Please forgive the cross-posting. --JM
---FWD from COMMUNET---
Copycat virus follows quickly on Melissa's heels=20
By Michael Lattig and Dan Briody
InfoWorld Electric
Posted at 11:30 AM PT, Mar 29, 1999=20
http://www.idg.net/idg_frames/english/content.cgi?allowFeedback=false&
referer=&outside_source=newsletter&url=http%3a%2f%2fwww%2einfoworld%2ecom%2fcgi-bin%2fdisplayStory%2epl%3f990326%2ewcvirus%2ehtm&doc_id=108211
Network Associates has discovered an e-mail virus similar to the
Melissa virus that company officials said they believe is even more
dangerous than its predecessor.
Dubbed Papa, the new virus is an Excel virus that sends itself in
the same manner as Melissa, but sends itself to the first 60 people
in a user's address book compared to 50 with Melissa. In addition,
Papa sends an e-mail out every time the virus is activated. Melissa
only sends the message the first time it is opened.
This time the subject line claims the message is from "all.net and
Fred Cohen." The body of the e-mail, which contains an attached
document titled "path.xls," then instructs the user not to disable
the macros, which is how the virus is activated.
According to Sal Viveros, group marketing manager for total virus
defense at Network Associates, the most disruptive aspect of Papa is
the fact that it "pings" an as-yet-undetermined external site to
make sure there is an available Internet connection. The practice of
pinging is not unusual, but Papa pings so many times that it brings
the network down.
The biggest concern from a corporate security standpoint is that any
document infected with the virus and then e-mailed to another party
is distributed in the same way the Melissa virus is, leaving
companies vulnerable to having confidential documents distributed
unknowingly.
Viveros believes Papa was written by a different person than the
author of Melissa, but that it uses the original virus as a road
map. This practice of using similar mechanisms to deliver more
destructive payloads is not unusual, noted Viveros, which could mean
a string of such similar viruses could be on the way. Variants,
however, should be less disruptive because virus-detection vendors
know what they are looking for. Network Associates expects to post
software for detection and cleaning of the Papa virus by Monday
afternoon.
The Melissa virus first sprang up in countless e-mail inboxes around
the world on Friday, replicating itself to end-user address books
and sending an exhaustive list of pornographic Web sites to everyone
therein.
According to Viveros, Melissa is the widest spreading virus he has
ever seen, hitting approximately 80 percent of Network Associates'
major customers, which amounts to almost 100 companies. A
significant number of those were forced to take their e-mail systems
down.
The Melissa virus hampered -- and in some cases entirely shut down
-- e-mail systems for companies the world over. Microsoft, for
example, put a halt to all outgoing e-mails throughout the company on
Friday to guard against spreading the virus.
"Viruses are a serious issue. We and our partners had to respond
pretty quickly last week and now have clear guidelines on how to use
the [Exchange and Outlook] software to block the message and stop it
from getting around. That message [of a fix] is getting out, and the
virus has been addressed," said Bill Gates, CEO of Microsoft, in
Redmond, Wash., on Monday.
"These things are very rare. The incidence is going down, but
there's work for us," Gates said.
At risk are Microsoft Exchange Servers running Microsoft Outlook.
With an ever-changing subject heading of "Important Message From
[end-user name]," the attachment to the e-mail is a document entitled
"list.doc" with a body of text stating, "Here is that document you
asked for ... don't show anyone else ;-)."
Upon opening the attachment, Microsoft Word 97 will ask if you want
to disable the macros, to which you should reply yes, or the e-mail
will automatically be sent to the first fifty names on each company
mailing list.
"If you don't disable the macros, the virus resends itself to
everyone in [your] address list," said John Berard, a spokesman for
Fleishman Hillard, which was infected by the virus and inadvertently
spread it around.
In addition, the virus automatically changes the security settings
of an infected system to the lowest possible setting, a slick move
that has IT managers wondering if they will have to manually reset
every infected PC in their enterprise.
Dan Schrader, director of product marketing at anti-virus software
maker Trend Micro, said the virus is easy to detect and not
destructive in nature. But it can cause serious bandwidth
constraints and contains several quirky characteristics.
One of those is a hidden message from the popular TV series "The
Simpsons" that is inserted into any open documents whenever the date
and the time - 2:29 on the 29th for instance - match.
A fix for the Melissa virus is now available from most major
anti-virus software vendors.
-----------
Note from JM:
This just in regarding Melissa--
>For Microsoft's info and patch:
> http://www.microsoft.com/security/bulletins/ms99-002.asp
To unsubscribe from SURVPC send a message to [EMAIL PROTECTED] with
unsubscribe SURVPC in the body of the message.
Also, trim this footer from any quoted replies.
