Copycat virus follows on Melissa's heels
30 March, 1999 21:49
Network Associates has discovered an e-mail virus similar to the Melissa virus that company officials said they believe is even more dangerous than its predecessor.
Dubbed Papa, the new virus is an Excel virus that spreads in the same manner as Melissa, but sends itself to the first 60 people in a user's address book, compared with 50 for Melissa. In addition, Papa sends an e-mail out every time the virus is activated. Melissa only sends the message the first time it is opened.
This time the subject line claims the message is from "all.net and Fred Cohen." The body of the e-mail, which contains an attached document titled "path.xls," then instructs the user not to disable the macros, which is how the virus is activated.
According to Sal Viveros, group marketing manager for total virus defense at Network Associates, the most disruptive aspect of Papa is the fact that it "pings" an as-yet-undetermined external site to make sure there is an available Internet connection. The practice of pinging is not unusual, but Papa pings so many times that it brings the network down.
The biggest concern from a corporate security standpoint is that any document infected with the virus and then e-mailed to another party is distributed in the same way the Melissa virus is, leaving companies vulnerable to having confidential documents distributed unknowingly.
Viveros believes Papa was written by a different person than the author of Melissa, but that it uses the original virus as a road map. This practice of using similar mechanisms to deliver more destructive payloads is not unusual, noted Viveros, which could mean a string of such similar viruses could be on the way. Variants, however, should be less disruptive because virus-detection vendors know what they are looking for.
The Melissa virus first sprang up in countless e-mail inboxes around the world on Friday, replicating itself to end-user address books and sending an exhaustive list of pornographic Web sites to everyone therein.
According to Viveros, Melissa is the widest spreading virus he has ever seen, hitting approximately 80 per cent of Network Associates' major customers, which amounts to almost 100 companies. A significant number of those were forced to take their e-mail systems down.
The Melissa virus hampered -- and in some cases entirely shut down -- e-mail systems for companies the world over. Microsoft, for example, put a halt to all outgoing e-mails throughout the company on Friday to guard against spreading the virus.
Antivirus software companies have already posted tools on the Web to protect against Melissa.
Trend Micro has announced free Internet gateway software designed to block access to corporate networks by the Melissa virus. The software, called InterScan VirusWall, can be downloaded from http://www.antivirus.com and used for free for 30 days. The software is designed to be installable within 15 minutes and is available for a variety of platforms, including NT, Solaris and HP-UX, Trend Micro said.
DataFellows announced its F-Secure antivirus toolkit, which scans for viruses and protects Windows software from Melissa. A free evaluation copy of F-Secure can be downloaded at http://www.DataFellows.com/
Network Associates has announced four tools for helping companies protect against Melissa. Trial evaluations of its Exchange Scan On-Line for protecting Exchange Servers; GroupShield 4.0.2 for Exchange; WebShield Update; and Exchange Scan Commandline Scanner are available for download for free at http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp/
Command Software Systems, the developer of Command AntiVirus, has also announced for its customers a free detection and disinfection solution for the Melissa virus, available from its Web site at http://www.commandcom.com. Command has also posted a fix for the Papa virus. A free "test drive" of Command AntiVirus, which can be updated with the new virus fixes, is available from the site.