IP: More on "Epidemic virus infects corporate e-mail"

[Dave Farber <farber () cis upenn edu>]

I am sending out the full text of this due to its criticality for many. djf

> From: jspira () basex com
> To: farber () cis upenn edu
> Date: Sat, 27 Mar 1999 15:26:35 -0500
> Subject: More on "Epidemic virus infects corporate e-mail"
>
> Dave,
>
> The implications of this, esp. the concept of MS' and Intel's networks
> being brought to their knees, are very troublesome, to say the very least.
>
> Below is very good coverage of this by PC Week.
>
> /s/ Jonathan
>
> Jonathan B Spira                    E-mail jspira () basex com
> The Basex Group, Inc                URL http://www.basex.com
> 15 E 26th Street                    Tel +1 (212) 725-2600 x113
> New York, NY 10010 USA              Facsimile +1 (212) 532-5406
>
>
>
>
>
>
>
> To:   InfoBasex
>
>
> By (Document link not converted)Mary Jo Foley, (Document link not
> converted)>converted)Sm@rt Reseller, and (Document link not converted)Lisa M.  Bowman
>
> A number of Microsoft Corp.  Outlook/Exchange customers -- including
> Microsoft itself, as well as Intel Corp.  -- are being hit hard by a macro
> virus that is replicating infected pornography-related information
> throughout corporate email systems.
>
> The virus, which was identified by Network Associates Inc.  (Nasdaq:
> (Document link not converted)NETA) as 'Melissa,' originated in Western
> Europe and was first discovered on the alt.sex newsgroup.  Computer
> security experts said the virus wreaked havoc with corporate e-mail as it
> sped across the Internet on Friday.
>
> "The proliferation of this virus is something we've never seen before,"
> said Srivats Sampath, a general manager at Network Associates.  He said
> that 60,000 people at one company had been affected.  He refused to
> identify the company.
>
> "Because there's so much e-mail passing through a server, it's basically
> taking down the servers," Sampath said.  He added that twenty large
> companies were affected by late afternoon -- including as many as 60,000 in
> one company.
>
> Microsoft e-mail suspended
> At Microsoft (Nasdaq:(Document link not converted)MSFT), the company
> suspended all incoming and outgoing Internet mail Friday.
>
> "We're a victim, like any other company on the outside," of this virus,
> said a Microsoft spokesman.
>
> The spokesman said Microsoft's product support division has been in contact
> all day via e-mail and phone with Microsoft's customers and partners,
> alerting them about the virus.
>
> "We made an IT (information technology) decision in the early afternoon and
> agreed it was pro-customer and pro-partner to shut down our Internet mail
> portion.  As soon as we feel tight on this, probably in the next few hours,
> we will turn this back on and process all the mail in the queue."
>
> At least one division of Intel Corp.  (Nasdaq:(Document link not converted)
> INTC) also reported problems resulting from the macro virus.  A public
> relations spokesperson acknowledged that some of the company's e-mail
> servers had gone down as a result.
>
> A representative at Waggener Edstrom, Microsoft's public relations agency,
> which also was hit by the virus, according to several sources, acknowledged
> problems caused by a 'malicious macro virus.'
>
> Melissa's sophisticated bite
> The Melissa virus propagates via e-mail.  Attached to the e-mail is a Word
> file that, if opened, launches a macro that replicates a message to the
> first 50 names in the recipient's Outlook address book.  The subject line
> reads: "important message from," followed by a user name.  The body
> consists of a text message that says, "Here is that document you asked
> for...  don't show anyone else;-)." The infected documents reportedly
> contain porn Web site information.
>
> The virus specifically affects Outlook and does not trigger the multiple
> e-mails on other messaging platforms, such as Lotus Notes.  However, people
> using e-mail software other than Outlook may be able to spread affected
> files by sending them to Outlook users, experts said.
>
> McAfee added the virus to its virus database Friday.  More information on
> the virus is can be found on (Document link not converted)McAfee's site.
>
> "It sounds pretty sophisticated," said Peter Deegan of (Document link not
> converted)Woody's Office Watch, who'd been notified of the virus but hadn't
> seen it.
>
> He said the virus sounded unusual because of its effect on mail servers.
> Usually, such viruses attack individual machines, but this one apparently
> can overload mail services by sending out repeated messages.
>
> People cannot get the virus by merely opening up a message, only by opening
> the attached document.  "Always be careful of anything that arrives by
> e-mail," he said.
>
> The virus also appears to turn off Office's macro protection, which could
> leave users more vulnerable to future viruses.  After cleansing their
> machines of the virus, those affected might need to reactivate the macro
> protection.
>
> In another twist, the virus causes a specific phrase to pop up when the
> time of day, matches the date (for example, at 3:26 on March 26).  The
> phrase reads: "Twenty-two points plus triple word score, plus 50 points for
> using all my letters.  Game's over.  I'm out of here."
>
> Right now, that feature is benign, but security experts say it could be
> used to delete files if a malicious hacker creates another version of the
> virus.
>
> Word 97, Word 2000 vulnerability
> Antivirus software vendor TrendMicro noted on its (Document link not
> converted)Web site that the so-called W97M_Melissa virus can attack via
> both Word 97 and Word 2000 documents.  If the virus attacks via Word 2000,
> says TrendMicro, "it will lower the security setting to the lowest level by
> modifying the registry and will disable the Word menu commands
> (MacroSecurity) which allows the user to reinstate security settings."
>
> "A minimum of 20 major companies been infected.  This is spreading faster
> than any virus we've seen before, because we've only seen a few
> email-activated viruses in the wild before this," noted Dan Schrader,
> director of product marketing.
>
> Schrader says the best way for companies to stamp out Melissa is to run
> virus protection software at the server, not the desktop, level.
> TrendMicro says it already updated all of its products to detect this virus
> as of today.  The company also is offering a (Document link not converted)
> free service on its Web site, allowing administrators and customers to scan
> their machines for any virus, including Melissa.
>
> Additional reporting by ZDNN's Charles Cooper and >Additional reporting by ZDNN's Charles Cooper and Sm@rt Reseller's 
> Deborah
> Gage.