X
Home & Office

Virus morphs into 'Mad Cow'

Yet another variant of the Melissa virus has surfaced on the Internet, this one with the subject line "Mad cow joke."
Written by ZDNet UK, Contributor

The new mad cow joke virus is unrelated to other so-called Mad Cow viruses that have surfaced in the past, according to anti-virus company Trend Micro Inc. The new virus is similar to Melissa in that it surfaces when users open a Word document attached to an e-mail, triggering e-mail to the top entries in an Outlook user's address book.

Unlike Melissa, which sends out 50 messages, this one sends out only 20. Also, it is a member of a group of viruses known as "class viruses," which store code in a different -- and harder-to-detect -- portion of a Word document.

The virus comes with a subject line "Mad cow joke," a body containing the words "beware of the speed of the Mad cow," and an attached file called madcow.doc. The virus' creator even tipped his or her hat to Melissa. The last lines of code in the Mad cow virus reads: "word/veronicathankstoword/ melissaandword/class."

Trend Micro hasn't heard from anybody who's seen the virus in action, but officials there believe they will shortly. "I think it's going to show up affecting people," said Dan Schrader, Trend Micro's product manager. Schrader believes a host of variant viruses will surface in the wake of Melissa. "We're going to see a lot of them," Schrader said. "It's unfortunate these guys need to copycat." Most anti-virus firms have updated their software to ward off variants. "When viruses become popular, other hackers use them as a roadmap," said, Sal Viveros, group marketing manager for Network Associate Inc.'s anti-virus products.

Because those roadmaps in the variants are similar to the original virus, most anti-virus software can detect and exterminate them.

Most viruses created never reach actual users. Of the 35,000 to 40,000 viruses created by both researchers and malicious hackers, only 200 to 300 ever pass through innocent users' computers, according to Symantec Corp., another anti-virus firm. "The vast majority of viruses are not ever deployed or released," said Carey Nachenberg, chief researcher at Symantec's anti-virus research centre.

Although the source code for many viruses is easy to get, making copying them relatively simple, the ramifications of sending out a virus as destructive as Melissa discourages many hackers from doing so. The FBI has launched a widespread search for Melissa's creator, whom officials said could face as many as 10 years in jail and $350,000 in fines.

Meanwhile, anti-virus researchers also are learning new details of the so-called Papa virus, a Melissa variant that is carried by Excel documents and sends out 60 e-mails when opened. The virus contains the subject line "Fwd: Workbook from all.net and Fred Cohen" and a body reading "Urgent info inside. Disregard macro warning." The Papa virus first surfaced Monday, but after studying it, researchers found a glitch that kept it from working, rendering it "sterile."

But Tuesday, someone apparently had fixed that glitch, and the newer, virulent strain of virus -- "Papa B" -- was reportedly on the loose. Anti-virus software maker Network Associates said it's had reports of Papa B hitting at least one Fortune 100 company and two large firms in Europe. When opened, the virus also pings -- or, repeatedly hits -- two Web sites, one run by anti-virus expert Fred Cohen, the subject of the virus message, and @Home.

Cohen suspects a group of hackers created the virus to target him because he fingered them in another virus, which was called Caligula. "They have made threats over the last several weeks," Cohen said. To protect himself from such attacks, Cohen said he simply says "no" to any attachment that comes his way. Still, he believes that Microsoft Corp. cuts too many security corners in Windows, oversights that could lead to more breaches. The Melissa virus and its variants have been carried through Microsoft documents.

"We are building a house of cards and it is going to be blown down every so often," he said.

ZDNN's Rob Lemos contributed to this story.

Editorial standards