Virus Case Study

Background

In March 1999, a computer programmer called David Smith created the "Melissa" virus, which was designed to evade anti-virus software and infect computers that used Microsoft Word. A few days later he posted a message on a sex related Internet newsgroup with an attachment infected with the virus, suggesting that the attachment contained a list of codes for accessing named pornographic websites. His intention was for people to download and open the infected document, and subsequently infect any computer using Word with the Melissa virus. The virus changed various security elements of Word, making infected machines more vulnerable to further attack. The virus also made sure that any document written subsequently was also infected. After this, the virus caused affected machines to send e-mail messages containing the virus to the first fifty persons named in the machine's Outlook address book. Any person who opened the attachment would activate the virus, and so it spread. The virus infected word processing programmes in over one million computers in the US, and caused over $80,000,000 in damage globally.

The Organisation

A small (but global) financial services company which has headquarters in London and regional offices in Tokyo, Hong Kong and New York. It provides specialist financial services advice, with a small outsourced IT support department.

What Happened

The company contracted the Melissa virus via its Hong Kong Office. The virus spread unchecked throughout systems, and spread to contacts and clients. The outsourced IT company was first told of the infection by a client, who traced his own outbreak back to source. The outsourced company did not have a contingency plan in the event of a virus outbreak, but thought it best to warn all users via e-mail. No matter how sophisticated or crude a virus is, in most circumstances it can only be activated by someone or some process running the file. This activation normally involves the opening of a file attached to an e-mail. The creators and launchers of Melissa used a couple of simple techniques to make users open infected files. The most basic was to ensure it came from (or appeared to come from) genuine users. The second was to ensure the e-mail subject stressed the urgency of the message.

Lessons

• Make sure people are wary of strange e-mails, especially if they do not recognise the sender, or if the message is unusual.
• Never rely on e-mail to alert users to a virus infection that is carried by e-mail. If you can, use the telephone, or have written warnings placed at entrances to workplaces or even on potentially infected machines. Users are more likely to open the virus e-mail before the warning.
• Install anti-virus software and keep it up to date. Remember that this will not only protect you and your company but may also protect your clients and other contacts. The company involved in this case study received news of its own infection from the worst possible source, a client that it had infected. See our 'How To' Guide on Virus Protection for more details.
• If you outsource IT services, make sure that you provide defined procedures and requirements to your outsource agent before the contract is signed. Make security (including virus management) part of the contract, and ensure you retain the right to monitor activities. See our 'How To' Guide on Outsourcing for more details.