A Year Ago: Epidemic virus infects corporate email

Originally published Sat, 27 Mar 1999 10:18:02 GMT
Written by Lisa M. Bowman, Contributor and  Mary Jo Foley, Senior Contributing Editor

A number of Microsoft Outlook/Exchange customers -- including the software giant itself and Intel -- are being hit hard by a macro virus that is replicating infected pornography-related information throughout corporate email systems

The virus, which was identified by Network Associates as "Melissa", originated in western Europe and was first discovered on the alt.sex newsgroup. Computer security experts said the virus wreaked havoc with corporate email as it sped across the Internet on Friday.

"The proliferation of this virus is something we've never seen before," said Srivats Sampath, general manager of Network Associates' McAfee unit.

"Because there's so much email passing through a server, it's basically taking down the servers," Sampath said. He added that 20 large companies had been infected by late afternoon, including one that saw 60,000 users affected.

At Microsoft, the company suspended all incoming and outgoing Internet mail Friday. "We're a victim, like any other company on the outside," said a Microsoft spokesman.

The spokesman said Microsoft's product support division has been in contact all day via email and phone with customers and partners to alert them about the virus. "We made an IT decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

At least one division of Intel also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's email servers had gone down as a result.

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a "malicious macro virus".

The Melissa virus propagates via email. Attached to the email is a Word file that, if opened, launches a macro that replicates a message to the first 50 names in the recipient's Outlook address book. The subject line reads "Important message from", followed by a user name. The body consists of a text message that says, "Here is that document you asked for... don't show anyone else;-)." The infected documents reportedly contain information on porn Web sites.

The virus specifically affects Outlook and does not trigger the multiple emails on other messaging platforms, such as Lotus Notes. However, people using email software other than Outlook may be able to spread affected files by sending them to Outlook users, experts said.

McAfee added the virus to its database Friday. More information on the virus is can be found on McAfee's site.

"It sounds pretty sophisticated," said Peter Deegan of Woody's Office Watch, who'd been notified of the virus, but hadn't seen it. He said the virus sounded unusual because of its effect on mail servers. Usually, such viruses attack individual machines, but this one apparently can overload mail services by sending out repeated messages.

People cannot get the virus by merely opening up a message, only by opening the attached document. "Always be careful of anything that arrives by email," he said.

The virus also appears to turn off Office's macro protection, which could leave users more vulnerable to future viruses. After cleansing their machines of the virus, those affected might need to reactivate the macro protection.

In another twist, the virus causes a specific phrase to pop up when the time of day, matches the date (for example, at 3:26 on March 26). The phrase reads: "Twenty-two points plus triple word score, plus 50 points for using all my letters. Game's over. I'm out of here."

Right now, that feature is benign, but security experts say it could be used to delete files if a malicious hacker creates another version of it.

Antivirus software vendor TrendMicro noted on its Web site that the so-called W97M_Melissa virus can attack via both Word 97 and Word 2000 documents. If the virus attacks via Word 2000, says TrendMicro, "it will lower the security setting to the lowest level by modifying the registry and will disable the Word menu commands (MacroSecurity), which allows the user to reinstate security settings."

"This is spreading faster than any virus we've seen before, because we've only seen a few email-activated viruses in the wild before this," noted Dan Schrader, director of product marketing at TrendMicro.

Schrader said the best way for companies to stamp out Melissa is to run virus protection software at the server, not the desktop, level. TrendMicro says it already updated all of its products to detect this virus as of today. The company also is offering a free service on its Web site, allowing administrators and customers to scan their machines for any virus, including Melissa.

Additional reporting by ZDNet US's Charles Cooper and Sm@rt Reseller's Deborah Gage.

Take me to the Melissa Virus special.

What do you think? Tell the Mailroom and read what others have to say.

Editorial standards