March 28, 1999

New Fast-Spreading Virus Takes Internet by Storm

By MATT RICHTEL

SAN FRANCISCO -- A rapidly spreading computer virus forced several large corporations to shut down their e-mail servers on Friday night as it rode the Internet on a global rampage, several leading network security companies reported Saturday.

The security companies said early reports of the virus, which is carried by e-mail, led them to believe that tens of thousands of home and business computers had been infected on Friday alone. The virus reproduces itself exponentially, they said, trying to use each infected message to send 50 more infected messages.

"This is the fastest-spreading virus we've seen," said Srivats Sampath, general manager for the McAfee Software division of Network Associates, a Santa Clara company that makes anti-virus software.

Network security experts said that the virus appeared to do no harm to the machines it infected and that individuals could easily disable it. But they said its purpose is to interrupt networks by replicating itself so rapidly that it overwhelms networks and e-mail servers, the electronic post offices that direct message traffic.

E-mail infected with the virus, which its creators call Melissa, has a topic line that begins, "Important Message From." Next is the sender's name, which is often the name of a friend, fellow worker or someone else known to the recipient.

The message within the e-mail is short and innocuous: "Here is that document you asked for ... don't show anyone else ;-)" Attached to it is a 40,000-byte, or 40K, Microsoft Word document named list.doc.

When the recipient opens list.doc, the Melissa virus automatically searches for an e-mail address book. It then sends a copy of itself -- the message and attachment -- from the recipient to the first 50 names it finds in the recipient's address book, which accounts for the rapid acceleration across the Internet.

The virus is known to spread rapidly with two popular e-mail programs, Microsoft Outlook and a slimmed-down version of the same program, Microsoft Outlook Express, which is part of the Windows 98 operating system and is often installed with Windows 95.

Network security administrators said they had seen no evidence that Melissa was able to open and use the address books in other e-mail programs, but they did not rule out the possibility that it could and would do so.

Several anti-virus software makers posted software on their Web sites that their customers can download to detect the virus-encoded message and refuse it.

A fix for the general public was available on www.sendmail.com, the Web site of Sendmail, the Emeryville company whose post-office software is often used to direct mail on the Internet.

Eric Allman, a co-founder of Sendmail, said he was concerned that the problem would worsen on Monday morning when employees find these messages in their e-mail in-boxes. "This will get into a lot of mail boxes and lay dormant," he said. "When employees come in at 8 a.m. and read these messages, it will cause an explosive growth of the virus."

Allman characterized the virus' virulence as "not the worst I'd seen, but it's pretty bad." He added, however, that it appeared to be the fastest-replicating virus he had seen.

Individuals can avoid contracting or spreading the virus simply by not opening the attachment that accompanies the e-mail. Opening the message alone will not cause the virus to copy the address list and send itself out.

Alternatively, users can disarm the virus by disabling the type of program that contains it -- "macros," which are small applications used to automate tasks in Microsoft Word documents. Disabling macros in Microsoft Word will render the virus ineffective.

Officials from Microsoft said they were not certain of the magnitude of the virus and emphasized that it could be easily disarmed. Adam Sohn, a company spokesman, said, "If folks are careful about what runs on their machine, they'll always be fine."

The virus overwhelmed employees on Friday at GCI Group, a public relations firm with offices throughout the United States.

One contract employee, who exchanges mail with a number of company employees, said she received more than 500 messages during the day.

"It hosed my entire day," said the employee, Leigh Anne Varney. "You can't print the words I used. I've never had this happen before."

This hardly is the first virus to attack and spread automatically via e-mail, but it is the first to move from being a controlled, essentially experimental form "into the wild," said Dan Schrader, director of product marketing for Trend Micro, an anti-virus software maker in Cupertino.

The rapid spread of the program was reminiscent of a 1988 program, known as a worm, written by Robert Tappan Morris, then a graduate student in computer science at Cornell University. Morris' program spread through the Internet with remarkable speed, ultimately disabling more than 6,000 computers.

However, the Internet was tiny in 1988 compared with the size of today's network. As a result the potential for the spread of the program is truly vast.

"We haven't seen anything impact this many people on the Internet in a long time," said Schrader. He said that three of his company's customers had temporarily shut down their e-mail servers to delete the infected mail.

Whoever wrote the virus also left the message "W97M -- Melissa." The note said the virus was created by "Kwyjibo," which Trend Micro officials speculated is a reference to the television show "The Simpsons." In an episode of the Simpsons titled "Bart the Genius," Bart Simpson wins a Scrabble game by using the "word" Kwyjibo.

The theory dovetails with a second impact of the virus: Once the virus has infected a computer, it will type a message on the screen when the time of day corresponds to the date (on March 26 it would be 3:26). The message reads: "Twenty-two points, plus triple-word-score, plus 50 points for using all my letters. Game's over. I'm outta here."

Related Sites These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability.

CERT Coordination Center, Carnegie Mellon University: Melissa Macro Virus

Network Associates: Melissa Virus Alert

McAfee Online : Melissa Virus Profile

Trend Micro: Melissa Virus Alert

Sendmail

The Morris Internet Worm: Background

Matt Richtel at mrichtel@nytimes.com welcomes your comments and suggestions.

Tom Atlee * The Co-Intelligence Institute * Oakland, CA http://www.co-intelligence.org * http://www.co-intelligence.org/Y2K.html

-- Jean Wasp (jean@sonic.net), March 29, 1999