advertising information
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards





'Melissa' mutates, becomes resistant to patch

computer virus


   In-Depth Specials: Insurgency on the Internet

   For more computing stories


March 30, 1999
Web posted at: 11:32 a.m. EST (1632 GMT)

by Kathleen Ohlson and Ann Harrison

(IDG) -- As corporate customers scramble to protect themselves from the "Melissa" virus, it has begun to mutate and defeat a widely used patch, one industry watcher said.

The new, quick-spreading virus called Melissa has been wreaking havoc since Friday afternoon, the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh reported.

In its early going, the virus could be known by its distinctive subject header, which read "Important Message From ..."

But now a variant of the virus leaves the subject line blank, according to Dan Schrader, director of product marketing at Trend Micro Inc., a Cupertino, Calif., developer of virus protection tools. Schrader said the patch, issued by, "very quickly becomes invalid for companies depending on that filtering technology."

  Computerworld's home page
  Computerworld Year 2000 resource center
  Computerworld's online subscription center
 Reviews & in-depth info at's personal news page
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for IT leaders
  Search in 12 languages
 News Radio
  Computerworld Minute
  Fusion audio primers

The variant, called W97M_MELISSA.A, keeps the sendmail patch from detecting, blocking or removing the mutated virus. Schrader said he expects to see more new versions of the Melissa virus appear to corrupt mail files in any environment. He suggested that companies contact their antivirus vendors to make sure their tools can scan for the Melissa variant.

Melissa has affected hundreds of sites and approximately 100,000 employees so far, said Shawn Hernan, leader of the vulnerability handling team at CERT. Hernan declined to identify the companies affected by Melissa. "We're not sure if this is the entire thing or just the tip of the iceberg," Hernan said.

Schrader noted that within six hours of the posting of the virus, tens of thousands of corporate users were unable to access their mail servers. Others shut down their mail systems to keep clients and partners from being affected.

"Nobody wants the liability of spreading viruses to customers," said Schrader, who noted that Intel Corp. was one company that was forced to shut down its mail services. In fact, just today, employees were instructed on how to validate the removal of Melissa from their systems, said Michael Sullivan, an Intel spokesman.

Schrader said studies have shown that a virus affecting 25 systems costs $8,000 to clean up. He said he couldn't calculate the cost of cleaning up the Melissa virus and its variants.

Schrader said an estimated 20 million Exchange seats and 30 million Lotus Notes mail systems are vulnerable to the virus or its variants. He said the most common distribution vector is via mail from large companies with international branches. Many overseas companies, especially in financial services, reported being affected, he said. The virus is most prevalent in the U.S., partly because Asian companies hit earlier had more time to respond.

Directed at users of Microsoft Word 97 and Word 2000, Melissa arrives innocently enough and can appear as an e-mail attachment sent from a boss, fellow employee or friend. The message's subject header reads "Important Message From," and the body begins "Here is that document you asked for ... don't show anyone else ;-)" with a document of pornographic Web sites named "list.doc," CERT said.

Once the .doc file is opened with either Word 97 or Word 2000, the virus is immediately executed if macros are enabled, Hernan said. It modifies the Word setting by infecting the warning template and the current open file, he said. Melissa sends e-mail messages to the first 50 addresses of a user's Microsoft Outlook address book, potentially "swamping" a company's server, Hernan said.

In addition, if the minute of the hour matches the date (for example, 3:29 p.m. on March 29), Melissa will insert a Bart Simpson quote into the current document: "Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game's over. I'm outta here."

As a result of Melissa, one unidentified company shut down its mail server but is having a hard time getting back online with all of the e-mail, Hernan said. The extent of the damage is unknown, he said. In some cases, the aftereffects of Internet vulnerabilities have continued for two years.

One security watcher saw a long-term effect of the Melissa virus. What is interesting about this virus is that "it is helping to spread itself," said Professor Gene Spafford, director at the Center for Education and Research in Information Assurance and Security at Purdue University in West Lafayette, Ind. If machines don't get cleaned up properly, "it will turn off protection from future viruses." This is "just the beginning," Spafford said.

Comparing Melissa to the Morris worm, Ira Winkler, president of Internet Security Advisers Group, a consultancy in Saverna Park, Md., said the blame for viruses is going to the wrong party. "We live in the type of world that we put the blame on the vendors for not doing a better job" in protecting corporate systems from viruses, he said. The responsibility should go on the individuals who are creating these viruses, Winkler said.

Insurgency on the Internet

Melissa virus

Copycat virus follows quickly on Melissa's heels
March 29, 1999
How to protect yourself against Melissa
March 29, 1999
You've got (unwanted) mail
March 28, 1999

Copycat virus follows quickly on Melissa's heels
How to protect yourself against Melissa
(PC World)
Massive e-mail virus outbreak spreads like wildfire
'Melissa' virus spreading through corporate networks
Just how destructive will 'Melissa' virus be?
(Industry Standard)
The 10 Commandments of E-mail
(PC World)
Virucide! All about virus killers
(PC World)
Top 10 e-mail tools
(PC World)

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Melissa sendmail patch
McAfee/Network Associates - Melissa information
Norton AntiVirus Research Center - Melissa information
Trend Micro - Melissa information
Microsoft's advisories - Melissa

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.