Channel Islands Chapter NCMS
Commentary on Melissa Virus

Commentary:

W97M.Melissa Scares Me

by Bill Uttenweiler
The Aerospace Corporation
Vandenberg AFB, CA


“Melissa” hit my company on Friday, March 26, 1999.  For those of you lucky enough to have been missed, Melissa was a Microsoft (MS) Word 97 Macro virus.  Once the infected e-mail attachment was opened, the virus sent e-mail to the top 50 addresses in the user’s Outlook address book.  In some circumstances, a comment from a Scrabble player was inserted into documents.

According to accounts published in Federal Computer Week newspaper, over 300 companies with 100,000 desktops were affected.  At least one US Navy ship at sea received an infected message.  Also, one computer on DOD’s Secret Internet Protocol Router Network had what was euphemistically termed an “occurrence.”

The Aerospace Corporation uses Lotus Notes, MS Exchange, and MS Mail.  Although we didn’t further propagate it, our servers and desktops were shut down until new anti-virus software could be installed and offending messages could be deleted.  Some of our folks were computerless for over a day and a half.

Melissa scares me.  This virus, for which a New Jersey man has been arrested, didn’t erase hard drives or have other more vicious “payloads.”  But Melissa scares me more than the other viruses and Word macro viruses that plagued us a couple of years ago because the “safe computing” gospel I’ve been preaching would have been useless in protecting my employees.

Here is what I’ve been telling them.
     *   Update your anti-virus software at least every couple of months.
     *   Keep the “TSR” (terminate and stay resident) utility of your anti-virus program running.  If you don’t, be sure to scan e-mail attachments before opening them.
     *   Only open e-mail attachments if you know the sender.
Here is why W97M.Melissa is so scary.
     *   It propagated VERY fast.  Usually viruses only spread as a person with an infected computer sends e-mails to friends or coworkers.  Melissa did this for the user.  Since Personal Distribution Groups are usually at the start of address books, the first 50 addresses could easily be hundreds of people.  As a result, virtually no level of anti-virus update was any protection.  I had been to the Symantec web site on the day before the outbreak and made sure we had “the very latest” set of virus definitions available.  Not good enough.
     *   Since the virus spread so fast and virus definitions were unable to keep ahead of the outbreak, running the “TSR” or scanning the attachments was pointless.
     *   People knew the sender of the infected file.  Normal suspicions were not operative until word of the virus caught up with its spread.
     *   Although the original payload clogged e-mail servers, the next version could be much more destructive.  Already the “Papa” Excel Macro virus, a Melissa variant, sends out “ping” commands, enough of which could crash a server.  Might the next version overwrite the File Allocation Table (FAT) or the entire hard drive with random 1s and 0s?
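
The fan-out described in the first bullet is visible at the mail server even when virus definitions lag behind. The sketch below is an added example, not part of the original article: it flags any sender who addresses 50 or more address-book entries within a short window and reports how many people that reaches once distribution groups are expanded. The log format, group sizes, 5-minute window and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed distribution groups (assumption): group name -> member count.
GROUP_SIZES = {"all-staff": 220, "engineering": 85}
WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_ENTRIES = 50                # the article's "top 50 addresses"

def users(prefix, n):
    """Build n constructed recipient addresses."""
    return ",".join(f"{prefix}{i}@corp.example" for i in range(n))

# Constructed log lines (assumed format): time|sender|comma-separated recipients
SAMPLE = [
    "1999-03-26 09:00:00|carol@corp.example|" + users("c", 30),
    "1999-03-26 09:02:10|alice@corp.example|all-staff,engineering," + users("a", 48),
    "1999-03-26 09:30:00|carol@corp.example|" + users("d", 30),
] + [f"1999-03-26 10:00:{s:02d}|eve@corp.example|" + users(f"e{s}", 10)
     for s in range(0, 50, 10)]

def parse(line):
    ts, sender, rcpts = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sender, rcpts.split(",")

def reach(rcpts):
    """People reached once groups expand; unknown names count as one person."""
    return sum(GROUP_SIZES.get(r, 1) for r in rcpts)

def find_bursts(lines):
    """Return {sender: (first alert time, entries in window, people reached)}."""
    recent = defaultdict(deque)   # sender -> (time, entries, people) per message
    alerts = {}
    for line in lines:
        ts, sender, rcpts = parse(line)
        q = recent[sender]
        q.append((ts, len(rcpts), reach(rcpts)))
        while ts - q[0][0] > WINDOW:      # drop messages older than the window
            q.popleft()
        entries = sum(e for _, e, _ in q)
        people = sum(p for _, _, p in q)
        if entries >= MAX_ENTRIES:
            alerts.setdefault(sender, (ts, entries, people))
    return alerts

if __name__ == "__main__":
    for sender, (ts, entries, people) in find_bursts(SAMPLE).items():
        print(f"{ts} {sender}: {entries} entries, about {people} people")
```

In the sample, one message to 50 entries reaches about 353 people because two of the entries are groups, a sender who splits 50 entries across five small messages is still caught, and two 30-entry mailings half an hour apart are not flagged.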

Computer virus problems at my small office had become only a small part of my concerns over the last few years.  W97M.Melissa makes me fear they’ve become prominent concerns again.

[Webmaster's note:  This article was originally written in April 1999 for the VSAC News and NCMS Channel Islands News.]


All Rights Reserved.  Copyright © 2000 by Bill Uttenweiler.
Last Updated:  April 6, 2000.