Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Technology Stocks : Intel Corporation (INTC) -- Ignore unavailable to you. Want to Upgrade?

To: Amy J who wrote (77368)	3/28/1999 11:25:00 AM
From: VICTORIA GATE, MD	Read Replies (1) \| Respond to of 186894

Sales Of NT/Intel-Based Servers Jump (03/26/99, 5:13 p.m. ET) By Mary Jander, Data Communications The popularity of servers based on Windows NT and Intel processors is growing, despite the fact that sales are down for servers overall, according to a study released this week by International Data Corp. The study says that during the fourth quarter of 1998, worldwide server revenues were $16.2 billion, down 4 percent from the same period in 1997. But per-unit shipments of servers increased 22 percent. IDC said this can be traced to the increased popularity of comparatively cheap servers based on Intel processors, sales of which jumped 15 percent in the fourth quarter, compared with just a 3 percent increase in sales of high-end RISC-based servers running Unix. Further, revenue for servers running Windows NT increased by 28 percent. "The overall trend is that companies are getting more bang for the buck on Intel-based platforms running NT, so they're buying more of them instead of investing in high-end products," said Amir Ahari, senior analyst at IDC. He added that ease of use, familiarity with the Windows NT operating system, and availability of NT applications are helping popularize low-end servers. This holds true even though server vendors are having to tweak their wares to overcome what some call the inherent unreliability of NT, which many users claim results in 20 percent downtime. At the same time, vendors are finding it profitable to create smaller servers that sell well. "Departmental NT-based servers are getting to be commodities," said Greg Bennett, product marketing manager at Dell Computer in Round Rock, Texas. And according to IDC's Steve Josselyn, research director for commercial systems and servers, Asian market woes and focus on mainframe sales have hindered growth in servers from the likes of Hitachi and Fujitsu. Also, IBM has been selling its new high-end servers at a discount in order to make up for being late to market compared to its competitors, a move that's further reduced high-end server profit margins.

To: Amy J who wrote (77368)	3/28/1999 2:34:00 PM
From: Amy J	Read Replies (2) \| Respond to of 186894

Re: Virus. The virus/email is sent to 50 people in your MAPI address book (i.e. Outlook, Exchange, etc.)... which will make it "look" like the email/virus came from a friend/contact. Bottom-line: don't open an attachment from a friend/contact/anyone whose email subject line reads, "Important Message From <your friend's name>" Amy J Details: CERT Advisory CA-99-04-Melissa-Macro-Virus Systems Affected * Machines with Microsoft Word 97 or Word 2000 * Any mail handling system could experience performance problems or a denial of service as a result of the propagation of this macro virus. Overview At approximately 2:00 PM GMT-5 on Friday March 26 1999 we began receiving reports of a Microsoft Word 97 and Word 2000 macro virus which is propagating via email attachments. The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites. Our analysis of this macro virus indicates that human action (in the form of a user opening an infected Word document) is required for this virus to propagate. It is possible that under some mailer configurations, a user might automatically open an infected document received in the form of an email attachment. This macro virus is not known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files known to exploit any new vulnerabilities. While the primary transport mechanism of this virus is via email, any way of transferring files can also propagate the virus. Anti-virus software vendors have called this macro virus the Melissa macro or W97M_Melissa virus. I. Description The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header Subject: Important Message From <name> Where <name> is the full name of the user sending the message. The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text. Here is that document you asked for ... don't show anyone else ;-) The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim. When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled. Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future. The macro then checks to see if the registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message. Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document. The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates the virus may execute without warning. For more information please see: microsoft.com Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 list the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor. If you receive one of these messages, keep in mind that the message came from someone who is affected by this virus and they are not necessarily targeting you. We encourage you to contact any users from which you have received such a message. Also, we are interested in understanding the scope of this activity; therefore, we would appreciate if you would report any instance of this activity to us according to our Incident Reporting Guidelines document available at: cert.org II. Impact * Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user's document to be propagated instead of the original document, and thereby leak sensitive information. * Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus. III. Solutions * Block messages with the signature of this virus at your mail transfer agents. With Sendmail Nick Christenson of sendmail.com provided information about configuring sendmail to filter out messages that may contain the Melissa virus. This information is available from the follow URL: ftp://ftp.cert.org/pub/cert_advisories/Patches/CA-99-04-sendmail-m elissa-filter.txt * Utilize virus scanners Most virus scanning tools will detect and clean macro viruses. In order to detect and clean current viruses you must keep your scanning tools up to date with the latest definition files. scanning tools up to date with the latest definition files. + McAfee / Network Associates vil.mcafee.com avertlabs.com + Symantec symantec.com + Trend Micro housecall.antivirus.com * Encourage users at your site to disable macros in Microsoft Word Notify all of your users of the problem and encourage them to disable macros in Word. You may also wish to encourage users to disable macros in any product that contains a macro language as this sort of problem is not limited to Microsoft Word. In Word97 you can disable automatic macro execution (click Tools/Options/General then turn on the 'Macro virus protection' checkbox). In Word2000 macro execution is controlled by a security level variable similar to Internet Explorer (click on Tools/Macro/Security and choose High, Medium, or Low). In that case, 'High' silently ignores the VBA code, Medium prompts in the way Word97 does to let you enable or disable the VBA code, and 'Low' just runs it. Word2000 supports Authenticode on the VB code. In the 'High' setting you can specify sites that you trust and code from those sites will run. * General protection from Word Macro Viruses For information about macro viruses in general, we encourage you to review the document "Free Macro AntiVirus Techniques" by Chengi Jimmy Kuo which is available at. nai.com nai.com Acknowledgements We would like to thank Jimmy Kuo of Network Associates, Eric Allman and Nick Christenson of sendmail.com, Dan Schrader of Trend Micro, and Jason Garms and Karan Khanna of Microsoft for providing information used in this advisory. Additionally we would like to thank the many sites who reported this activity. ______________________________________________________________________ This document is available from: cert.org. ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from cert.org. If you prefer to use DES, please call the CERT hotline for more information.