IP: More on "Epidemic virus infects corporate e-mail"

[Dave Farber <farber@cis.upenn.edu>]

I am sending out the full text of this due to its criticality for many. djf

>From: jspira@basex.com
>To: farber@cis.upenn.edu
>Date: Sat, 27 Mar 1999 15:26:35 -0500
>Subject: More on "Epidemic virus infects corporate e-mail"
>
>Dave,
>
>The implications of this, esp. the concept of MS' and Intel's networks
>being brought to their knees, are very troublesome, to say the very least.
>
>Below is very good coverage of this by PC Week.
>
>/s/ Jonathan
>
>Jonathan B Spira                    E-mail jspira@basex.com
>The Basex Group, Inc                URL http://www.basex.com
>15 E 26th Street                    Tel +1 (212) 725-2600 x113
>New York, NY 10010 USA              Facsimile +1 (212) 532-5406
>
>
>
>
>
>
>
>To:   InfoBasex
>
>
>By (Document link not converted)Mary Jo Foley, (Document link not
>converted)>converted)Sm@rt Reseller, and (Document link not converted)Lisa M.  Bowman
>
>A number of Microsoft Corp.  Outlook/Exchange customers -- including
>Microsoft itself, as well as Intel Corp.  -- are being hit hard by a macro
>virus that is replicating infected pornography-related information
>throughout corporate email systems.
>
>The virus, which was identified by Network Associates Inc.  (Nasdaq:
>(Document link not converted)NETA) as 'Melissa,' originated in Western
>Europe and was first discovered on the alt.sex newsgroup.  Computer
>security experts said the virus wreaked havoc with corporate e-mail as it
>sped across the Internet on Friday.
>
>"The proliferation of this virus is something we've never seen before,"
>said Srivats Sampath, a general manager at Network Associates.  He said
>that 60,000 people at one company had been affected.  He refused to
>identify the company.
>
>"Because there's so much e-mail passing through a server, it's basically
>taking down the servers," Sampath said.  He added that twenty large
>companies were affected by late afternoon -- including as many as 60,000 in
>one company.
>
>Microsoft e-mail suspended
>At Microsoft (Nasdaq:(Document link not converted)MSFT), the company
>suspended all incoming and outgoing Internet mail Friday.
>
>"We're a victim, like any other company on the outside," of this virus,
>said a Microsoft spokesman.
>
>The spokesman said Microsoft's product support division has been in contact
>all day via e-mail and phone with Microsoft's customers and partners,
>alerting them about the virus.
>
>"We made an IT (information technology) decision in the early afternoon and
>agreed it was pro-customer and pro-partner to shut down our Internet mail
>portion.  As soon as we feel tight on this, probably in the next few hours,
>we will turn this back on and process all the mail in the queue."
>
>At least one division of Intel Corp.  (Nasdaq:(Document link not converted)
>INTC) also reported problems resulting from the macro virus.  A public
>relations spokesperson acknowledged that some of the company's e-mail
>servers had gone down as a result.
>
>A representative at Waggener Edstrom, Microsoft's public relations agency,
>which also was hit by the virus, according to several sources, acknowledged
>problems caused by a 'malicious macro virus.'
>
>Melissa's sophisticated bite
>The Melissa virus propagates via e-mail.  Attached to the e-mail is a Word
>file that, if opened, launches a macro that replicates a message to the
>first 50 names in the recipient's Outlook address book.  The subject line
>reads: "important message from," followed by a user name.  The body
>consists of a text message that says, "Here is that document you asked
>for...  don't show anyone else;-)." The infected documents reportedly
>contain porn Web site information.
>
>The virus specifically affects Outlook and does not trigger the multiple
>e-mails on other messaging platforms, such as Lotus Notes.  However, people
>using e-mail software other than Outlook may be able to spread affected
>files by sending them to Outlook users, experts said.
>
>McAfee added the virus to its virus database Friday.  More information on
>the virus is can be found on (Document link not converted)McAfee's site.
>
>"It sounds pretty sophisticated," said Peter Deegan of (Document link not
>converted)Woody's Office Watch, who'd been notified of the virus but hadn't
>seen it.
>
>He said the virus sounded unusual because of its effect on mail servers.
>Usually, such viruses attack individual machines, but this one apparently
>can overload mail services by sending out repeated messages.
>
>People cannot get the virus by merely opening up a message, only by opening
>the attached document.  "Always be careful of anything that arrives by
>e-mail," he said.
>
>The virus also appears to turn off Office's macro protection, which could
>leave users more vulnerable to future viruses.  After cleansing their
>machines of the virus, those affected might need to reactivate the macro
>protection.
>
>In another twist, the virus causes a specific phrase to pop up when the
>time of day, matches the date (for example, at 3:26 on March 26).  The
>phrase reads: "Twenty-two points plus triple word score, plus 50 points for
>using all my letters.  Game's over.  I'm out of here."
>
>Right now, that feature is benign, but security experts say it could be
>used to delete files if a malicious hacker creates another version of the
>virus.
>
>Word 97, Word 2000 vulnerability
>Antivirus software vendor TrendMicro noted on its (Document link not
>converted)Web site that the so-called W97M_Melissa virus can attack via
>both Word 97 and Word 2000 documents.  If the virus attacks via Word 2000,
>says TrendMicro, "it will lower the security setting to the lowest level by
>modifying the registry and will disable the Word menu commands
>(MacroSecurity) which allows the user to reinstate security settings."
>
>"A minimum of 20 major companies been infected.  This is spreading faster
>than any virus we've seen before, because we've only seen a few
>email-activated viruses in the wild before this," noted Dan Schrader,
>director of product marketing.
>
>Schrader says the best way for companies to stamp out Melissa is to run
>virus protection software at the server, not the desktop, level.
>TrendMicro says it already updated all of its products to detect this virus
>as of today.  The company also is offering a (Document link not converted)
>free service on its Web site, allowing administrators and customers to scan
>their machines for any virus, including Melissa.
>
>Additional reporting by ZDNN's Charles Cooper and >Additional reporting by ZDNN's Charles Cooper and Sm@rt Reseller's Deborah
>Gage.
>
>
>
>