Revamped Melissa requires antivirus update

Remember Melissa? It's been almost two years since that infamous worm swept through the world's e-mail servers, spreading faster than any virus ever had before. Now a new variant of Melissa threatens to get past the defenses designed to protect us from the original.

Reports of the new strain, Melissa.W, started appearing midweek, mainly in Europe. By Thursday afternoon the Symantec Corp. Antivirus Research Center had upgraded the variant's severity rating to Category 4 (Severe).

Not surprisingly, the major antivirus companies are rushing to get out their solutions. Most of the first fixes will likely be definitions specific to Melissa.W. Some products can identify the new strain of the virus without yet repairing it.

The definition will also be part of McAfee.com Corp.'s next weekly update, due to become available on January 24. Symantec expects to have a fix available on Friday.

Subject Lines to Watch For

In most ways, the new Melissa acts pretty much like the old one. The macro-based worm comes alive when you open an infected Word file, spreading to other documents and mailing itself as an attachment to the first 50 listings in your Microsoft Outlook address book. If one of the recipients opens the attachment, the cycle starts all over again.

How do you defend yourself against the new Melissa?

"The best defense is education," says Kevin Haley, group product manager for Norton AntiVirus. If you can recognize the virus, you can catch it.

If you receive an e-mail message with a subject line that begins with "Important message from," be afraid.

If the body of the e-mail message itself (and yes, you can safely open the message) tells you that "Here is that document you asked for ... don't show anyone else ;-)," be very afraid.

In fact, if you get such a message, delete it and notify the poor slob who accidentally sent it to you. And whatever you do, don't open the attached file.

Not everyone who gets the virus will spread it. If you don't open the document, you'll never get infected. And if you're not using Outlook, you won't mass-mail the virus to others, although you can still spread it by sharing Word files.

On the other hand, a lot of people use Outlook, especially in offices (Melissa can't mass-mail through the similarly-named Outlook Express program). If enough people open their attachments within a company that is standardized on Outlook, the mass of extra e-mail can overload the server.

Meeting the Mac

Melissa.W has actually been around almost as long as the original. Like all variants of Melissa, the virus is a Microsoft Word macro that spreads itself far and wide by e-mailing infected files through Microsoft Outlook. And also like all Melissa variants, antivirus programs were catching and neutralizing it with ease.

That is, until it met Microsoft Word 2001 for the Macintosh.

The version of Melissa.W currently making the rounds is a Word 2001 file, something the antivirus programs aren't ready to handle.

"The [antivirus software] engine has to understand the file format to detect a virus," says Vincent Gullotto, director of Network Associates' McAfee Antivirus Emergency Response Team.

So what transformed the virus?

"We don't know," admits Symantec's Haley.

Someone saved an infected file on a Mac-converting the file format and changing the nature of the virus-and then e-mailed it to a PC user.

"It could have been malicious, or it may have simply been someone sending a file," he says.

» posted by ITworld staff

Network World

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine