Melissa's mayhem

Kurt Kleiner and Matt Walker

A NEW CHAPTER in the history of computer viruses has opened. For the
first time, a rogue program has taken full advantage of the Internet to
infect tens of thousands of computers worldwide in just a few days.

[First time? Morris' worm, ADM Worm .. two examples of this previous
 to Melissa. There were also other popular viruses that easily hit
 10,000 machines.]

The virus, called Melissa, has already spawned several "copycat"
programs. Some experts fear that conventional countermeasures won't be
able to blunt the threat posed by this new breed. "I would not be
surprised if in a couple of months they figure out how to make a virus
that propagates not in days, but in hours," says Steve White of IBM's
Thomas J. Watson Research Center in Hawthorne, New York.

[So this 'expert' on viruses thinks there are no viruses that propagate
 in hours?!]

Melissa is a "macro" virus. These cause a disproportionate amount of
havoc (see Figure) and exist as small programs, called macros, that can
be added to documents created by software such as Word, Microsoft's
word-processing package. As more than 100 000 computer users have already
found to their cost, Melissa arrives by e-mail hidden within a Word file
that contains a list of pornographic websites. If the recipient opens the
document without disabling the macro function, the virus alters Word's
security settings so that warnings about disabling macros won't be
displayed in future--a trick that renders the user vulnerable to further

Melissa then looks for Microsoft's Outlook organiser program and sends
copies of itself to the first 50 contacts in the Outlook e-mail address
book. At various times, it deposits a quote from The Simpsons TV show
into Word documents.

Macro viruses that propagate by e-mail have been seen before (This Week,
26 April 1997, p 7). But Melissa is the first to use a popular e-mail
program to spread like wildfire. In doing so last week, it clogged major
e-mail gateways. Systems hit by the virus reportedly included NATO
computers involved in the war against Yugoslavia.

A New Jersey man, David Smith, has already been charged with releasing
Melissa. But hard on its heels has come a virus called Papa, which lurks
in a Microsoft Excel spreadsheet file. It works in much the same way,
except it also repeatedly tries to contact certain Internet addresses,
effectively disabling the user's Net connection. According to Nick
FitzGerald, an antivirus consultant based in Abingdon, Oxfordshire, there
are two further copycats--Marauder and Syndicate.

Companies specialising in antivirus programs have written software
patches that disable Melissa and Papa, and made them available on their
websites for downloading. But White and his colleagues at IBM argue that
this approach is too slow to deal with fast-reproducing viruses.

IBM has pioneered the Digital Immune System, which it hopes to release in
about a year. This will connect customers over the Net with a central
computer. When a customer's computer detects an anomaly that might be a
new virus, it will automatically ship the code to the central computer,
which will figure out a way to detect it, then send the information to
everyone on the network (see "The Internet strikes back", New Scientist,
24 May 1997, p 35).

[This is a privacy concern and a half. Your computer will now begin to
 send arbitrary documents to IBM, possibly without censoring content,
 and possibly without your knowledge.]

Some antivirus experts remain sceptical about the Digital Immune System's
chances of success. But if it does work as advertised, it should be more
than a match for Melissa and its imitators.

"Melissa and Papa are exactly the kind of things that would play to the
immune system's strengths," says FitzGerald. "It could detect and deal
with fast-spreading network threats in real time."

From New Scientist, 10 April 1999