She's back, only different

Society of monoculture spawns Melissa offspring...

Two more Melissa variants popped up this month; the latest eluded the most sophisticated anti-virus software.

IT managers wondering why variants of the Melissa virus are proliferating need only look to the field of agriculture for the answer. Farmers know that too much of the same crop is a recipe for disaster. A blight -- a virus -- can wipe out an entire field in no time. Experts call it a monoculture.

And that's what the computing environment has become: a monoculture of Windows desktops, connected by Visual Basic programming and Microsoft Office suite macro commands that are easily exploited by wilful programmers.

Melissa, which spawned in March, now circulates in about 24 versions. Two more Melissa variants popped up this month; the latest, Melissa.U (Gen1), eluded the most sophisticated anti-virus software. Experts warn many more will come. "Macro viruses such as Melissa are extremely easy to write," said Carey Nachenberg, chief researcher at Symantec's Antivirus Research Centre, in Santa Monica, California. "Anybody with a manual and a free afternoon could probably write one."

Melissa.U (Gen1) infected at least 40,000 nodes at five companies. The original Melissa grabbed the top 50 addresses off a user's Outlook address book after an infected attachment was opened and started a chain reaction that overloaded servers across the country. A variant, Melissa.U, grabbed only four addresses. But its impact was more severe, wiping out important system commands such as I/O.sys. Melissa.U (Gen1) is a further variation on that virus. "This was the first of the Melissas to get past our virus software," said Alan Hamilton, IS manager at a West Coast software company. "I guess our saving grace was, for once, people didn't open it."

Just how Melissa.U (Gen1) was created is still a mystery. Most good anti-virus software can catch variants of Melissa using two common detection methods.

The first is based on the virus' signature, a piece of code that is unique to that virus. Signature recognition is easy for virus authors to avoid, however. Change a piece of the signature, without actually changing the virus functions, and the signature recognition defence becomes moot. That's why anti-virus software vendors constantly send out software updates.

The second method, called heuristics, isn't so easy to avoid. Heuristic software, which is in use by most major anti-virus software vendors, looks for how a virus behaves -- for example, what dynamic link libraries it writes to -- rather than its specific qualities. Heuristic software, for the most part, has caught Melissa variants. A novel twist But Melissa.U (Gen1) didn't behave like the previous forms of Melissa. It used Messaging API commands for opening Outlook address books differently than a typical Melissa variant. Experts are speculating why this happened. It could be because the virus writers who set it loose were a bit more creative than were the original writers, or anti-virus software never fully eradicated the initial Melissa.U strain, according to experts.

And there's no reason that won't happen again. Macro commands, by their nature, are easy to work with. Melissa, which feeds off the macros in Microsoft software, is easy to tinker with. Probably the most disturbing thing about Melissa is its worm exploit -- that is, it has the ability to proliferate more quickly. In addition, it can be easily mutated even by amateur virus writers.

Melissa hit the industry's most popular, yet vulnerable software -- Windows, which was designed with connectivity, not security, in mind -- and it's only a matter of time before someone far more skilled and sinister takes advantage of it again. "What protects us right now," Symantec's Nachenberg said, "are people's ethics."

Take me to the Melissa Virus special.