Korova Multimedia
World Wide Web
http://www.korova.com
http://www.chromejob.com

29 March 1999
Updated 31 March 1999, 01 April 1999, 02 April 1999, 05 April 1999, 01 August 2001

Start Button

Hoax du Jour: The Word Macro Spam 'Bot

"Measure by measure, drop by drop
And pound for pound we're taking stock
Of all the treasures still unlocked…"
Echo and the Bunnymen, "Never Stop"

The dust has hardly settled on Network Associates' (NAI) charge onto the Internet, heralding danger to the entire 'Net with the WinNT worm, "Remote Explorer." (See my previous "Hoax du Jour," Remote Explorer of My Eye.) NAI was at it again last Friday, beating the bushes (and media reporters) with the hysterical news that a malicious "e-mail virus" was threatening the computing world.

    Epidemic virus infects corporate e-mail
    'Melissa' virus wreaks havoc with company e-mail.
    March 26, 1999 6:07 PM PT; updated 6:42 PM PT

    "The proliferation of this virus is something we've never seen before," said Srivats Sampath, a general manager at Network Associates. He said that 60,000 people at one company had been affected. He refused to identify the company.

    Mary Jo Foley, Sm@rt Reseller
    Lisa M. Bowman, ZDNN

The surprise is that the virus, "Melissa" ("W97m/Melissa"), is actually no hoax. In my opinion, it's an inspired Word template macro virus ... with a very clever payload.

Last Friday, March 26, 1999, Network Associates (formerly McAfee Associates) informed MSNBC, ZDNET, and other media outlets of an e-mail attachment virus which was attacking Microsoft, Intel, and various other unnamed corporations. Allegedly, Microsoft shut off its mail servers to prevent a complete "denial of service" shutdown of their Exchange servers, and to halt further spread of the virus. Waggener Edstrom, Microsoft's PR firm, also experienced problems.
TrendMicro and Symantec also jumped into the fray, confirming that numerous contacts had been experiencing overloads of Exchange mail servers.

    Email virus spreading rapidly
    March 26, 1999, 5:20 PM PT

    "We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at TrendMicro. "It's spreading extremely quickly. Twenty major corporate sites have called us." ... Network Associates estimated the virus has already hit hundreds of thousands of computers.

    By Stephen Shankland, staff writer, CNET News.com

By Saturday, March 27, CERT (Carnegie Mellon's Department of Defense-funded computer security team, the Computer Emergency Response Team) had identified the virus, and developed a fix. CERT issued an advisory about the virus, only the second advisory the team has issued for a virus since it was founded ten years ago.

    Experts at Carnegie Mellon University warn of new computer virus
    March 27, 1999 4:58 PM EST

    CERT first heard of the virus Friday afternoon and its members worked through the night to analyze the virus and develop a fix, CERT manager Katherine Fithen said. "We're getting so many reports from across the world, that we know this is going to be a huge problem come Monday," Fithen said.

    The Associated Press, on CNN.com

Katherine Fithen couldn't confirm in her interview if she knew of government sites that had been hit. No problem! The Department of Energy's CIAC bulletin about "Melissa" on Saturday openly acknowledged that several DOE sites had detected the virus on their systems.

    "A new Word 97 macro virus named W97M.Melissa has been detected at multiple DOE sites and is known to be spreading widely."

    CIAC Information Bulletin J-037: W97M.Melissa Word Macro Virus
    March 27, 1999 9:00 AM PT

    Risk of infection is high. This virus is spreading widely within and without of the DOE complex. The risk of damage to your system is low because most users do not have macros in files and would be alerted by Word's macro detector. The risk of lost productivity and lost mail messages is high as mail servers may have to be shut down and purged of infected mail messages.

WHERE DO YOU WANT TO GO TODAY?

As documented in the CERT and CIAC alerts, "Melissa" isn't a vicious virus. In fact, other than its highly unusual "payload," it's not nearly as destructive as other file attachment macro viruses and Trojan programs. What may not be made startlingly clear in the frantic news reports is that "Melissa" ONLY works in Word 97 or 2000. Systems WITHOUT Outlook may still be infected, but cannot automagically send the virus.

"Melissa" doesn't exploit any new vulnerabilities. In fact, according to Stephen Shankland's article on CNET, "Melissa" is not unlike a buggy little virus called "Share Fun" that emerged in 1997. Alas, "Melissa" is far from buggy. Though Microsoft identified the security vulnerability in Word attachments sent via e-mail several months ago, apparently many sites have not implemented the free Word 97 Template Security Patch, WD97SP.EXE. This is what has allowed Melissa to run rampant among corporate sites that depend on the combination of Word, Outlook and Exchange servers.

Based on a day's worth of crash-course research, here's my summary of "Melissa's" modus operandi. The user receives an e-mail, usually from a known contact:

    SUBJ: Important Message From...

    Here is that document you asked for ... don't show anyone else ;-)

The subject line, "Important message from..." ends with the sender's name. Pretty convincing, eh? The attached Word file, LIST.DOC in most instances, contains a list of pornographic Web sites, and the "Melissa" macro code. The macro attaches its Visual Basic for Applications (VBA) module to the NORMAL.DOT template, and then blocks access to Word's Tools | Macro toolbar [source: CIAC, WOODY'S OFFICE WATCH newsletter].
It then disables some Word settings that can further interfere with macro viruses: "Confirm conversions at open," "Macro virus protection," and "Prompt to save Normal template" [source: CIAC].

Now active on the system, "Melissa" searches the Registry for a key indicating that "Melissa" has visited before. Finding none, it adds one, "HKEY_Current_User\Software\Microsoft\Office\Melissa?" with the value "... by Kwyjibo."

The macro then ascertains the user's name from Application.UserName, which users enter into Word's profile, and creates an e-mail message addressed to the first 50 contacts listed in the user's Outlook address book (NOT Outlook Express). With this information, it sends a copy of the message, now identified as "Important message from {Application.UserName}," with the Word document attached.

A scary note from WOODY'S OFFICE WATCH newsletter (echoed in the CIAC bulletin): "Melissa" sends itself to 50 contacts from EACH of the address and contact lists you have access to in Outlook. Translation: your infection could result in 50, or 100, or 150, or 200 messages leaving with your name as the sender, depending on your Exchange server configuration. Eek!

Finally, it infects NORMAL.DOT by attaching itself to either the Document_Open or Document_Close commands, so that it can infect every Word document that a user works on subsequently.

Bonus payload: if the user happens to have a Word document open at a time when the hours and minutes are equivalent to the date (say, 9:01 on April 1), it will copy a Bart Simpson quote into the file: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Cute, eh?

Points to be determined later:

* At this date, Outlook Express and other mail readers ARE NOT VULNERABLE.
* User intervention is REQUIRED, namely by opening the Word attachment. Some mail programs may be configured to automatically open attachments. This would be BAD.
* Though this virus is spread primarily via e-mail, an infected Word file may be transported by any other means (floppy, FTP, CD-ROM, Web site, etc.). The virus is just as likely to infect and send itself out via Outlook from a file acquired by means other than e-mail.
* It hasn't been specified what danger exists for users of Word 98 for Macintosh, since Macs don't have a Registry consistent with Windows. It may be that Mac users can harbor the virus in infected Word documents.

"IT'S AN E-MAIL VIRUS! IT'S A WORM!" NO ... IT'S A SPAM 'BOT.

"Security experts" are debating whether "Melissa" is a new, horribly fiendish macro virus, or a very clever network worm. (Antivirus developers always have a stable full of "experts" whom they wind up like so many Chatty Cathys for an appreciative audience of reporters.) Again, see my previous column, "Remote Explorer of My Eye," for a discussion of Internet worms. Apparently even the macro's author was conscious of this issue; the macro contains these gleeful comments in its VBA code:

    'WORD/Melissa written by Kwyjibo
    'Works in both Word 2000 and Word 97
    'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
    'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

By Sunday, I was engaging in a playful argument with two gentlemen far more qualified than I to analyze virus alerts, Rob Rosenberger (webmaster of the COMPUTER VIRUS MYTHS home page) and George Smith (editor of THE CRYPT NEWSLETTER, and author of THE VIRUS CREATION LABS). Between us, we've discussed whether this is possibly the work of a spammer promoting a series of adult Web sites ... or if the URLs are simply "sucker bait," inserted to entice users to open the document, and perhaps manually redistribute it to friends.

This last point gave me an idea. Like a worm, this virus has had such success at some sites that mail servers have been experiencing very real "denial of service" crises.
Unlike a worm, the virus doesn't communicate with other "segments" on connected computers or servers. Nor is this another "e-mail virus" that "Good Times-style" hoaxes purport to warn us about -- with a very few exceptions, you still can't get a virus just by reading a message.

"Melissa" does not represent a major breakthrough in virus authoring. But IT DOES represent a marvelous evolution in the realm of chain e-mail and "Forwardables." As I discuss in my "e-v-mail" page, "Forwardables" are messages that rely on the USER'S faulty sense of skepticism, and inclination to send the e-mail to as many people as possible. But until now, manual intervention has always been required, in the form of a user falling victim to the embedded "thought virus" and clicking a FORWARD button. This is clearly not the case with "Melissa." Once the Word file has been opened, the chain e-mail, or spam, is sent from the user's computer without any manual intervention. ... "Melissa" may well be the first heuristic, autonomic, self-regenerating SPAM 'BOT.

"OPEN THE POD BAY DOORS, PLEASE, HAL."

In more ways than one, "Melissa" reminds me of the HAL-9000 super-computer in Stanley Kubrick's masterpiece, 2001: A SPACE ODYSSEY. HAL, as you may recall, was caught in a deception by the Discovery's mission commander, Dave Bowman, during an informal chat. Reacting quickly, HAL fabricated a false warning about a component of the ship's communications system failing within 72 hours ... unless the ship's crew conducted an EVA to retrieve and replace the AE-35 unit. When they did so, and found nothing wrong with it, they considered HAL at fault. During a subsequent repair attempt, HAL murdered Frank Poole (the ship's second in command), shut down the life support systems of three hibernating survey team members, and trapped Bowman outside the ship. All while professing unrepentant devotion to the true mission of the Discovery, which HAL had been ordered to keep secret from the crew.

Like Dr. Heywood Floyd's fountain pen floating inside the Space Clipper cabin, and the nuclear satellites orbiting the earth outside, HAL was a symbolic heir to the lethal bone that Moonwatcher hurled to the heavens after killing a rival man-ape. Like that bone (and the pen, and the bombs), HAL was an artifact which carried out man's desires to acquire and protect resources, information. Like HAL, "Melissa" seeks out secret information and protected resources, and then carries out its own ironic agenda.

Unsolicited commercial e-mail, or e-j-mail (as I called it almost three years ago), is a deception that plays on irony. I receive e-j-mail daily, almost hourly, and I have yet to receive a message which is entirely candid about its origin and purpose. Generally, e-j-mail arrives with missives like "This is in response to your inquiry," or "You are on this list because you expressed interest...." Rarely are the mail headers in e-j-mail accurate. I'm sure that "Melissa's" LIST.DOC is no different from dozens of other underwhelming adult spams that I receive regularly.

"Melissa" goes further than most e-j-mail, by removing any human intervention in its mission to deliver its payload to as many users as possible. It also spoofs the identity of the person who's been infected. As a "spam 'bot," it is almost ideally suited to its purpose -- if its true purpose is only to promote the sites listed in LIST.DOC ... which is doubtful. George Smith cautioned me that the porn URLs may only be "sucker bait" to entice users to open the document. This is an old trick, a device to deliver the virus. In such cases, the propagation of the virus is the ultimate goal. I concur. "Melissa" may be a "dry run" before a truly malicious version is unleashed. (Already, a copy-cat version called "Papa" has been reported.) Like HAL-9000 in the film, "Melissa" is a tool created by man, now self-reliant and proceeding on its own.
Like HAL, it carries out its mission without supervision, with selfless abandon, completely independent of its creator. The author's intentions are, at the moment, a complete mystery. Like HAL, "Melissa" cannot be reasoned with. Only "disconnected."

PROTECTING YOURSELF:
-- FROM "MELISSA"
-- FROM ANTIVIRAL HYSTERIA

Taking the podium and making an arrogant prediction ... I have no doubt that various "Melissa" warnings will mutate into reconstituted versions of "Good Times." No doubt. Mind you, it's not a matter of "who," or a matter of "how." Only a matter of "when." Last Friday, I received a warning about the "Happy99" file attachment ... a warning which fudged the details, and warned against opening the e-mail itself. I believe that the same will happen to "Melissa" before the week is out. By this morning, for example, CNN correspondents had been confusing technical details of "Melissa's" M.O. and warning readers who find the telltale e-mail, "don't open it."

In the meantime, here are my first, best suggestions for anyone who is wary of "Melissa." Like all preventative cures, these steps require effort. They're worth it, trust me.

1. If you receive an e-mail message like that described above, DON'T open the attachment. (Well, duh.)

2. Don't open Word attachments and enable macros. Enable "Macro Virus Protection" (see below) and click DISABLE MACROS when you open Word attachments.

3. As always, treat all suspicious file attachments with caution. When in doubt, delete it, and ask the sender what it was.

4. Please resist the impulse to send out your own warning about this. The news is being spread just fine, thank you. Share the link to this page instead. (Don't worry about me, I can handle the bandwidth.)

5. Several antivirus vendors have already posted vaccines and recipes for protecting yourself from "Melissa." Please review their sites. Again, share the links.
   McAfee, Network Associates
   Symantec
   Trend Micro

6. If you're concerned about Word Template Macro viruses, download and install Microsoft's security patch on all your systems:
   Review Microsoft's WD97SP.EXE page.
   Install the Office 97 Service Release 2 (SR-2), if you haven't.
   Install the security patch.
   In Word, ensure that the Tools | Options | General | Macro virus protection setting is CHECKED. When you open a suspicious document, you'll be prompted about macros; click the DISABLE MACROS button.

7. Follow the CIAC's recipe for protecting Word's main template, NORMAL.DOT, from insidious macros:

   To password protect the Normal.dot file in Word 97, perform these steps:
   A. Start Word.
   B. Choose the Tools, Macro, Visual Basic Editor command.
   C. In the Project window of the Visual Basic Editor, click on Normal.
   D. Choose the Tools, Normal Properties command, Protection tab.
   E. Check the Lock Project for Viewing check box and type in a password twice.
   F. Close the dialog box, close the Visual Basic editor.
   G. Quit Word.
   The next time you start Word, the normal.dot template will be protected.
   WARNING: If you ever have to type in the password to make changes to the normal.dot file, be aware that the file remains unprotected until you quit Word and restart it.

8. If you've made it this far, still paranoid, try my very cool method to protect yourself from unleashing Word macro viruses from Outlook e-mail messages. That's right, folks, open Word documents, in Outlook, with total confidence! Read on....

   Remap the default action for Word documents to Word 97 Viewer (tested in Windows NT):
   A. Download Microsoft's Word 97 viewer for Windows 95, 98 and NT. This freeware utility displays and prints Word documents WITHOUT running any macros.
   B. Install the Word 97 Viewer. If you already have Word 97 installed, Setup will warn you that making the viewer the DEFAULT application for Word files will interfere with your ability to use Word as your e-mail editor (WordMail). Select the option to open Word files in Word by default. Complete the Word Viewer installation.
   C. In Explorer, open the Options | File Types tab.
   D. Locate the "Microsoft Word Document" registered file type.
   E. Here's where you'll need to exercise due care. Click the EDIT button.
   F. You will probably see the "Open" command in bold, indicating that it is the default action. Identify the "WordView" command. Highlight that command, and click the SET DEFAULT button. Click OKAY as necessary to complete your changes.
   G. Now, when you right-click on a Word file, "Open" is not the default action. Opening the file in the Word 97 Viewer is. Select Open manually to edit Word files.
   H. In Outlook 98, double-clicking (or opening) a Word file in an e-mail message will launch the file in the Word 97 viewer, not Word.

9. In most normal contexts (say, double-clicking a Word file in Explorer), you can hold down the SHIFT key to stop any macros from running. This also works when you're creating a new document from a template. Just keep holding the SHIFT key down until the document displays.

   For some modicum of protection opening files with Word, you can modify the "Open" command to prevent running the usual "auto macros." Since some Word macro viruses (mind you, not all of them) will run themselves within one of the automatic macros (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit), you can open documents and avoid any functions that are associated with the macros. Again, a certain level of Windows expertise and caution is required to implement this hack.
   A. Follow the steps above for remapping Word files to the Word 97 Viewer, up to Step 8.E.
   B. Identify the "Open" command in bold, and click the EDIT button.
   C. You should see the following text:
      "C:\Program Files\Microsoft Office\Office\winword.exe" /n
   D. Add the switch /m to this line so that it reads
      "C:\Program Files\Microsoft Office\Office\winword.exe" /n /m

   For more information on preventing automatic macros from running, ask the annoyware Word Assistant "Control what happens when you start Microsoft Word?", or search in the Visual Basic help for the topic "Auto Macros."

In closing, I'd like to ask you once more NOT to take it upon yourself to warn all your friends about "Melissa." If someone you know WARNS YOU, send them a link to one of the antivirus sites, above, or the link to this page. Also, read my "e-v-mail" page, and consider sending Aaron Lynch's CC: Contagion Correction e-mail as a reply.

UPDATE: MARCH 31, 1999

ON THE TRAIL OF A CULPRIT

As predicted, the news media are running away with themselves. George Smith (The Crypt Newsletter) found the New York Times asserting that, though there was no evidence, there was THE POSSIBILITY that "Melissa" might launch its attacks from mail clients other than Outlook. That's about as reasonable as asserting, "I have no evidence that there is a Santa Claus, but I suspect that he's probably living right up there on the North Pole." Uh-huh.

CNET reported on Monday that Network Associates (NAI) had tracked the original posting of LIST.DOC to the alt.sex newsgroup from an AOL address:

    Melissa virus launch identified
    By Stephen Shankland
    Staff Writer, CNET News.com
    March 29, 1999, 6:35 p.m. PT

    A poster called "Sky Roket" launched the Melissa virus into the wilds via the newsgroup alt.sex early Friday morning, antivirus company Network Associates said today. In addition, a copycat of Melissa called "Papa" was first posted in the alt.bondage newsgroup, said Sal Viveros, group marketing manager at Network Associates. After Network Associates heard about Melissa from a customer, its newsgroup-sniffing software was able to track down the point at which the virus first emerged, Viveros said.
    The company knows it was the first insertion into the world because the original file, "list.doc," had a creation date just a bit younger than the time it was inserted. ... Sky Roket apparently has posted as far back as 1997 to other sex-related newsgroups with virus-infected files named things like "complete list of adult sites" and "complete list of cracked Web sites."

True to form, the Network Associates spokesman contended that this virus writer "was very clever." Well, of course. No antivirus developer or information security consultant wants to openly ADMIT that the Internet is being severely threatened by some boob with a second-hand copy of VBA for Dummies, right?? I agree with NAI, on this one. The writer was certainly clever enough ... to change the computer's time to falsify the "creation date" to a predetermined time just before the file was "inserted" Friday morning.

By Tuesday morning, WIRED NEWS had identified that the boob, er, very clever writer, was an AOL user in Washington. (Perhaps it was a mistake when Trend Micro pinpointed the "launch point" in Western Europe?)

    Melissa, Spawned by Spam
    by Leander Kahney and Polly Sprenger
    3:00 a.m. 30.Mar.99.PST

    The admitted owner of the AOL Sky Roket account is Scott Steinmetz, a civil engineer from Lynwood, Washington, who dabbles in pyrotechnic displays. Steinmetz said he's not a programmer, and doesn't use the account for anything except Internet access for his family. ... Sunil Paul, CEO of Bright Light Technologies, an anti-spam service based in San Francisco, said it was the first virus he had encountered that spams its victims. "I doubt it's a new form of spam," Paul said. "But I think someone in the future might use something like this to spread product info. They could call it viral marketing."

Poor Scott. In a CNET article later Tuesday, he expressed bewilderment at how his account was openly fingered as the source ... apparently without anyone even checking with him.
"'I am a little jarred about the lack of security that AOL has in place, and am now going to close my AOL account,' Scott Steinmetz said in an email. ... 'I am not the creator of the virus, nor did I have any part in the distribution of the virus,' Steinmetz said." For their part, AOL was able to comment on his account,... before refusing to comment. "'We are aggressively looking into it,' said AOL spokeswoman Wendy Goldberg. 'There are a number of variables that need to be further investigated before we can make a determination about whether it was an unwitting propagation.'" If Goldberg's name sounds familar, in reference to a disclosure of a private account, it's no coincidence. Wendy was the regular spokesperson in the debacle in January, 1998, when the online service had allegedly disclosed the identity of SCPO Timothy McVeigh to a Navy investigator, in violation of AOL's own privacy policies. AOL came out smelling bad on that one. As reported by Janet Kornblum, "To complicate matters, last night AOL canceled McVeigh's account, accusing him of writing chain letters, said his mother, Teri McVeigh." The supposed chain letters appeared to be his e-mail writing campaign to gain support for being tarred and feathered by the Navy based on information acquired illegally from AOL. Cancel his account? It's the worst thing they could do. (Ahem. Last year, SCPO Tim McVeigh. This year, Scott Steinmetz. Does anyone at AOL remember Richard Jewell?) Q: ARE WE NOT MACRO? The news the past couple of days has been unsettling, not least for its lack of skepticism. In ALL the reports that I've been reading, I don't see any really hard questions being asked. I THOUGHT that the FBI was on the case (assisted by Richard Smith, of Phar Lap Software, who may fancy himself a Special Agent At Large, sort of like Elvis), but I suppose NAI is far more qualified to practice law enforcement. How they presumed to be responsible for fingering Mr. Steinmetz in public, I just can't imagine. 
In the military sector, "the beach is secured" -- the U.S. Marine Corps saved their servers through a heroic server shutdown maneuver ("Semper Vi'?").

Finally (at least for today), Trend Micro took a swan dive off the shallow end with the assertion that this is not just a very clever virus (the virus, that is, not the writer) ... it's mutating. M-u-t-a-t-i-n-g. As in Darwin. As in "natural selection," and The Origin of Species. Read this:

    'Melissa' mutates, becomes resistant to patch
    March 30, 1999 11:32 a.m. EST
    by Kathleen Ohlson and Ann Harrison

    (IDG) -- As corporate customers scramble to protect themselves from the "Melissa" virus, it has begun to mutate and defeat a widely used patch, one industry watcher said. In its early going, the virus could be known by its distinctive subject header, which read "Important Message From ..." But now a variant of the virus leaves the subject line blank, according to Dan Schrader, director of product marketing at Trend Micro Inc., a Cupertino, Calif., developer of virus protection tools. Schrader said the patch, issued by www.sendmail.com, "very quickly becomes invalid for companies depending on that filtering technology." The variant, called W97M_MELISSA.A, keeps the sendmail patch from detecting, blocking or removing the mutated virus. Schrader said he expects to see more new versions of the Melissa virus appear to corrupt mail files in any environment. He suggested that companies contact their antivirus vendors to make sure their tools can scan for the Melissa variant.

It bears noting that "the patch" that Sendmail.com provides does little more than filter on the SAME SUBJECT LINE that was initially reported last Friday. Easy setup, easy obsolescence. Rough translation: Eric and his Sendmail gang provide a patch with a guaranteed effective lifetime of maybe 2 hours [virus hackers would immediately change the e-mail characteristics to fly under the radar of the patch in no time].
Virus writers see this, and change the e-mail, not to "keep the sendmail patch from detecting," but simply to avoid detection. Later [Monday morning], infected users send out various [infected] documents in new, unique e-mail, which of course are likewise not detected by the sendmail patch.

Now, I should think that a golden rule of sensible technical journalism is NEVER, EVER refer to the software as an entity. Programs (viruses) are NOT organisms. HAL-9000 was a fictional construct. The idea of a macro virus "mutating," like the HIV virus, is absurd. (No joke: a news piece early this week compared "Melissa" to AIDS.) A macro virus can no sooner mutate than I can turn myself into a chocolate milkshake. More likely, explained George Smith, is that anonymous twiddlers will play with the macro, or the e-mail containing the contagious Word file. Again, EASY. There's nothing stopping 100 wanna-be's from re-sending "Melissa" in different messages. There's nothing "clever" about it, folks.

For myself, I don't doubt that once a user's NORMAL.DOT Word template has been infected, subsequent Word files are infected. The same user can e-mail an infected document, in all new messages, all day long. Here's how easy it is:

    SUBJ: Wednesday meeting: proposal

    Ms. Doolittle, here's the consulting spec for your meeting Wednesday. Keep it simple. Stick to business, weather and everyone's health. If you make any last minute changes, e-mail me the revision by COB Friday. Best of luck.
    <> Pickering

Stay tuned, folks. This can only get better. Rob Rosenberger (Computer Virus Myths home page) recommended making popcorn. Me, I'm ordering pizza and cola, and stocking up on extra batteries for my Skepticism Meter.

UPDATE: 01 APRIL 1999

Well folks, the unthinkable occurred. I was struck by "Melissa." At around 10:30 AM PT, as I was returning to my desk at our Northern California software development company, my alphamnemonic pager went off. Beeeeep!
"Dick," an account executive in our Chicago office, had sent an "Important message." "Here is that document you asked for ... dont' show anyone else. ;-)." I thought it was a joke. (It IS April Fool's day.) I took two steps. Beeeeep! I pulled my pager out of its holster -- Beeeeep! Beeeeep! I had 2, then 3, more messages. Sure enough, it was a classic "Melissa" spam, which had gone out to the first fifty addresses in each of Dick's contact lists, mostly company-wide distribution lists like "!WW CEO Staff." Somehow his huge distribution list of distribution lists included "Pager David Spalding." Seconds later, our Marketing VP sent a copy, to the same global lists. Then a QA specialist in Development. ... By the time I'd walked 100' to my desktop system, I had 6-7 messages crammed into my pager. If you understand how "Melissa" works, then you can imagine that within a minute of Dick innocently opening an infected Word document, his system had spammed most of the company, half a dozen people had opened the message, and opened his Word file expecting it to be urgent news. As I had performed all the preventative measures that I recommended on March 29, I opened the document with impunity and found that it wasn't urgent, but it sure was important. It was the infected document that a customer had mailed to Dick, an in-depth contract proposal. I predicted that "Melissa" would change form a little bit, and this particular cycle of spam proved it. Dick's spam DIDN'T contain a document called LIST.DOC, nor any URLs to porn sites. The infected "carrier" which delivered the macro virus was a customer's document. You can imagine the embarrassment. If other companies are like our little firm, there are a lot of embarrassed business people around. Our IT department sent messages to EVERYONE early Monday, specifying how to upgrade both Word (with the Word 97 Template Macro security patch), and our standard antivirus software. 
(In this week alone, my AV software has quite admirably caught, captured, and eliminated both the Happy99.EXE Trojan (infected with the W32/Ska virus), and documents carrying "W97m/Melissa.") Dick and others identified themselves as those who HADN'T taken the pill, and DIDN'T heed the warnings against suspect Word documents. In a way, "Melissa" serves the purpose of tagging those who are not keeping up to date on safe computing issues that are making headlines. Not exactly a "career-enhancing reputation" to earn. I can envision a corporate downsizer asking, "Where's that list from the 'Melissa' crisis in March?"

I e-mailed Dick directly to jab a pesky finger in his chest, and suggest ways in which he could GENTLY advise his "contact" of his calamity. When he called me, he was aghast, and amused. Turns out, a client with one of Dick's biggest accounts had called him up during lunch.

    Client: "Did you get my e-mail?"
    Dick: Uh....
    "Have you reviewed the proposal?"
    Well, um....
    "While I'm on the phone, would you open it please? I want to ask you something."
    Okay.
    "Now go to the part --"
    Holy shinola!
    "What?"
    What the f--?! You've given me that macro virus!
    "Oh. I did? I got that yesterday, I thought I cleaned my system...."

Meanwhile, back in Novato, David Spalding is walking past the office kitchen when his pager goes off.... Beeeeep!

"NOT BLOODY LIKELY...."

Returning again to our hypothetical pal Eliza, if she had opened the message that Pickering sent her earlier, she would almost instantly send out the following:

    SUBJ: Important Message From e.doolittle

    Here is that document you asked for ... don't show anyone else ;-)<>

And there you have it. "Melissa" is reborn in a new document which has nothing to do with adult web sites. Arguments that Melissa could be used as "viral marketing" tend to dissipate unless the marketing information were inserted directly in the e-mail message (and some enticement ensured that the Word file will be opened). Is the week out yet?
Has someone reported that "Melissa" is an "e-mail virus" yet?

UPDATE: 02 APRIL 1999

Saved by the bell. On Monday, I predicted that someone, somewhere, would confuse "Melissa" (a Word macro virus that is spread chiefly via e-mail) with "Good Times" (a hoax that purported that an e-mail message contained a virus). As someone told George Smith (The Crypt Newsletter), the story about the virus IS the virus. It's true about "Good Times," and it's true about "Melissa."

When I found myself with a dozen copies of "Melissa"-infected files, I couldn't help but take precautions, and then OPEN IT (in Word Viewer). I know, I've been discouraging everybody and his kid sister from doing that, but I succumbed to "infectious curiosity," and took a peek. As I said, I was struck by "Melissa."

Researching today's news, I found the following paragraphs from Reuters that would seem to parrot the modus operandi of "Good Times." (Emphasis has been added.)

Melissa tracked to user name 'Sky Roket'
March 31, 1999; Web posted at: 7:40 p.m. EST (0040 GMT)
SAN FRANCISCO (Reuters) ... The virus used a high-powered automation technology built into most personal computers. Often disguised as a message from a friend or colleague, Melissa took the form of a simple e-mail sent to unsuspecting users, saying "Important message from...." But when users opened the message, it caused a flood of new e-mails to be sent over the Internet from the reader's own online address book.

Using the powerful "macro" automation software built into millions of computers using Microsoft's Windows operating system, the macro automatically triggered up to 50 new e-mails.

I'm not sure that I want to touch the vague inaccuracy of the second paragraph, but I include it here to indicate how far afield Reuters has gone. "Melissa" uses the VBA macro language built into Microsoft Office, not Microsoft Windows, to launch an attack from Word and Outlook. "Millions of computers using Windows" don't necessarily have Office installed.
Anyway, I don't think there's any mistaking the fudge factor in the first paragraph. As we've learned together, class, the virus is contained in a Word file, and can only be unleashed by opening that file. And we have also learned that the virus uses Outlook (only) to send messages, not any "online address book." (Federal Computer Week (IDG) also promoted this ambiguity.) Many careless writers and editors have omitted this detail. I all but guarantee that someone has misinterpreted this as a result. Do you think that Reuters has confused "Melissa" with the old "Good Times" hoax? You tell me.

"AND NOW, HERE TO DO A LITTLE DANCE FOR YOU...."

In other news, the New Jersey authorities, and the FBI, oh, and AOL, too, think they've caught their man. As reported by CNN, MSNBC, Wired News and others, David L. Smith was apprehended and charged with interfering with and conspiring to interfere with public communications, theft of computer services, wrongful access to computer systems, and being an all-around Bad User of the Internet. He stands to spend 40 years in prison, and pay up to $480,000 in fines. Can you say "Computer Fraud and Abuse Act of 1988?" (Please refer to O'Reilly's COMPUTER SECURITY BASICS, also known as "O'Reilly's Yellow Book.")

Reportedly, the information that helped track him down was provided by a lawyer for AOL. That's not news, since it was determined earlier this week that the initial posting to an alt.sex newsgroup came from an appropriated AOL account; AOL was able to provide data that helped Federal and state investigators nail the activity down to Smith's phone line. He used his own phone line? This is a "very clever virus writer," but he used his own car for the getaway?? [Source: Sal Viveros, Network Associates]

Let's review this week's big scoops from software vendors, though. Trend Micro reported that the post initially came from Western Europe. Apparently not.
Richard Smith of Phar Lap Software (no relation, I presume), who has previously answered the call as a volunteer hunter of virus writers, asserted that the Globally Unique Identifier (GUID) embedded in the Word file pointed to virus writer VicodinES as the culprit. Apparently not. As reported in MSN, "Christopher Bubb, deputy attorney general, said investigators did not use GUIDs, the unique identifiers embedded in every Word document, to track down Smith." [Later news reports confirmed that authorities were able to compare the GUID from "Melissa" with Smith's recovered computer, with positive results.]

(Coincidentally, Smith made news less than a month ago when he discovered an intriguing security vulnerability in Office documents: Global User IDs based on each computer's unique network adapter (NIC) address. The NIC addresses were found documented in the Windows Registry and in Office documents (the GUID), and may have been collected by Microsoft during online product registration. The media attention led to Microsoft offering several patches and utilities, including the "Office 97 Unique Identifier Removal Tool.")

In all, as usual, no surprise, many of the claims and contentions made by the antivirus software vendors have become clear hyperbole and salesmanship. Again. Did any of it work? I'll give you three guesses, and the first two DON'T COUNT.

By the by, the "Melissa" virus was apparently named after a topless dancer that Smith knew in Florida. Think she's flattered?

UPDATE: 05 APRIL 1999

George Smith (The Crypt Newsletter) has been issuing some high-value reality checks on the continuing soap opera that surrounded last week's virus outbreak. In an insightful article on his site about the hunt for "Melissa's" author, he delves ever deeper into Richard Smith's (no relation) claims that the unique GUID found in the original Word file provided damning evidence of "Melissa's" parentage.
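The GUID leak Richard Smith raised is easy to check for in your own files. The Python below is an added example, not the author's tooling and not Microsoft's removal utility. It assumes that a document GUID is a standard version-1 UUID, the variety whose last 48 bits are a "node" field taken from the network adapter; under that assumption it pulls GUID-looking strings out of text, decodes the node field as a MAC address, and reports which GUIDs expose a plausible real adapter address (the multicast and locally-administered bits of the first octet clear). The GUIDs in the sample text are constructed for illustration, as is the "_PID_GUID" label standing in for a document property.

```python
import re
import uuid
from datetime import datetime, timedelta

# Matches GUIDs in text, with or without surrounding braces.
GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?")

# Constructed sample standing in for a document's property text (not a real file).
SAMPLE_TEXT = """
_PID_GUID {E3C8B5A0-E5EF-11D2-A8D5-00A0C9112233}
other-id 9b2a5a0e-4f6f-4c0e-9a1b-8d4f3e2c1b0a
random-node {E3C8B5A0-E5EF-11D2-A8D5-01A0C9112233}
"""

def guid_node_info(guid_text):
    """Describe one GUID. Only version-1 UUIDs carry a node field. A node that is a
    real adapter address has the multicast bit (0x01) and the locally-administered
    bit (0x02) of its first octet clear; RFC 4122 sets the multicast bit when the
    node is random instead (assumed convention)."""
    u = uuid.UUID(guid_text)
    info = {"guid": str(u), "version": u.version, "node": None,
            "looks_like_nic": False, "created": None}
    if u.version != 1:
        return info
    node = u.node
    first_octet = (node >> 40) & 0xFF
    info["node"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    info["looks_like_nic"] = (first_octet & 0x03) == 0
    # v1 timestamp: count of 100 ns intervals since 1582-10-15 (Gregorian epoch).
    info["created"] = datetime(1582, 10, 15) + timedelta(microseconds=u.time // 10)
    return info

def find_nic_leaking_guids(text):
    """Return [(guid, mac)] for each version-1 GUID whose node looks like a real NIC."""
    leaks = []
    for m in GUID_RE.finditer(text):
        info = guid_node_info(m.group(1))
        if info["looks_like_nic"]:
            leaks.append((info["guid"], info["node"]))
    return leaks

if __name__ == "__main__":
    for guid, mac in find_nic_leaking_guids(SAMPLE_TEXT):
        print(f"{guid} exposes adapter address {mac}")
```

A version-1 GUID also carries a creation timestamp, which is why the same check is useful to an investigator comparing a document against a seized machine and to a privacy-minded user deciding whether to run the removal tool. A GUID whose node has the multicast bit set, or a version-4 GUID, tells you nothing about the adapter.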
Since Smith announced to the world that Office applications were inserting GUIDs into Office documents, Microsoft has released two patches: one to prevent this from happening to new documents, and another to remove the GUID from existing files. A complete discussion of the issue is on Microsoft's web site, signed by Yusuf Mehdi, Director of Windows Marketing.

I have to ask the obvious question. Since these patches are widely and publicly available, just how hard is it for a "very clever virus writer," like VicodinES, or David Smith (according to authorities), to remove the GUID at will? Or, knowing HOW the GUID is created (derived from a Registry entry), FAKE ONE? I side with The Crypt that cute little privacy hacks are no substitute for good, old-fashioned police legwork.

In other news (watching), Rob Rosenberger (Computer Virus Myths home page) found a ZDNET audio broadcast interview with a ZDNN reporter, apparently the best authority on Smith's arrest that could be found on short notice. The interview contained this quaint little quote:

Rob Lemos, ZDNN: Melissa Arrest ZDTV
"... He's a thirty-year-old man, which is kind of interesting, because usually virus writers are high school age, uh, for no other reason because, um, in a lot of ways they can't be prosecuted 'til they're over 18. But once you get over that, you think, 'Hey, I better think about being responsible about this.'"

Presuming that Mr. Lemos knows what he's talking about, I guess this confirms that if you're a "very clever virus writer," then the first thing you do after you download VicodinES' kit is become a teenager.

Update: August 1, 2001

It's been two years since David Smith was apprehended and convicted of writing and distributing the W97/Melissa virus. How's he doing? Well, not bad actually. He still has not been sentenced.
As the first virus writer who was caught and convicted of laying waste to the Internet as a prank (a gross exaggeration for comedic effect, I hope you see), you'd think the Federal government would make an example of him. Nope. He's still walking around.

Justice Mysteriously Delayed for 'Melissa' Author
The Register; August 01, 2001

Nearly twenty months after entering guilty pleas in state and federal court, David Smith, the confessed author of the infamous 'Melissa' Outlook worm, remains free on bail with no sentencing date in sight, while the prosecutors who once ballyhooed Smith's arrest as a model of swift and certain information age justice have fallen mysteriously silent.

When Melissa struck on 26 March 1999, it introduced a generation of Netizens to the concept of a computer virus. The worm targeted Microsoft Word users, and spread by sending an infected e-mail to the first 50 addresses in each victim's Microsoft Outlook address book. Though non-destructive by design, the virus propagated so quickly that it jammed corporate and government networks, forcing some large companies to sever their connections to the Internet temporarily. By some estimates, the virus caused millions of dollars in losses.

Within a week of the outbreak, New Jersey police and FBI agents tracked the virus through a hijacked AOL account to Smith, then 30. On 9 December of that year the programmer pleaded guilty to computer crimes in state and federal court, and stipulated in a detailed plea agreement to having caused over $80,000,000 in damage. The losses, coupled with other stipulations in the plea agreement, carry a prison term of 46 to 57 months.

...

There, the flurry of activity stopped. Smith's 18 February 2000 sentencing date was postponed; then, as the new date neared, it was postponed again. In all, Smith's sentencing has slipped five times.
If he were to be sentenced today, the elapsed time between his adjudication and sentencing would come in at five times the 125 day federal average. The state case -- subordinate to the federal sentence -- remains in limbo.

His sentencing is currently scheduled for September 1, 2001. The Register reported that there appear to be no actions by Smith's attorneys to account for the delay in sentencing. The New Jersey US Attorney's office wouldn't discuss the matter. Smith's lawyer wouldn't return phone calls. Smith himself declined comment.

The Register proposed two possibilities for this seeming lack of justice, swift and fair. One, the actual amount of damage created by Smith cannot be determined. Rob Rosenberger of Vmyths.com regularly takes the antivirus software industry, and the media, to task for publishing grossly inflated "damages" figures apparently conjured up out of thin air, or stale office coffee. Although Smith admitted responsibility for over $80 MILLION in damages, he's not bound to that, and authorities have not been able to devise sufficient metrics to determine how much (or how little) damage he really did in order to proceed with sentencing.

The Register's second proposed explanation is that Smith is cooperating with the authorities on other investigations (subsequent virus epidemics?). Such collaboration would be in confidence, and the sealed nature of court documents indicates that he's working with prosecutors. Smith has no known association with criminals, so it's possible that he's working with the NIPC on other virus problems. I wasn't impressed with Smith's ingenuity (he was caught pretty darn quick, wasn't he?), so I wonder just what good he's doing.

As The Register points out, Smith is the only Web-era virus writer to have been prosecuted. The fact that he's still at large, waiting for sentencing, is a joke.

David Spalding

(Suzy Seraphine-Kimel tipped me to this initially; thank you, ma'am.)
Related Links

http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
http://www.ciac.org/ciac/bulletins/j-037.shtml
http://officeupdate.microsoft.com/nonIE4/DownloadDetails/wd97spnonie4.htm
http://officeupdate.microsoft.com/Articles/MacroAlert.htm
http://www.microsoft.com/security/bulletins/ms99-002.asp
http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm
http://officeupdate.microsoft.com/downloadDetails/wd97vwr32.htm
http://www.wopr.com/
http://www.kumite.com/myths
http://sun.soci.niu.edu/~crypt
http://www.korova.com/virus/ ("e-v-mail")
http://www.korova.com/kmr96/kmr6001.htm ("e-j-mail")

The HOAX DU JOUR is a regular feature of Korova Multimedia. Tune in to http://www.korova.com/virus/hoax.htm.

D.B. Spalding is an infopreneur and consultant based in Marin County, CA. Many of his articles can be found on the World Wide Web at http://www.korova.com.

(C) Copyright 1999 D.B. Spalding. All rights reserved.