Disruptive E-Mail Virus Whips Around Internet
The most prolific computer virus in memory spread swiftly Monday as computer security experts around the globe worked to contain a new software contagion that exploits a soft spot between modern technology and human gullibility.
By late Monday, the virus known as Melissa had infected at least 100,000 computers at hundreds of organizations, according to reports compiled by the Computer Emergency Response Team, a federally funded security group at Carnegie-Mellon University. Experts at the institution said the number of unreported infections is probably considerably higher.
Secretly stowed in files attached to e-mail, the virus replicates itself by firing off copies to up to 50 new targets combed from the infected user’s e-mail address book. More disruptive than destructive, the virus typically multiplies without the user’s knowledge, and infects computers that use recent versions of Microsoft Corp.’s Word software and its Outlook e-mail program.
Giant companies from Lucent Technologies to Lockheed-Martin Corp. were forced to shut down their e-mail systems temporarily to stamp out the virus, which was first reported last Friday but which gained new momentum on Monday as millions of computer users returned to work and booted up their machines. Even such high-tech giants as Microsoft Corp. and Intel Corp. were affected.
“It appears to be having a bigger impact today than over the weekend,” said Shawn Hernan, leader of the vulnerability-handling team at CERT. “We’re a little unsure as to how this fire will be put out.”
Hernan and other experts said that Melissa--so dubbed because the name appears in its source code--is the most powerful example to date of how quickly corrupted software can spread in the Internet age. E-mail is a particularly effective vehicle for viruses because it is by far the Net’s most popular application.
FBI officials said they consider Melissa a serious threat and noted that willfully unleashing a computer virus is a felony punishable by up to 10 years in prison and a $250,000 fine.
“We are treating this with the utmost seriousness and will continue to investigate until we get to the origin,” Michael A. Vatis, head of the FBI’s National Infrastructure Protection Center, said at a news briefing in Washington.
Several copycat variants of the virus surfaced Monday, including one that uses attached Microsoft Excel spreadsheet files. Meanwhile, thousands of computer users downloaded digital vaccinations available at the Web sites of leading anti-virus companies, such as Network Associates and Symantec Corp.
Experts said that, in most cases, damage to infected computers is minimal because the virus is not programmed to harm PCs as much as it is to breed and multiply.
Still, the virus caused headaches for everyone, from isolated Internet users to Fortune 500 companies.
Lucent Blocks E-Mail to Combat Virus
Lucent Technologies, a telephone-equipment company, was among the big companies hit worst by the virus. After two employees received infected e-mail Friday, the company quickly blocked incoming and outgoing e-mail, electronically stranding as many as two-thirds of its 143,000 employees.
By late Monday, Lucent’s computers with the Microsoft mail applications were still disabled, although some laboratories with Unix-based operating systems and mail were allowed to communicate.
“It’s the worst virus I’ve seen so far, and I’ve been here a lot of years,” said John Skalko, a company spokesman who resorted to faxing a news release about a $1-billion contract instead of e-mailing it.
One of the first signs of infection at many companies was a surge in the volume of e-mail coursing through data lines because the virus spreads by triggering mass e-mailings from infected machines.
After Lockheed-Martin discovered a bulge in its e-mail late Friday, the company blocked messages and continued to be shut off from outside networks late Monday, spokeswoman Elaine Hinsdale said.
Unlike countless other viruses that are discovered each week and stamped out before they spread, Melissa multiplied faster than computer security forces could keep up with it.
Experts said that is largely because Melissa was cleverly crafted to prey on both technological and human vulnerabilities.
The virus, which experts believe originated in Europe, comes disguised as an intriguing e-mail sent by a friend or associate. “Here’s that document you asked for,” the infected file reads, “don’t show anyone else ;-)”.
The virus is harbored in files that are attached to e-mail and opened using Microsoft Word. Once a user activates the attachment, the virus essentially directs Outlook, Microsoft’s e-mail program, to make copies of the infected file and pass it on to the first 50 entries in the unsuspecting computer user’s e-mail address book.
“There’s no rocket science in the spread of this virus,” said Srivats Sampath, a vice president at Santa Clara-based Network Associates. “It plays on users’ psyches. It teases you into opening the file, and the minute you do, the damage is done.”
Sensitive Files Can Be Dispersed Across Net
The text of the infected attachment is a list of pornographic Web sites. But under certain conditions the virus can also send out copies of Microsoft Word documents opened after a computer has been infected, potentially dispersing computer users’ sensitive files across the Net.
Another quirk of the virus causes it to spit out a stream of strange words in the middle of an open document when the number of minutes past the hour equals the day of the month.
Such programming flourishes are typical of the virus writers who occupy the computer underground, competing for notoriety among their largely adolescent peers.
Experts said they expect Melissa to be contained by the end of the week, as anti-virus companies distribute upgrades that are capable of detecting and removing both Melissa and related viruses.
Security experts urged users not to open attached files that seem suspicious, and to disable the “macro” function in Microsoft Word. Detailed information about the virus and ways to guard against it are available at https://www.cert.org/advisories
*
Times staff writer Eric Lichtblau contributed to this story.
