A new copycat virus, which is similar to the widespread "Melissa" virus, has the potential to bring down entire networks instead of simply jamming e-mail servers, an antivirus software vendor said during a press conference today.
According to Sal Viveros, group marketing manager for total virus defense at Network Associates, the new copycat virus, called Papa, is delivered via mailed Microsoft Excel documents instead of the Word documents that carry the Melissa virus.
The Papa virus replicates in the same manner as Melissa. But instead of mailing itself just once to the first 50 people on a person's global e-mail address book, it mails to the first 60 people on multiple address books every time the virus is activated.
It also sends pings, or network queries, to an external site, which can crash corporate networks by eating up large amounts of bandwidth. Virus experts still don't know how the site is selected or whether it is one or several different sites.
According to Viveros, the Papa virus originally appeared on the alt.bondage newsgroup. The Melissa virus, which first appeared on another adult-oriented newsgroup, claimed to offer a list of online pornography sites and passwords for accessing those sites. Viveros said he didn't believe the Papa virus was written by the same person as the Melissa virus. He said it just uses the same mechanism to replicate.
"Hackers use existing viruses as a road map and create more destructive payloads for them," Viveros said. "Now that [the Melissa virus] is out there and successful, we expect to see more varieties on the near horizon."
Shawn Hernan, leader of the vulnerability handling team of the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, said an antivirus tool vendor predicted that 20 to 30 copycats of the Melissa virus will appear by the end of the week.
Like the Melissa virus, the Papa virus, so named for the use of the word in the virus' code, disables macro virus warning features in the documents that are infected. The Melissa virus attacks the registry for Word 97 and changes security settings, which prevents the Word macro warning from appearing. Viveros said it is the first virus to use that disablement strategy.
Viveros noted that the Melissa virus has spread more quickly than any other virus in history partly because infected documents seem to be coming from a known source on victims' e-mail lists. He recommended that users not use macros and not open anything on the desktop that comes through as a mail attachment unless they are sure where it comes from. He also suggested that companies encrypt documents to make sure confidential company information isn't revealed.
Viveros said 80%, or a total of 120, of Security Dynamic's major customers have been affected by the Melissa virus and that a significant number have had to disable their mail servers. He said his company was the first to discover the virus on Friday and alerted the FBI, which is investigating the source of the virus.
The fact that the Melissa virus emerged on a Friday gave corporate users a head start in warning employees by Monday morning. Viveros said some corporate users took down their entire e-mail system to prevent the virus from spreading. "By having them down, there is a lot of communication that is not happening, and it really has wreaked a lot of havoc," Viveros said.
Users of Netscape Communications Corp. browsers can get macro warnings about both viruses if they have security features engaged, but Viveros said he isn't sure if Internet Explorer has the same feature.
"This virus just re-emphasises the fact that companies need an infrastructure in place to deploy new virus updates and upgrades," he said.
Several security analysts have noted that the Melissa virus has a feature in which, when the time matches the date, such as 3:31 today, it inserts text from a Simpsons television episode that aired this past week into any open Word documents. Viveros said there haven't yet been any reports of documents being compromised in this way.