
Papa virus




Copycat virus follows quickly on Melissa's heels 

by Michael Lattig and Dan Briody
March 29, 1999
Web posted at: 3:35 p.m. EST (2035 GMT)

(IDG) -- Network Associates has discovered an e-mail virus similar
to the Melissa virus that company officials said they
believe is even more dangerous than its predecessor.

Dubbed Papa, the new virus is an Excel virus that sends itself in
the same manner as Melissa, but sends itself to the
first 60 people in a user's address book compared to 50 with Melissa. In
addition, Papa sends an e-mail out every time the virus is activated.
Melissa only sends the message the first time it is
opened.

This time the subject line claims the message is from "all.net and Fred
Cohen." The body of the e-mail, which contains an attached document
titled "path.xls," then instructs the user not to disable the macros,
which is how the virus is activated. 

According to Sal Viveros, group marketing manager for total virus
defense at Network Associates, the most disruptive aspect of Papa is the
fact that it "pings" an as-yet-undetermined external site to make sure
there is an available Internet connection. The practice of pinging is
not unusual, but Papa pings so many times that it brings the network
down. 

The biggest concern from a corporate security standpoint is that any
document infected with the virus and then e-mailed to another party is
distributed in the same way the Melissa virus is, leaving
companies vulnerable to having confidential documents distributed
unknowingly. 

Viveros believes Papa was written by a different person than the author
of Melissa, but that it uses the original virus as a road map. This
practice of using similar mechanisms to deliver more destructive
payloads is not unusual, noted Viveros, which could mean a string of
such similar viruses could be on the way. Variants, however, should be
less disruptive because virus-detection vendors know what they
are looking for. Network Associates expects to post
software for detection and cleaning of the Papa virus by Monday
afternoon. 

The Melissa virus first sprang up in countless e-mail inboxes around
the world on Friday, replicating itself to end-user
address books and sending an exhaustive list of pornographic Web sites
to everyone therein.

According to Viveros, Melissa is the widest spreading virus he has
ever seen, hitting approximately 80 percent of Network
Associates' major customers, which amounts to almost
100 companies. A significant number of those were forced to take their
e-mail systems down.

The Melissa virus hampered -- and in some cases entirely shut down
-- e-mail systems for companies the world over.
Microsoft, for example, put a halt to all outgoing e-mails throughout
the company on Friday to guard against spreading the
virus.

At risk are Microsoft Exchange Servers running Microsoft Outlook. With
an ever-changing subject heading of "Important Message From
[end-user name]," the attachment to the e-mail is a
document entitled "list.doc" with a body of text stating, "Here is that
document you asked for ... don't show anyone else ;-)." 

Upon opening the attachment, Microsoft Word 97 will ask if you want
to disable the macros, to which you should reply yes,
or the e-mail will automatically be sent to the first
fifty names on each company mailing list.

"If you don't disable the macros, the virus resends itself to everyone
in [your] address list," said John Berard, a spokesman for Fleishman
Hillard, which was infected by the virus and inadvertently spread it
around. 

In addition, the virus automatically changes the security settings of
an infected system to the lowest possible setting, a
slick move that has IT managers wondering if they will
have to manually reset every infected PC in their enterprise.

Dan Schrader, director of product marketing at anti-virus software
maker Trend Micro, said the virus is easy to detect
and not destructive in nature. But it can cause serious bandwidth
constraints and contains several quirky characteristics.

One of those is a hidden message from the popular TV series
"The Simpsons" that is inserted into any open documents
whenever the date and the time - 2:29 on the 29th for
instance - match.

A fix for the Melissa virus is now available from most major
anti-virus software vendors.