Anti-virus round-up (January-June 1999)

July 21, 1999 Sophos Press Release

The most significant development in the first six months of 1999 has been the emergence of mass-emailing viruses. WM97/Melissa, the macro virus (supposedly named after a stripper the alleged author used to admire), and ExploreZip, the executable worm, both exploited email systems to forward themselves automatically to other users.

Both WM97/Melissa and ExploreZip were deliberately coded to auto-propagate themselves using Microsoft Outlook (the default email system on most computers).

In the past, new viruses often took months before ever being seen in the wild. These new mass-emailing viruses don't rely on users to distribute them accidentally to their friends and colleagues. They employ the email system directly. WM97/Melissa proved it was possible for a virus to become widespread, around the globe, within a single day.

David L Smith has been arrested by the FBI in relation to the WM97/Melissa virus outbreak and is awaiting trial.

Other developments in the last six months include:

  • Innocent computer users were caught in the crossfire between lovers of rival computer languages: the author of ExploreZip (written in Pascal) made clear his scorn of C programmers by reducing all their source code files to zero length.

  • The first Corel Script virus was released, displaying an Elvish song from J R R Tolkien's "Lord of the Rings".

  • Asia Pacific was hit hard in April by W95/CIH-10xx, the first PC-paralysing virus which flashed computer BIOSes. Fortunately, Western companies had listened to anti-virus vendor warnings and had largely put protection in place.

  • The Cult of the Dead Cow hacking group ended up with egg on their face after CDs they distributed at the Defcon conference turned out to be infected with the W95/CIH-10xx virus. Despite the hype caused by Back Orifice 2000, it is not viewed as a serious threat.

  • Executable file viruses are back (for example W95/CIH-10xx, W95/Marburg and W32/Ska-Happy99).

  • Boot sector viruses are still causing problems, and appear just outside the Top 10 of all viruses reported.

Sophos continue to recommend that companies keep their anti-virus software up-to-date and employ "safe computing" policies such as not opening unsolicited documents and executables. The rule of 'ignore email from strangers' is not enough. Viruses are often spread unintentionally via your friends and colleagues.

January - June 1999 top ten viruses

Position  Malware            Percentage of reports
1         XM/Laroux          26%
2=        WM97/Ethan         9%
2=        W95/CIH-10xx       9%
4=        WM97/Footer        8%
4=        WM97/Class         8%
6         W32/Ska-Happy99    7%
7         WM97/Melissa       5%
8         WM97/Marker-A      4%
9         W95/Marburg        2%
10        W32/ExploreZip     1%
          Others             21%