As corporate customers scramble to protect themselves from the "Melissa" virus, it has begun to mutate and defeat a widely used patch, one industry watcher said.
The new, quick-spreading virus called Melissa has been wreaking havoc since Friday afternoon, the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh reported.
In its early stages, the virus could be known by its distinctive subject header, which read "Important Message From ..."
But now a variant of the virus leaves the subject line blank, according to Dan Schrader, director of product marketing at Trend Micro, a Cupertino, California, developer of virus protection tools. Schrader said the patch, issued by http://www.sendmail.com, "very quickly becomes invalid for companies depending on that filtering technology".
The variant, called W97M_MELISSA.A, keeps the sendmail patch from detecting, blocking or removing the mutated virus. Schrader said he expects to see more new versions of the Melissa virus appear to corrupt mail files in any environment. He suggested that companies contact their antivirus vendors to make sure their tools can scan for the Melissa variant.
Melissa has affected 100 sites and about 50,000 employees so far, said Shawn Hernan, leader of the vulnerability handling team at CERT. Hernan declined to identify the companies affected by Melissa. "We're not sure if this is the entire thing or just the tip of the iceberg," Hernan said.
In Australia, the ABC reported yesterday the South Australian Government is one of the first local organisations to suffer from the Melissa virus.
Schrader noted that within six hours of the posting of the virus, tens of thousands of corporate users were unable to access their mail servers. Others shut down their mail systems to keep clients and partners from being affected.
"Nobody wants the liability of spreading viruses to customers," said Schrader, who noted that Intel was one company that was forced to shut down its mail services. In fact, employees were instructed on how to validate the removal of Melissa from their systems, said Michael Sullivan, an Intel spokesman.
Schrader said studies have shown that a virus affecting 25 systems costs $8000 to clean up. He said he couldn't calculate the cost of cleaning up the Melissa virus and its variants.
Schrader said an estimated 20 million Exchange seats and 30 million Lotus Notes mail systems are vulnerable to the virus or its variants. He said the most common distribution vector is via mail from large companies with international branches. Many overseas companies, especially in financial services, reported being affected, he said. The virus is most prevalent in the US, partly because Asian companies hit earlier had more time to respond.
Directed at users of Microsoft Word 97 and Word 2000, Melissa arrives innocently enough and can appear as an e-mail attachment sent from a boss, fellow employee or friend. The message's subject header reads "Important Message From," and the body begins "Here is that document you asked for ... don't show anyone else ;-)" with a document of pornographic Web sites named "list.doc", CERT said.
Once the .doc file is opened with either Word 97 or Word 2000, the virus is immediately executed if macros are enabled, Hernan said. It modifies the Word setting by infecting the warning template and the current open file, he said. Melissa sends e-mail messages to the first 50 addresses of a user's Microsoft Outlook address book, potentially "swamping" a company's server, Hernan said.
In addition, if the minute of the hour matches the date (for example, 3:29 p.m. on March 29), Melissa will insert a Bart Simpson quote into the current document: "Twenty-two points, plus triple-word score, plus 50 points for using all my letters. Game's over. I'm outta here."
As a result of Melissa, one unidentified company shut down its mail server but is having a hard time getting online with all of the e-mail, Hernan said. The extent of the damage is unknown, he said. In some cases, the after effects of Internet vulnerabilities have continued for two years.
One security watcher saw a long-term effect of the Melissa virus. What is interesting about this virus is that "it is helping to spread itself", said Professor Gene Spafford, director at the Center for Education and Research in Information Assurance and Security at Purdue University in West Lafayette, Ind. If machines don't get cleaned up properly, "it will turn off protection from future viruses." This is "just the beginning," Spafford said.
Comparing Melissa to the Morris worm, Ira Winkler, president of Internet Security Advisers Group, a consultancy in Saverna Park, Md, said the blame for viruses is going to the wrong party. "We live in the type of world that we put the blame on the vendors for not doing a better job" in protecting corporate systems from viruses, he said. The responsibility should go on the individuals who are creating these viruses, Winkler said.