IT experts scramble to stop Melissa

As people returned to work Monday, system administrators scrambled to put safety precautions in place against the Melissa macro virus.
Written by ZDNet Staff, Contributor

IT managers across the country worked through the weekend, but the virus left few organisations untouched, in some cases hobbling businesses and government organisations. The frenetic activity paid off at United Parcel Service, for example, which spent all of Sunday preparing for the worst. "We had eight people here working most of the day Sunday," securing the company's computer systems and checking for vulnerabilities, said Marc Dodge, Internet and intranet systems manager for the package delivery company who reported success blocking the virus.

To combat the virus, companies in some cases reverted to old school techniques. "We left paper notices on everyone's desks to get them before they read their e-mail," said Dennis M. Cooper, a computer tech with software maker ObjectSpace Inc. The 250-person company found its systems infected after Smith questioned why his senior manager was sending him pornographic Web site information, a symptom of the original virus message. "We wanted to make sure that no one got on their e-mail before being notified," said Cooper.

Harry Burkart, vice president and CIO of the Public Broadcasting System in Alexandria Virginia, said his organisation prepared for Melissa as it would for any other virus -- PBS sent out a broadcast message Sunday to the approximately 2,000 users on its LAN, explaining what the virus was and how they should deal with it. As of midday Monday, Burkart had no reports of the virus getting on the LAN.

"A few" of PBS' 40 IT staffers were in the office over the weekend making sure that Norton Anti Virus software would be ready Monday morning. Burkart said he first heard about the virus on Friday. As the "Melissa" virus spread across the Internet this weekend, it caused a growing number of e-mail disruptions, prompting federal law enforcement agencies to issue a special warning. The warning from the FBI and National Infrastructure Protection Centre marked the government's first major attempt to prevent a computer disaster. In a statement issued Sunday, the NIPC, a special unit created to protect the nation's information assets, said it had received "widespread reports" that the virus has propagated into commercial, government and military e-mail gateways and systems.

Security experts characterised Melissa as the fastest-spreading computer virus they've ever encountered. They reported a mounting number of incidents, even as e-mail traffic underwent its traditional weekend slowdown. Officials of the Computer Emergency Response Team (CERT) at Carnegie Mellon University reported that by early Sunday evening more than 100 sites had been hit by the virus. "These organisations have hundreds and thousands of machines that can't get e-mail," said Jeff Carpenter, the team leader for incident response. Carpenter said he expected "a major problem" when the workforce returned to work. And although it hasn't turned out to be the end of the world as we know it, the virus continues to create challenges for IT managers. What's more, there are increasing concerns that it might `morph' into something more insidious as copycats attempt to outdo Melissa's author.

The Melissa virus is essentially a simple Word macro, which is a script for automating tasks within Word documents. It spreads when a user opens up an infected Word 8 or Word 9 document -- in either Office 97 or 2000 -- and executes the macro script. In some cases, however, the virus can even spread automatically among those users who have configured their systems not to notify them when a macro is launched.

The macro prompts Microsoft's Outlook e-mail program to send a document to the first 50 addresses in a user's address book, under the subject line "Important Message From" and then the user's name. "Here is the document that you asked for," the text inside the message reads. "Don't show anyone else ;-)." Even people who don't use Outlook are at risk. As long as Outlook is set up to send mail, the infected documents will be sent. In addition, the default Word template -- normal.dot, which acts as the basis of every new document that the user creates -- is infected with the code. Subsequent Word documents created by the user will also contain the virus.

The virus is thought to have originally spread through a posting on the alt.sex newsgroup that advertised the accompanying Word document as a list of passwords to various pornographic Web sites. A signature file included in the virus dubbed the nasty code as "Melissa" and identified the author by the handle "Kwyjibo."

While the virus spreads extremely quickly, it does little actual damage to user files. Outside of the actions taken to replicate itself, the only other modification made by "Melissa" occur when the current minutes equals the day. For example, at 6:27 p.m. on any 27th of the month, the virus will copy the following Bart Simpson quote into the current document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

"Because there's so much e-mail passing through a server, it's basically taking down the servers," said Srivats Sampath, a general manager of anti-virus firm MacAfee, a unit of Network Associates Inc.

Meanwhile, IT officials across the country are rushing to warn users of the problem, telling them not to open the document attached to the message and to update their anti-virus software. The FBI and NIPC issued its warning as a preventive measure. "E-mail users have the ability to significantly affect the outcome of this incident," said Michael Vatis, director of NIPC. "I urge (them) to exercise caution when reading their e-mail over the next few days and to bring unusual messages to the attention of their system administrator." At Microsoft, the company suspended all incoming and outgoing Internet mail Friday. "We're a victim, like any other company on the outside," said a Microsoft spokesman. The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus. "We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a "malicious macro virus." At least one division of Intel also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result.

David Perry, who billed himself as a product marketing manager from antivirus company Trend Micro Inc. on a newsgroup posting, said he was called away from his vacation to deal with clients experiencing the virus. Yet another Netizen said her husband was at work until 11 p.m. dealing the virus, which apparently had attacked Motorola Corp.'s offices in Fort Worth, Texas.

For John Merritt, one of the network support staff for the School of Public and Environmental Affairs at Indiana University, the hint that something big was happening came at around 4 p.m. on Friday. Another network administrator came to Merritt with four messages sent in by various users. "Most of the messages started from the Bloomington campus," said Merritt. "They said 'Important Message From' such and such a professor, so it looked like they were coming from a legitimate sources."

While the network began to slow down, it never stopped. Instead, soon after the e-mails were discovered, the university took down its Microsoft Exchange servers -- servers that had only been installed a few weeks before. "The system slowed down a bit, but it really wasn't a problem until we had to take it down," said Merritt. Multiply the reaction of Indiana University by hundreds, if not thousands, on Monday, and "Melissa" could rival the Cornell Internet Worm released in 1988. Still, the fixes recommended by CERT and others are fairly straightforward, and if followed, could stop the virus fairly quickly.

Indiana University installed a filter that returns any e-mail containing the virus's signature subject line to the original sender, one of CERT's recommendations. The centre also advised users to utilise virus scanners and to disable Microsoft Word macros. Yet, the quickest fix, said Indiana University's Merritt, is a healthy dose of common sense. "If your PC asks you if it is alright to run a macro, just say no," he said. "It surprises me that users hit yes, when they know nothing about the document.

David Styka, the chief financial officer for ClickNet Inc., a small software developer in San Jose, California says Melissa came to his attention after a female employee came to him, to complain about the pornographic attachment that had been forwarded to her from a customer. He thought he was dealing with a potential case of sexual harassment.

Within minutes after his MIS manager opened the file as the first step in an investigation, they realised they had a virus on their hands, and it infected computers throughout the company within minutes. He said his MIS manager was working the weekend to put the virus in check. The company shut down its mail server. "My MIS guy is going desktop to desktop to clear it out."

"This is really scary," Styka said. The reason: "I don't think anybody knows all the ramifications. Even though we're going desktop to desktop, we don't know if anyone has saved the file to their hard drive and will attempt to open it at some later date -- and start the infection all over again." What's more, he wonders, "How many customers did we accidentally send this to -- and what are they going to think when they open it up on Monday morning?"

It's a question that's on a lot of peoples' minds.

Take me to the Melissa Virus News Special.

Editorial standards