[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Feds issue warning as email virus spreads



This NEWS.COM (http://www.news.com/) story has been sent to you from  lk@internet.ms.

Message from sender:
   This might be interesting for everybody.
-------------------------------------------------------
Feds issue warning as email virus spreads
By Kim Girard and Stephen Shankland
March 29, 1999, 7:40 a.m. PT
http://www.news.com/News/Item/0%2C4%2C34352%2C00.html?sas.mail

A tricky new computer virus spreading across the Internet  continued to paralyze corporate email systems across the globe this  morning as experts grappled with how to stop it.  

  Network managers moved quickly over the weekend to control the virus,  called W97M Melissa, which takes advantage of users' email address books to  replicate extremely quickly.  

  As reported previously by CNET  News.com, once activated, W97Melissa, uses a combination of Microsoft Word macros and Microsoft  Outlook on a user's PC to send copies of a list of 80 pornographic Web  sites. It works with either Word 97 or Word 2000, according to antivirus  companies TrendMicro, Symantec, and Network Associates.

    The program is somewhat devious in that it sends itself from the email  addresses of people who are likely to be familiar contacts, arriving as  email with the subject line "Important message from..." followed by the  sender's name. The body says "Here is that document you asked for...don't  show anyone else ;-)." The email includes an attached Word file "list.doc,"  which includes the porn sites' addresses.

    

    It could take more than several days to get the virus under control,  experts said. TrendMicro is warning that 20 to 30 variants of the virus  could show up by tomorrow, making filtering the virus at the email server  level even more difficult.

    "This has the potential to get worse before it gets better," said Jeff  Carpenter, team leader of Carnegie Mellon's Computer Emergency Response Team  (CERT). As of last night, more than 100 organizations had called CERT for  help, he said. "We've never seen something spread like this before."

    Carpenter said companies are taking steps to combat the virus by posting  warnings for employees on their front-door entrances, rolling out new  versions of         antivirus packages to protect PCs, advising employees not to  open email attachments from users they do not know, and disabling macros in  Microsoft Word.

    Over the weekend, CERT issued an advisory detailing how users can combat Melissa.

    Carpenter said companies such as law firms and accounting firms are  particularly wary about the risk, as confidential information from a word  document can leak out via email as a result of the virus.  

      The virus doesn't appear to cause any damage to infected computers except  in rare cases when the minutes of the current time match the date--for  example at 4:26 p.m. on March 26. In this instance, the virus will insert  the Bart Simpson quotation, "Twenty-two points, plus triple-word-score,  plus fifty points for using all my letters. Game's over. I'm outta here,"  into a user's active document.

    Because the virus sends itself to potentially thousands of contacts  contained in a user's address distribution list, however, there's a  possibility that the virus could overwhelm mail servers. Users won't get  the virus by opening up a message, only by opening the attached document.  Experts are warning people not to open documents attached to messages from  people they don't know.

    Even the FBI and the National  Infrastructure Protection Center have issued  an unprecedented public warning about the virus. Michael Vatis, director of the NIPC, stated in a memo, "Email users have the ability to significantly  affect the outcome of this incident. I urge [them] to exercise caution when reading their email over  the next few days and to bring unusual messages to the attention of their system  administrator."  

        The virus first was spotted last Friday, according to TrendMicro and  others. It is believed to have originated in Western Europe and was first  discovered on the alt.sex newsgroup.

      "We've been swamped all day with customers calling in with this," said  Dan Schrader, director of product marketing at TrendMicro, when contacted  last Friday. "It's spreading  extremely quickly. Twenty major corporate sites have called us."

    Melissa is similar to an "autospam" virus called "Share Fun" that emerged  in March 1997, Schrader said, but that virus was buggy and not as  effective. There have been viruses that spread through the address books in  the past, "but never this effectively," Schrader said.

    Network Associates estimated the virus has already hit hundreds of  thousands of computers. Microsoft  shut down outbound mail so it wouldn't impact customers or partners last  Friday. However, after installing filtering software         the company resumed  outbound mail service. Waggener Edstrom, Microsoft's public relations  agency, also got hit by Melissa, which brought the agency's email system  down.  Intel was hit internally as well.  

  Twenty of Network Associate's largest clients were infected; one firm alone  said it had reached 60,000 computers. "The propagation rate has been  alarming," a company spokesperson said.  

  Tom Moske, a network administrator at USWeb/CKS, ran into the virus this  afternoon when the virus spread itself from people in his company who had  opened the attachment.

    And he had cause to appreciate the devious nature of the virus, since it  spread from employees in his company to the business clients of  USWeb/CKS.

    "It's the most intrusive I've ever seen," he said. "This is worldwide  spam."

    TrendMicro said the virus can be detected using its free Web-based "house call" service.

    Because the virus spreads itself automatically, it could be termed a  "worm." The author apparently appreciated this, remarking in the virus  code: "Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!"

  


-------------------------------------------------------

----------
Archives located at:
http://www.meteoritecentral.com/list_best.html

For help, FAQ's and sub. info. visit:
http://www.meteoritecentral.com/mailing_list.html
----------