Epidemic virus infects corporate e-mail

A number of Microsoft Corp. Outlook/Exchange customers -- including Microsoft and Intel Corp. -- are being hit hard by a macro virus that is replicating infected pornography-related information throughout corporate email systems.
Written by Lisa M. Bowman, Contributor and  Mary Jo Foley, Senior Contributing Editor

The virus, which was identified by Network Associates Inc. (Nasdaq:NETA) as 'Melissa,' originated in Western Europe and was first discovered on the alt.sex newsgroup. Computer security experts said the virus wreaked havoc with corporate e-mail as it sped across the Internet on Friday.

"The proliferation of this virus is something we've never seen before," said Srivats Sampath, general manager of Network Associates' McAfee unit.

"Because there's so much e-mail passing through a server, it's basically taking down the servers," Sampath said. He added that twenty large companies had been infected by late afternoon, including one that saw 60,000 users affected.

At Microsoft (Nasdaq:MSFT), the company suspended all incoming and outgoing Internet mail Friday.

"We're a victim, like any other company on the outside," of this virus, said a Microsoft spokesman.

The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus.

"We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

At least one division of Intel Corp. (Nasdaq:INTC) also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result.

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a 'malicious macro virus.'

The Melissa virus propagates via e-mail. Attached to the e-mail is a Word file that, if opened, launches a macro that replicates a message to the first 50 names in the recipient's Outlook address book. The subject line reads: "important message from," followed by a user name. The body consists of a text message that says, "Here is that document you asked for... don't show anyone else;-)." The infected documents reportedly contain information on porn Web sites.

The virus specifically affects Outlook and does not trigger the multiple e-mails on other messaging platforms, such as Lotus Notes. However, people using e-mail software other than Outlook may be able to spread affected files by sending them to Outlook users, experts said.

McAfee added the virus to its virus database Friday. More information on the virus is can be found on McAfee's site.

"It sounds pretty sophisticated," said Peter Deegan of Woody's Office Watch, who'd been notified of the virus but hadn't seen it.

He said the virus sounded unusual because of its effect on mail servers. Usually, such viruses attack individual machines, but this one apparently can overload mail services by sending out repeated messages.

People cannot get the virus by merely opening up a message, only by opening the attached document. "Always be careful of anything that arrives by e-mail," he said.

The virus also appears to turn off Office's macro protection, which could leave users more vulnerable to future viruses. After cleansing their machines of the virus, those affected might need to reactivate the macro protection.

In another twist, the virus causes a specific phrase to pop up when the time of day, matches the date (for example, at 3:26 on March 26). The phrase reads: "Twenty-two points plus triple word score, plus 50 points for using all my letters. Game's over. I'm out of here."

Right now, that feature is benign, but security experts say it could be used to delete files if a malicious hacker creates another version of the virus.

Antivirus software vendor TrendMicro noted on its Web site that the so-called W97M_Melissa virus can attack via both Word 97 and Word 2000 documents. If the virus attacks via Word 2000, says TrendMicro, "it will lower the security setting to the lowest level by modifying the registry and will disable the Word menu commands (MacroSecurity) which allows the user to reinstate security settings."

"This is spreading faster than any virus we've seen before, because we've only seen a few e-mail-activated viruses in the wild before this," noted Dan Schrader, director of product marketing at TrendMicro.

Schrader said the best way for companies to stamp out Melissa is to run virus protection software at the server, not the desktop, level. TrendMicro says it already updated all of its products to detect this virus as of today. The company also is offering a free service on its Web site, allowing administrators and customers to scan their machines for any virus, including Melissa.

Additional reporting by ZDNN's Charles Cooper and Sm@rt Reseller's Deborah Gage.

Editorial standards