




E-mail doesn't have to be opened to release virus


May 13, 1999
Web posted at: 12:13 p.m. EDT (1613 GMT)

by Deborah Radcliff

(IDG) -- "Suppose it's possible to send an e-mail containing a hidden construct," said an information security director. "And when the user opens that e-mail, the construct will run without the user ever knowing anything."

Imagine those constructs can do anything their creator wants them to: Secretly copy and download proprietary information, delete the BIOS or reformat your machine.

It's real. The security director, who asked for anonymity, was talking about Russian New Year with a twist.

Discovered in January, Russian New Year exploits the Microsoft Excel CALL functions used to call other Excel functions such as create, write, close, execute and sum.

So what's the twist? Originally, the only way to contract the virus was to visit a Web page and click an HTML link. Now, Russian New Year can be sent via mass mail programs, with the link embedded or as an attachment. Newer browser programs will automatically execute CALL to fetch the embedded document or prepare to open the attachment -- so the e-mail recipient needn't even open the e-mail to get infected.

"Russian New Year is a way of attacking you without you knowing you've been attacked. It really does this," said Ira Winkler, president of Severna Park, Md.-based Information Security Advisors Group and author of Corporate Espionage (Prima Publishing, 1997).

The good news: There are no known reports of Russian New Year attacks on enterprises. And that's why most folks just don't want to talk about it -- they're afraid of letting the cat out of the bag. "If Russian New Year wasn't publicized, people might not exploit it. On the other hand, there are a lot of users who are vulnerable," Winkler said.

Now the bad news. The hack is so subtle, it's likely that if they have been hit, security administrators don't know it. Excel spreadsheets, for example, could be easily and secretly copied to a browser, according to an April 17 alert issued by Finjan Software Ltd., an Israel-based maker of mobile code security software (

Sneak attack

Under certain conditions, users wouldn't have to manually open HTML attachments or click on embedded links to let the attack in.

"Russian New Year gives attackers the ability to deliver any payload they want," said Penny Leavy, Finjan's senior vice president of global marketing. "Your antivirus software won't catch this. Your firewall won't catch this."

More bad news: The attack is difficult to prevent. Microsoft Corp. has patches, but only for Excel 97. If your users are running Excel 95, you must first upgrade them to Office 97, then load service releases 1 and 2, then load the patch -- which pretty much kills the CALL function altogether.

"Until vendors configure Web browsers to not allow embedded Excel CALL functions, this problem really can't be fixed unless you cancel your Excel CALL functions," Winkler said. Unfortunately, "some people ... use the CALL function all the time," he added.

Financial services firms, for example, rely on CALL to import data from their enterprise resource planning software databases into spreadsheets, Leavy said.

The simplest fix is education. Remind users not to open HTML attachments or click embedded links in e-mail files unless they explicitly trust the source, Winkler said. But there's another possible diabolical twist, he adds: If New Year is teamed up with the mass-mailing technology behind the recent Melissa virus, the e-mail will appear to come from a trusted source.

Leavy suggests raising browser-security levels and configuring dialog boxes to send alerts when a program or a Web site is set to call other functions.

Because there's no simple way to block Russian New Year, Winkler advises information technology managers to ask, "Is the benefit of using CALL functions worth more than the potential risk of using them?"

Radcliff is a freelance writer in the San Francisco area. Her Internet address is

© 2001 Cable News Network. All Rights Reserved.