Posted by Moderator 50 [mattk8876] on March 30, 1999 at 00:55:15 {.Oe37V.qjQCfsKE9siAIBdZEpMwzLY}:
From ComputerWorld
Deadly 'Melissa' copycat virus can
bring down networks
By Ann Harrison
A new copycat virus, which is similar
to the widespread
"Melissa" virus, has the potential to bring down entire
networks instead of simply jamming e-mail servers, an
antivirus software vendor said
during a press conference
today.
According Sal Viveros, group marketing manager for total
virus defense at Network Associates Inc. in Santa Clara,
Calif., the new copycat virus, called Papa, is delivered via
mailed Microsoft Excel documents, instead of the Word
documents, which carry the Melissa virus.
The Papa virus replicates in the same manner as Melissa.
But instead of mailing itself just once to the first 50 people
on a person's global e-mail address book, it mails to the
first
60 people on multiple address books every time the virus is
activated.
It also sends pings, or network queries, to an external site,
which can crash corporate networks by eating up large
amounts of bandwidth. Virus experts still don't know how
the site is selected or whether it is one or several different
sites.
According to Viveros, the Papa virus originally appeared on
the alt.bondage newsgroup. The Melissa virus, which first
appeared on another
adult-oriented newsgroup, claimed to
offer a list of online pornography sites and passwords for
how to access those sites. Viveros said he didn't believe the
Papa virus was written by the same person as the Melissa
virus. He said it just uses the same mechanism to replicate.
"Hackers use existing viruses as a road map and create
more destructive payloads for them," Viveros said. "Now
that [the Melissa virus] is out there and successful, we
expect to see more varieties on the near horizon."
Shawn Hernan, leader of the vulnerability handling team of
the Computer Emergency Response Team at Carnegie
Mellon University in Pittsburgh, today said an antivirus tool
vendor predicted that 20 to 30 copycats of the Melissa virus
will appear by the end of the week.
Like the Melissa virus, the Papa virus, so named for the use
of the word in the virus' code, disables macro virus warning
features in the documents that are infected. The Melissa
virus attacks the registry for Word 97 and changes
security
settings, which prevents the Word macro warning from
appearing. Viveros said it is the first virus to use that
disablement strategy.
Viveros noted that the Melissa virus has spread more
quickly than any other virus in history partly because
infected documents seem to be coming from a known
source on victims' e-mail lists. He recommended that users
not use macros and not open anything on the desktop that
comes through as a mail attachment unless they are sure
where it comes from. He also suggested that companies
encrypt documents to make sure confidential company
information isn't revealed.
Viveros said
80%, or a total of 120, of Security Dynamic's
major customers have been affected by the Melissa virus
and that a significant number have had to disable their mail
servers. He said his company was the first to discover the
virus on Friday and alerted the FBI, which is investigating
the source of the virus.
The fact that
the Melissa virus emerged on a Friday gave
corporate users a head start in warning employees by
Monday morning. Viveros said some corporate users took
down their
entire e-mail system to prevent the virus from
spreading. "By having them down, there is a lot of
communication that is not happening, and it really has
wreaked
a lot of havoc," Viveros said.
Users of Netscape Communications Corp. browsers can
get macro warnings about both viruses if they have security
features engaged,
but Viveros said he isn't sure if Internet
Explorer has the same feature.
"This virus just re-emphasizes the fact that companies
need an infrastructure in place
to deploy new virus updates
and upgrades, he said.
Several security analysts have noted that the Melissa virus
has a feature in which when the time matches the
date,
such as 3:29 today, it will insert into any open Word
documents text from a Simpson's television episode that
aired this past week. Viveros said there
haven't yet been
any reports of documents being compromised in this way.