As reported previously by CNET News.com,
once activated, W97Melissa, uses a combination of Microsoft
Word macros and Microsoft Outlook on a user's PC to send copies of a list of 80
pornographic Web sites. It works with either Word 97 or Word 2000, according to antivirus
companies TrendMicro, Symantec, and Network Associates.
The program is somewhat devious in that it sends itself from the email addresses of
people who are likely to be familiar contacts, arriving as email with the subject line
"Important message from..." followed by the sender's name. The body says
"Here is that document you asked for...don't show anyone else ;-)." The email
includes an attached Word file "list.doc," which includes the porn sites'
It could take more than several days to get the virus under control, experts said.
TrendMicro is warning that 20 to 30 variants of the virus could show up by tomorrow,
making filtering the virus at the email server level even more difficult.
"This has the potential to get worse before it gets better," said Jeff
Carpenter, team leader of Carnegie Mellon's Computer Emergency Response Team (CERT). As of
last night, more than 100 organizations had called CERT for help, he said. "We've
never seen something spread like this before."
Carpenter said companies are taking steps to combat the virus by posting warnings for
employees on their front-door entrances, rolling out new versions of antivirus packages to
protect PCs, advising employees not to open email attachments from users they do not know,
and disabling macros in Microsoft Word.
Over the weekend, CERT issued an advisory
detailing how users can combat Melissa.
Carpenter said companies such as law firms and accounting firms are particularly wary
about the risk, as confidential information from a word document can leak out via email as
a result of the virus.
The virus doesn't appear to cause any damage to infected computers except in rare cases
when the minutes of the current time match the date--for example at 4:26 p.m. on March 26.
In this instance, the virus will insert the Bart Simpson quotation, "Twenty-two
points, plus triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here," into a user's active document.
Because the virus sends itself to potentially thousands of contacts contained in a
user's address distribution list, however, there's a possibility that the virus could
overwhelm mail servers. Users won't get the virus by opening up a message, only by opening
the attached document. Experts are warning people not to open documents attached to
messages from people they don't know.
Even the FBI and the National Infrastructure
Protection Center have issued an unprecedented public warning about the virus. Michael
Vatis, director of the NIPC, stated in a memo, "Email users have the ability to
significantly affect the outcome of this incident. I urge [them] to exercise caution when
reading their email over the next few days and to bring unusual messages to the attention
of their system administrator."
The virus first was spotted last Friday, according to TrendMicro and others. It is
believed to have originated in Western Europe and was first discovered on the alt.sex
"We've been swamped all day with customers calling in with this," said Dan
director of product marketing at TrendMicro, when contacted last Friday. "It's
spreading extremely quickly. Twenty major corporate sites have called us."
Melissa is similar to an "autospam" virus called "Share Fun" that
emerged in March 1997, Schrader said, but that virus was buggy and not as effective. There
have been viruses that spread through the address books in the past, "but never this
effectively," Schrader said.
Network Associates estimated the virus has already hit hundreds of thousands of
computers. Microsoft shut down outbound mail so it
wouldn't impact customers or partners last Friday. However, after installing filtering
software the company resumed outbound mail service. Waggener Edstrom, Microsoft's
public relations agency, also got hit by Melissa, which brought the agency's email system
down. Intel was hit internally as well.
Twenty of Network Associate's largest clients were infected; one firm alone said it had
reached 60,000 computers. "The propagation rate has been alarming," a company
Tom Moske, a network administrator at USWeb/CKS,
ran into the virus this afternoon when the virus spread itself from people in his company
who had opened the attachment.
And he had cause to appreciate the devious nature of the virus, since it spread from
employees in his company to the business clients of USWeb/CKS.
"It's the most intrusive I've ever seen," he said. "This is worldwide
TrendMicro said the virus can be detected using its free Web-based "house call" service.
Because the virus spreads itself automatically, it could be termed a "worm."
The author apparently appreciated this, remarking in the virus code: "Worm? Macro
Virus? Word 97 Virus? Word 2000 Virus? You Decide!"