windows 98 operating system and is often installed with Windows
95.

Network security administrators said they had seen no evidence
that Melissa was able to open and use the address books in other
e-mail programs, but they did not rule out the possibility that
it could and would do so.

Several anti-virus software makers posted software on their Web
sites that their customers can download to detect the
virus-encoded message and refuse it.

A fix for the general public was available on www.sendmail.com,
the Web site of Sendmail, the Emeryville company whose
post-office software is often used to direct mail on the
Internet.

Eric Allman, a co-founder of Sendmail, said he was concerned
that the problem would worsen on Monday morning when employees
find these messages in their e-mail in-boxes. "This will get
into a lot of mail boxes and lay dormant," he said. "When
employees come in at 8 a.m. and read these messages, it will
cause an explosive growth of the virus."

Allman characterized the virus' virulence as "not the worst I'd
seen, but it's pretty bad." He added, however, that it appeared
to be the fastest-replicating virus he had seen.

Individuals can avoid contracting or spreading the virus simply
by not opening the attachment that accompanies the e-mail.
Opening the message alone will not cause the virus to copy the
address list and send itself out.

Alternatively, users can disarm the virus by disabling the type
of program that contains it -- "macros," which are small
applications used to automate tasks in Microsoft Word documents.
Disabling macros in Microsoft Word will render the virus
ineffective.

Officials from Microsoft said they were not certain of the
magnitude of the virus and emphasized that it could be easily
disarmed. Adam Sohn, a company spokesman, said, "If folks are
careful about what runs on their machine, they'll always be
fine."

The virus overwhelmed employees on Friday at GCI Group, a public
relations firm with offices throughout the United States.

One contract employee, who exchanges mail with a number of
company employees, said she received more than 500 messages
during the day.

"It hosed my entire day," said the employee, Leigh Anne Varney.
"You can't print the words I used. I've never had this happen
before."

This hardly is the first virus to attack and spread
automatically via e-mail, but it is the first to move from being
a controlled, essentially experimental form "into the wild,"
said Dan Schrader, director of product marketing for Trend
Micro, an anti-virus software maker in Cupertino.

The rapid spread of the program was reminiscent of a 1988
program, known as a worm, written by Robert Tappan Morris, then
a graduate student in computer science at Cornell University.
Morris' program spread through the Internet with remarkable
speed, ultimately disabling more than 6,000 computers.

However, the Internet was tiny in 1988 compared with the size of
today's network. As a result the potential for the spread of the
program is truly vast.

"We haven't seen anything impact this many people on the
Internet in a long time," said Schrader. He said that three of
his company's customers had temporarily shut down their e-mail
servers to delete the infected mail.

Whoever wrote the virus also left the message "W97M -- Melissa."
The note said the virus was created by "Kwyjibo," which Trend
Micro officials speculated is a reference to the television show
"The Simpsons." In an episode of the Simpsons titled "Bart the
Genius," Bart Simpson wins a Scrabble game by using the "word"
Kwyjibo.

The theory dovetails with a second impact of the virus: Once the
virus has infected a computer, it will type a message on the
screen when the time of day corresponds to the date (on March 26
it would be 3:26). The message reads: "Twenty-two points, plus
triple-word-score, plus 50 points for using all my letters.
Game's over. I'm outta here."
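
The article says anti-virus vendors posted software to detect the virus-carrying message and refuse it. As an added example (not part of the original post or article, and not any vendor's actual filter), the following sketch checks a raw e-mail for the three traits the article describes: the subject prefix, the body text and the list.doc attachment. The function names, the two-indicator threshold and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's description of the message.
SUBJECT_PREFIX = "important message from"
BODY_PHRASE = "here is that document you asked for"
ATTACHMENT_NAME = "list.doc"

def melissa_indicators(raw_message):
    """Return which of the described traits a raw RFC 5322 message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # Collapse folding whitespace and compare case-insensitively.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT_NAME:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            text = " ".join(part.get_content().split()).lower()
            if BODY_PHRASE in text:
                hits.append("body")
    return hits

def should_quarantine(raw_message):
    # Assumed policy: one trait alone (e.g. any file called list.doc) is too
    # weak, so require at least two distinct traits before refusing the mail.
    return len(set(melissa_indicators(raw_message))) >= 2

def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "colleague@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="msword", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Important Message From Jane Doe",
                          "Here is that document you asked for ... don't show anyone else ;-)",
                          "list.doc")
    print(melissa_indicators(sample), should_quarantine(sample))
```

Matching on fixed strings only catches the message exactly as described; a renamed attachment or reworded subject would pass, which is why the article's other advice (not opening the attachment, disabling Word macros) still matters.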
