Home & Office

'Melissa' virus infections escalate

The "Melissa" virus continued to spread across the Internet this weekend, overwhelming corporate and university mail servers.
Written by Robert Lemos, Contributor

After hobbling computer industry heavyweights such as Microsoft, Intel and Lucent Technologies on Friday, the little known macro virus rampaged through dozens of other companies during the weekend.

"We have gotten reports from 60 or 70 sites so far," said Jeff Carpenter, the team leader for incident response at Carnegie Mellon's CERT Coordination Center. "These organizations have hundreds and thousands of machines that can't get e-mail."

Anti-virus firm MacAfee, a unit of Network Associates Inc., reported that Melissa had hit 20 large companies representing over 60,000 computers. But that's nothing compared to what could happen on Monday, said CERT's Carpenter.

"When the workforce goes back to work, this is going to be a major problem," he said.

Other computer security experts are clearly apprehensive, too. "The proliferation of this virus is something we've never seen before," said Srivats Sampath, general manager of Network Associates' McAfee unit.

"Because there's so much e-mail passing through a server, it's basically taking down the servers," Sampath said.

Melissa the Dominatrix

The Melissa virus is essentially a simple Word macro, which is a script for automating tasks within Word documents.

It spreads when a user opens up an infected Word 8 or Word 9 document -- in either Office 97 or 2000 -- and executes the macro script. In some cases, however, the virus can even spread automatically among those users who have configured their systems not to not notify them when as macro is launched.

The most devious aspect of "Melissa" is how it infects.

The macro prompts Microsoft's Outlook e-mail program to send a document to the first 50 addresses in a user's address book, under the subject line "Important Message From" and then the user's name. "Here is the document that you asked for," the text inside the message reads. "Don't show anyone else ;-)."

Even people who don't use Outlook are at risk. As long as Outlook is set up to send mail, the infected documents will be sent. In addition, the default Word template -- normal.dot, which acts as the basis of every new document that the user creates -- is infected with the virulent code. Subsequent Word documents created by the user will also contain the virus.

The virus is thought to have originally spread through a posting on the alt.sex newsgroup that advertised the accompanying Word document as a list of passwords to various pornographic Web sites. A signature file included in the virus dubbed the nasty code as "Melissa" and identified the author by the handle "Kwyjibo."

Little damage, but spreads fast

While the virus spreads extremely quickly, it does little actual damage to user files. Outside of the actions taken to replicate itself, the only other modification made by "Melissa" occur when the current hour equals the current date. For example, at 2:27 p.m. on March 27 the virus will copy the following Bart Simpson quote into the current document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

"The most severe damage we see here is stopping an organization's e-mail servers -- essentially a denial of service," said CERT's Carpenter.

Network managers scrambling

Meanwhile, IT officials across the country are rushing to warn users of the problem, telling them not to open the document attached to the message and to update their anti-virus software.

At Microsoft, the company suspended all incoming and outgoing Internet mail Friday. "We're a victim, like any other company on the outside," said a Microsoft spokesman.

The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus. "We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a "malicious macro virus."

At least one division of Intel also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result.

David Perry, who billed himself as a product marketing manager from antivirus company Trend Micro Inc. on a newsgroup posting, said he was called away from his vacation to deal with clients experiencing the virus. Yet another Netizen said her husband was at work until 11 p.m. dealing the virus, which apparently had attacked Motorola Corp.'s offices in Fort Worth, Texas.

Universities hit, too

For John Merritt, one of the network support staff for the School of Public and Environmental Affairs at Indiana University, the hint that something big was happening came at around 4 p.m. on Friday.

Another network administrator came to Merritt with four messages sent in by various users. "Most of the messages started from the Bloomington campus," said Merritt. "They said 'Important Message From' such and such a professor, so it looked like they were coming from a legitimate sources."

While the network began to slow down, it never stopped. Instead, soon after the e-mails were discovered, the university took down its Microsoft Exchange servers -- servers that had only been installed a few weeks before. "The system slowed down a bit, but it really wasn't a problem until we had to take it down," said Merritt.

Multiply the reaction of Indiana University by hundreds, if not thousands, on Monday, and "Melissa" could rival the Cornell Internet Worm released in 1988.

Help stations on the Internet

Still, the fixes recommended by CERT and others are fairly straightforward, and if followed, could stop the virus fairly quickly.

Indiana University installed a filter that returns any e-mail containing the virus's signature subject line to the original sender, one of CERT's recommendations. The center also advised users to utilized virus scanners and to disable Microsoft Word macros.

Yet, the quickest fix, said Indiana University's Merritt, is healthy dose of common sense. "If your PC asks you if it is alright to run a macro, just say no," he said. "It surprises me that users hit yes, when they know nothing about the document.

David Styka, the chief financial officer for ClickNet Inc., a small software developer in San Jose, Calif., says Melissa came to his attention after a female employee came to him, to complain about the pornographic attachment that had been forwarded to her from a customer. He thought he was dealing with a potential case of sexual harrassment.

Within minutes after his MIS manager opened the file as the first step in an investigation, they realized they had a virus on their hands, and it infected computers throughout the company within minutes.

He said his MIS manager was working the weekend to put the virus in check. The company shut down its mail server. "My MIS guy is going desktop to desktop to clear it out."

"This is really scary," Styka said. The reason: "I don't think anybody knows all the ramifications. Even though we're going desktop to desktop, we don't know if anyone has saved the file to their hard drive and will attempt to open it at some later date -- and start the infection all over again."

What's more, he wonders, "How many customers did we accidentally send this to -- and what are they going to think when they open it up on Monday morning?"

It's a question that's on a lot of peoples' minds.

Additional reporting for this story by Lisa Bowman, Patrick Houston, Charles Cooper and Sean Silverthorne of ZDNN, and Mary Jo Foley of Sm@rt Reseller.

Editorial standards