
Melissa mutates, becomes resistant to patch




March 30, 1999 Web posted at: 11:32 a.m. EST (1632 GMT)
by Kathleen Ohlson and Ann Harrison 

(IDG) -- As corporate customers scramble to protect themselves from the
"Melissa" virus, it has begun to mutate and defeat a widely used patch,
one industry watcher said. 

The new, quick-spreading virus called Melissa has been wreaking havoc
since Friday afternoon, the Computer Emergency Response Team (CERT) at
Carnegie Mellon University in Pittsburgh reported. 

In its early going, the virus could be known by its distinctive subject
header, which read "Important Message From ..." But now a variant of the
virus leaves the subject line blank, according to Dan Schrader, director
of product marketing at Trend Micro Inc., a Cupertino, Calif., developer
of virus protection tools. Schrader said the patch, issued by
www.sendmail.com, "very quickly becomes invalid for companies depending
on that filtering technology."

The variant, called W97M_MELISSA.A, keeps the sendmail patch from
detecting, blocking or removing the mutated virus. Schrader said he
expects to see more new versions of the Melissa virus appear to corrupt
mail files in any environment. He suggested that companies contact their
antivirus vendors to make sure their tools can scan for the Melissa
variant.

Melissa has affected hundreds of sites and approximately 100,000
employees so far, said Shawn Hernan, leader of the vulnerability
handling team at CERT. Hernan declined to identify the companies
affected by Melissa. "We're not sure if this is the entire thing or just
the tip of the iceberg," Hernan said. 

Schrader noted that within six hours of the posting of the virus, tens
of thousands of corporate users were unable to access their mail
servers. Others shut down their mail systems to keep clients and
partners from being affected. 

"Nobody wants the liability of spreading viruses to customers," said
Schrader, who noted that Intel Corp. was one company that was forced to
shut down its mail services. In fact, just today, employees were
instructed on how to validate the removal of Melissa from their systems,
said Michael Sullivan, an Intel spokesman. 

Schrader said studies have shown that a virus affecting 25 systems costs
$8,000 to clean up. He said he couldn't calculate the cost of cleaning
up the Melissa virus and its variants. 

Schrader said an estimated 20 million Exchange seats and 30 million
Lotus Notes mail systems are vulnerable to the virus or its variants. He
said the most common distribution vector is via mail from large
companies with international branches. Many overseas companies,
especially in financial services, reported being affected, he said. The
virus is most prevalent in the U.S., partly because Asian companies hit
earlier had more time to respond. 

Directed at users of Microsoft Word 97 and Word 2000, Melissa arrives
innocently enough and can appear as an e-mail attachment sent from a
boss, fellow employee or friend. The message's subject header reads
"Important Message From," and the body begins "Here is that document you
asked for ... don't show anyone else ;-)" with a document of
pornographic Web sites named "list.doc," CERT said. 

Once the .doc file is opened with either Word 97 or Word 2000, the virus
is immediately executed if macros are enabled, Hernan said. It modifies
the Word setting by infecting the warning template and the current open
file, he said. Melissa sends e-mail messages to the first 50 addresses
of a user's Microsoft Outlook address book, potentially "swamping" a
company's server, Hernan said. 

In addition, if the minute of the hour matches the date (for example,
3:29 p.m. on March 29), Melissa will insert a Bart Simpson quote into
the current document: "Twenty-two points, plus triple-word score, plus
fifty points for using all my letters. Game's over. I'm outta here." 

As a result of Melissa, one unidentified company shut down its mail
server but is having a hard time getting back online with all of the
e-mail, Hernan said. The extent of the damage is unknown, he said. In
some cases, the aftereffects of Internet vulnerabilities have continued
for two years. 

One security watcher saw a long-term effect of the Melissa virus. What
is interesting about this virus is that "it is helping to spread
itself," said Professor Gene Spafford, director at the Center for
Education and Research in Information Assurance and Security at Purdue
University in West Lafayette, Ind. If machines don't get cleaned up
properly, "it will turn off protection from future viruses." This is
"just the beginning," Spafford said. 

Comparing Melissa to the Morris worm, Ira Winkler, president of Internet
Security Advisers Group, a consultancy in Severna Park, Md., said the
blame for viruses is going to the wrong party. "We live in the type of
world that we put the blame on the vendors for not doing a better job"
in protecting corporate systems from viruses, he said. The
responsibility should go on the individuals who are creating these
viruses, Winkler said.