Melissa mutates: Virus variants detected

The Melissa virus is already mutating into more destructive variants, confirming the worst fears of computer security experts.

One incarnation of the virus spreading around the Internet does not contain the "Important Message From" subject line that has identified Melissa. Yet another version employs an Excel macro which would similarly bypass barriers put in place over the weekend by network administrators. The latest developments are heightening concern among computer security officials, who fear that the macro virus could develop multiple personalities as hackers further tweak the code. "It looks like these guys -- the virus writers -- are trying to one-up each other," said Dan Schrader, director of product marketing at Trend Micro, an anti-virus software firm.

After the virus began circulating around the Internet on Friday, IT managers worked furiously to block its spread, filtering out e-mails with the original subject line. But now they'll need to go back to the drawing board because the new variants could bypass protections already put in place. What's more, computer security experts warn that the Melissa clones could easily be created to carry more lethal payloads.

Above all, they say that it wouldn't be hard to create a variant of Melissa that uses MAPI, an e-mail standard, to create a virus that spreads by co-opting functions in all e-mail programs. The original Melissa just targets Microsoft's Outlook mail software. The virus is largely a simple Word macro -- a script for automating tasks within Word documents. Melissa generally spreads when a user opens up an infected Word 8 or World 9 document -- in either Office 97 or 2000 -- and gives permission to execute the included macro script. The most devious -- if not original -- aspect of "Melissa" is how it infects. If the user has Microsoft's Outlook mail client, the macro sends the document to the top 50 addresses in user's address book, appending the subject line "Important Message From" and then the username of the apparent sender. The body of the message has the text, "Here is the document that you asked for -- don't show anyone else ;-)" and the current file is attached. Since the first 50 addresses in Outlook databases tend to be e-mail groups, the virus can spread to hundreds of users at a time.

There's a risk even if the user does not normally use Outlook. Security experts say that as long as Outlook is set up to send mail on the user's system, the infected documents will get sent. In addition, the default Word template -- which acts as the basis of every new document that the user creates -- will get infected with the virulent macro code. Subsequent Word documents created by the user will also contain the virus. The virus does little damage to users' personal systems. But because it propagates so widely, Melissa can overwhelm e-mail servers.

New variants are changing all the rules. New macro viruses could have different subject lines, use non-Word macro scripts, spread through all e-mail clients, and be far more destructive. Already, a variant with a blank subject line has emerged on the Internet, according to Trend Micro Inc. Another one, using an Excel macro to spread was posted on the news group alt.bondage and is contained in a message labeled "Urgent info inside. Disregard macro warnings."

An early look at Excel variant indicates it used an e-mail standard known as MAPI to manipulate several different messaging software programs, not just Outlook, as Melissa does. Also, opening the spreadsheet triggers 60 e-mails to a user's address book, ten more than the Melissa virus. While the new variants complicate the prescription for network health, the most effective fix still remains the simplest: Don't open a macro in an e-mail attachment, said John Merritt, one of the network support engineers at Indiana University's School of Public and Environmental Affairs. Merritt and others found and blocked the original Melissa virus on Friday. "If your PC asks you if it is alright to run a macro, just say no," he said. "It surprises me that users hit 'yes,' when they know nothing about the document."