Normally, I don't post virus warnings to the list, as far too many of the
ones going around are modern versions of the "Good Times" virus hoax. In
this case, however, the following warning _is_ substantiated by both
Microsoft and Network Associates (makers of McAfee virus software), and
since it has a very great likelihood of reaching the list (see the
description below for reasons), it seemed a good idea to post the
information before it actually occurs.
This virus, which travels as an email attachment, is one more good reason
_not_ to post attachments with messages sent to the list. My personal
policy--which for safety should be the policy of _all_ list members--is to
delete unread _any_ message that arrives with an attachment from the list. I
may miss a few important posts that way, but if list members want those
posts read, they will follow convention and make them part of the _body_ of
the message, not attachments.
Again, the obvious. You _cannot_ be infected with a virus by reading a text
message in your email. If you don't open an attachment (delete it unread) or
run an attached program (including a Microsoft Word Macro in an attached
document file), your email is guaranteed not to infect your system. Even
picture files are safe (i.e., .jpg, .pic, .bmp, etc.) and cannot infect your
system.
Here's the official notice on the virus, including links to sites with
removal software:
=====================================
March 28, 1999
New Fast-Spreading Virus Takes Internet by Storm
By MATT RICHTEL
SAN FRANCISCO -- A rapidly spreading computer virus forced several large
corporations to shut down their e-mail servers on Friday night as it rode
the Internet on a global rampage, several leading network security companies
reported Saturday.
The security companies said early reports of the virus, which is carried by
e-mail, led them to believe that tens of thousands of home and business
computers had been infected on Friday alone. The virus reproduces itself
exponentially, they said, trying to use each infected message to send 50
more infected messages.
"This is the fastest-spreading virus we've seen," said Srivats Sampath,
general manager for the McAfee Software division of Network Associates, a
Santa Clara company that makes anti-virus software.
Network security experts said that the virus appeared to do no harm to the
machines it infected and that individuals could easily disable it. But they
said its purpose is to interrupt networks by replicating itself so rapidly
that it overwhelms networks and e-mail servers, the electronic post offices
that direct message traffic.
E-mail infected with the virus, which its creators call Melissa, has a topic
line that begins, "Important Message From." Next is the sender's name, which
is often the name of a friend, fellow worker or someone else known to the
recipient.
The message within the e-mail is short and innocuous: "Here is that document
you asked for ... don't show anyone else ;-)" Attached to it is a
40,000-byte, or 40K, Microsoft Word document named list.doc.
When the recipient opens list.doc, the Melissa virus automatically searches
for an e-mail address book. It then sends a copy of itself -- the message
and attachment -- from the recipient to the first 50 names it finds in the
recipient's address book, which accounts for the rapid acceleration across
the Internet.
The virus is known to spread rapidly with two popular e-mail programs,
Microsoft Outlook and a slimmed-down version of the same program, Microsoft
Outlook Express, which is part of the Windows 98 operating system and is
often installed with Windows 95.
Network security administrators said they had seen no evidence that Melissa
was able to open and use the address books in other e-mail programs, but
they did not rule out the possibility that it could and would do so.
Several anti-virus software makers posted software on their Web sites that
their customers can download to detect the virus-encoded message and refuse
it.
A fix for the general public was available on http://www.sendmail.com, the
Web site of Sendmail, the Emeryville company whose post-office software is
often used to direct mail on the Internet.
Eric Allman, a co-founder of Sendmail, said he was concerned that the
problem would worsen on Monday morning when employees find these messages in
their e-mail in-boxes. "This will get into a lot of mail boxes and lay
dormant," he said. "When employees come in at 8 a.m. and read these
messages, it will cause an explosive growth of the virus."
Allman characterized the virus' virulence as "not the worst I'd seen, but
it's pretty bad." He added, however, that it appeared to be the
fastest-replicating virus he had seen.
Individuals can avoid contracting or spreading the virus simply by not
opening the attachment that accompanies the e-mail. Opening the message
alone will not cause the virus to copy the address list and send itself out.
Alternatively, users can disarm the virus by disabling the type of program
that contains it -- "macros," which are small applications used to automate
tasks in Microsoft Word documents. Disabling macros in Microsoft Word will
render the virus ineffective.
Officials from Microsoft said they were not certain of the magnitude of the
virus and emphasized that it could be easily disarmed. Adam Sohn, a company
spokesman, said, "If folks are careful about what runs on their machine,
they'll always be fine."
The virus overwhelmed employees on Friday at GCI Group, a public relations
firm with offices throughout the United States.
One contract employee, who exchanges mail with a number of company
employees, said she received more than 500 messages during the day.
"It hosed my entire day," said the employee, Leigh Anne Varney. "You can't
print the words I used. I've never had this happen before."
This hardly is the first virus to attack and spread automatically via
e-mail, but it is the first to move from being a controlled, essentially
experimental form "into the wild," said Dan Schrader, director of product
marketing for Trend Micro, an anti-virus software maker in Cupertino.
The rapid spread of the program was reminiscent of a 1988 program, known as
a worm, written by Robert Tappan Morris, then a graduate student in computer
science at Cornell University. Morris' program spread through the Internet
with remarkable speed, ultimately disabling more than 6,000 computers.
However, the Internet was tiny in 1988 compared with the size of today's
network. As a result the potential for the spread of the program is truly
vast.
"We haven't seen anything impact this many people on the Internet in a long
time," said Schrader. He said that three of his company's customers had
temporarily shut down their e-mail servers to delete the infected mail.
Whoever wrote the virus also left the message "W97M -- Melissa." The note
said the virus was created by "Kwyjibo," which Trend Micro officials
speculated is a reference to the television show "The Simpsons." In an
episode of the Simpsons titled "Bart the Genius," Bart Simpson wins a
Scrabble game by using the "word" Kwyjibo.
The theory dovetails with a second impact of the virus: Once the virus has
infected a computer, it will type a message on the screen when the time of
day corresponds to the date (on March 26 it would be 3:26). The message
reads: "Twenty-two points, plus triple-word-score, plus 50 points for using
all my letters. Game's over. I'm outta here."
---The New York Times, March 28, 1999
