Melissa threat triggers manhunt

The 'Melissa' macro virus that forwards files to other e-mail addresses may be passing more than a Word file with porn sites listed inside. Virus experts say it could be surreptitiously e-mailing confidential information, too.
Written by ZDNet Staff, Contributor

"We have had several calls from industry lawyers and government representatives that are worried that this could happen," said Jeff Carpenter, team leader for the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

How could 'Melissa' purloin classified documents? The virus infects the default Word template -- called normal.dot. Every new document created on an infected PC carries the virus. So imagine creating a confidential document -- say, SECRETPLANS.DOC. If it's created on an infected system and then sent to a trusted colleague, the file would find itself being passed on to the top 50 entries in your colleague's address book, as per the scripted instructions of the Melissa Word macro. "The possibility of passing along confidential information is a scary new twist," Carpenter said.

This new wrinkle may have served as the impetus for federal law enforcement officials to send out on Sunday their first-ever warning about a computer virus. The Federal Bureau of Investigation has joined with the infant National Infrastructure Protection Centre to issue a warning in an attempt to stem the tidal wave of email that Melissa is expected to generate.

At the same time, law enforcement officials attempting to apprehend the author of the Melissa virus may be able to track their prey by examining a little-known piece of electronic code. The FBI, which confirmed it is conducting an investigation, declined further comment. But in searching for a veritable needle in a cyber haystack, investigators could be aided by an electronic fingerprint called the Global Unique Identifier, or GUID. This technology dates from the days when Microsoft created a linking technology to bring together a variety of data files into a single document, according to Richard M. Smith, president of software tools developer Phar Lap Software Inc.

The identifier was a safety precaution to find documents whose links had been broken. Yet, the GUID also includes a variety of PC-specific information, such as the Ethernet adapter address, which can uniquely identify the particular PC on which the document was created. "There is a slim chance that this could be used to catch the writer (of the Melissa virus)," said Smith. "However, it could be used as additional evidence at a trial."
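As an added illustration (not from the article or from Smith's own analysis), the Python example below shows how an examiner could pull an adapter address and its manufacturer prefix out of GUIDs found in a file. It assumes the GUIDs are time-based (version 1) identifiers in the layout later standardized as RFC 4122 and are stored as ASCII text; the sample bytes and the names `adapter_info` and `scan` are constructed for this example.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Textual GUID form: 8-4-4-4-12 hex digits (assumed to be stored as ASCII).
GUID_RE = re.compile(
    rb"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)
# Version-1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def adapter_info(guid_text):
    """Return adapter details from a time-based GUID, or None if it carries none."""
    u = uuid.UUID(guid_text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # random or name-based GUIDs hold no hardware address
    octets = u.node.to_bytes(6, "big")
    if octets[0] & 0x01:
        return None  # multicast bit set: node was generated randomly, not read from an adapter
    return {
        "guid": str(u),
        "mac": ":".join(f"{b:02x}" for b in octets),
        "oui": octets[:3].hex().upper(),  # manufacturer prefix of the adapter address
        "created": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
    }


def scan(blob):
    """Find every textual GUID in raw file bytes and decode those that identify an adapter."""
    found = []
    for match in GUID_RE.finditer(blob):
        info = adapter_info(match.group().decode("ascii"))
        if info and info not in found:
            found.append(info)
    return found


# Constructed sample bytes, not taken from a real document. The first GUID uses an
# address from the range reserved for documentation; the second is version 4 (random).
SAMPLE = (
    b"\x00\x01GUID={EAE94000-A10C-11D2-8000-00005E005301}\x00\x00"
    b"other 550e8400-e29b-41d4-a716-446655440000 data"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["guid"], hit["mac"], hit["oui"], hit["created"].isoformat())
```

A GUID whose version is not 1, or whose address has the multicast bit set, says nothing about the originating hardware, which is why both cases are skipped rather than reported.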

The little-known software identifier gained notoriety in the wake of an increased sensitivity to such technology after Intel announced plans in late January to include an electronically accessible processor ID in every Pentium III chip. In Microsoft's case, the GUID was not intended to track people at all, said Smith -- its ability to do so was just a side effect.

Smith said he was able to uncover the unique Ethernet adapter address and manufacturer's ID from the GUID left in the document and two other identifiers left in the macro itself. By itself, Melissa is largely harmless. But on PCs using Microsoft Outlook, a single Melissa virus sends copies of itself to the first 50 users in an address book. Because Outlook tends to put e-mail groups at the top of the list, in effect the virus is being forwarded hundreds of times by a single user.

Left unchecked, Melissa could overwhelm corporate, government, and military e-mail gateways, according to computer security experts.
