by Matthew Nelson

From...

(IDG) -- The Melissa virus continues to be the virus that will not die, as two new, much more destructive Melissa variants have been discovered and are spreading across the world via e-mail.

As predicted by security experts when the original Melissa virus outbreak occurred in March of this year, virus writers have co-opted Melissa's code to create similar but different viruses which have been loosed upon networks. The latest variants, Melissa.U and Melissa.V, propagate themselves in a similar fashion to the original Melissa, but now carry a potentially disastrous payload, according to antivirus security vendor Network Associates.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Melissa tests DOD procedures
Melissa case could be headed to grand jury
Melissa forces look at Microsoft's approach to security
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

Both variants are socially engineered as to appear to have been sent from a friend, and include the subject line "pictures" in the case of Melissa.U, and "My Pictures" in the case of Melissa.V. In both cases, the sender's registered Microsoft Word 97 or Word 2000 username, if available, will follow in the subject line. The body of the e-mail message will read, "what's up?" in the case of Melissa.U, and will be blank in the case of Melissa.V.

If activated, Melissa.U will invoke a Messaging API (MAPI) e-mail client and send itself to the first four e-mail addresses in the Address Book, which often include distribution lists. It will then attempt to delete the following system files: c:\command.com, c:\io.sys, d:\command.com, d:\io.sys, c:\Ntdetect.com, c:\Suhdlog.dat, and d:\Suhdlog.dat, which are necessary when booting up a system.

"These files are needed in order to load your machine," said Jimmy Kuo, director of anti-virus research at Network Associates. "So after the virus runs on your machine, you can no longer boot it up."

Melissa.V also invokes a MAPI client, sending itself to the first 40 addresses in the Address Book. It then attempts to delete files and directories in shared drives, but will not affect the client machine.

"Because it's deleting files from network drives, it doesn't do anything to the client machine," Kuo said. "If the infected machine is linked to another machine's C: drive, it could delete that machines root directory and prevent the other machine from booting up, but won't do anything to that machine itself."

Although the subject line claims the message includes "pictures," the attachment is actually an infected Word document. When the Word document is opened on an uninfected machine, the virus will infect Word's global template, NORMAL.DOT, infecting all future Word documents. On occasion in the case of Melissa.U, infected documents will have the message "Please Check Outlook Inbox Mail" inserted into them; in the case of Melissa.V, a pop-up message box containing the text "Please Check Your Outlook Inbox E-mail!" will appear, according to Network Associates.

Melissa.U is the more prevalent of the two variants. It is believed to have originated in Europe, but is now spreading to the United States and Australia, and "because of it's effect, it's very noticeable," Kuo said.

However, because many users and administrators made extra efforts to protect against Melissa when the original attack occurred, the spread of Melissa.U and Melissa.V has been much less rampant, but security vendors recommend -- as always -- that users update their DAT files to protect against the new variants.

Matthew