The RISKS Digest
Volume 20 Issue 26

Thursday, 1st April 1999

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



The Y9Z Problem
Mark Thorson
Yet another Y2K debacle
Jon Loux
Vatican announces all computer systems ready for new millennium
Matthew Todd
Y10K opportunity
Matthew Todd
Torvalds, SlashDot, and Stallman
Martin Minow
Melissa and RISKS
Melissa macro virus
Rob Slade
Melissa and monoculture
Nick Leverton
Melissa and GUIDs
Ronan Waide
Melissa + meme = future disaster
Bear Giles

The Y9Z Problem

Mark Thorson <>
Sun, 14 Mar 1999 17:20:29 -0800 (PST)
In my extensive consulting work on the Y2K problem, a new problem has come
to my attention.  One thing all of my clients have in common is that we are
forbidden from touching the database format — only the source code may be
modified.  Further, we use formal methods for proof of program correctness,
so any change we make actually costs more to verify than to develop the
change itself.

Because of these restrictions, all of my clients have opted to allow the
date field to roll over from 99 to 9A in the year 2000.  But this only buys
another 26 years of service.  What happens in the year 199Z (i.e. 2025 AD)?

Only one client (a company with a strong "do it right the first time"
corporate philosophy) has opted to follow my recommendation, which is that
the year 199Z be followed by the year 19A0.  This buys another 936 years, to
the year 19ZZ (i.e. 2961 AD).

Because of the verification requirement, this is more than twice as
expensive as the 26-year fix.  Rather than doubling the effort required for
the single digit, it's more like the effort squared to apply to two digits.

What year follows 19ZZ?  My recommendation is that the year 19ZZ be followed
by the year represented by "2000".  If we can't fix the problem by then, we
deserve the fate of extinction.  Hopefully, our bones will serve as a source
of calcium for whatever superior species comes along to replace us.

Mark Thorson (

Yet another Y2K debacle

Mon, 22 Mar 99 08:19:37 EST
I found this in a respected journal of scientific neatstuff.

                Researchers Find Y2K Bug in Human Brain!
                       by Natalie N. Quirer

Researchers at the Yale Neurological Sciences Department announced today
that they have discovered a millennium bug implanted in the brains of human
beings.  "The brain is just a big computer, like any other," says Dr. Uri
Ignoramus of the Synaptic Research Lab.  "It has to keep track of times and
dates.  Like when you wake up just before your alarm clock or remember your
mother's birthday a day late.  Stuff like that."

According to researchers, when the clock strikes midnight in January 2000,
power outages and planes falling from the sky will be the least of our
worries.  Along with such mundane annoyances like frozen bank accounts and
nuclear detonations, add epileptic-like seizures, an uncontrollable desire
to watch the Rosanne Show, and suddenly not being able to remember where
your keys are or why you are living in the same building with that ghastly

"Billions of years of evolution," says noted Nobel laureate Albert
Bearstein.  "You'd think they could have anticipated this sort of thing.
Just how did they manage the year 0 rollover, anyway?"

In anticipation of the impending cranial apocalypse, experts insist that the
population stay calm.  "There is plenty of time for panic later."

In the meantime, stock up on St. John's wort......

Jon Loux, Data Administration, University of Connecticut

Vatican announces all computer systems ready for new millennium

"Matthew Todd" <>
Thu, 1 Apr 1999 08:59:26 +0600
Vatican announces all computer systems ready for new millennium

Rome, Washington, London and Delhi, 1 Apr (Routers) A spokesman for the IT
department of one of the world's smallest states, the Vatican City,
announced yesterday that all computer systems of the Roman Catholic church
world-wide were now ready for the next millennium.

Asked what solution had been used to combat the so-called "Y2K problem", he
said that the solution had been simple. "All we did was to revert to the
Roman numbering system. This makes the current year MCMXCIX. Next year will
be MM. Since this is shorter than the current representations there will not
be a storage problem. Also, since there is no zero in the Roman number
system nothing will reset."

The spokesman also pointed out that the absence of a zero also categorically
proved the new millennium would begin in MMI. He explained that the zero had
been introduced in MCCII by an Italian mathematician called Fibonacci. This
explained why there was no confusion at the start of the current millennium
in MI.

The church is now considering excommunicating Fibonacci for the confusion he
has caused.

Subsequently in Washington, a spokesman for US President Bill Clinton said,
"we think that it is harsh to pin the blame on one poor Italian. After all,
they are Arabic numbers. Clearly we must break all ties with the Arab world
until they hand over those responsible."

"In the past, the number zero was known as a cipher. Clearly this shows that
strong cryptography is harmful and the Government must retain control."

In a separate development, Prime Minister Vajpayee of India pointed out that
"actually, the number zero was invented in India in about 876AD. Clearly the
Arabs and the West have no concept of nothing. Only South Asians can really
understand what it means."

It is unclear whether he was trying to say that only the Indian software
industry could solve Y2K. It is thought that a case may be brought to WIPO
concerning the loss of intellectual property suffered by India for the last
DCCC years. Damages could run to billions of dollars.

Y10K opportunity

"Matthew Todd" <>
Thu, 1 Apr 1999 09:33:03 +0600
Date: 1 April 9990
From: System Proving Office and Original Fault Finding, MacroHard Corporation
To: Bob Gates-Windows-Doors III, CEO MacroHard Corporation
Subject: Y10K

It would seem that a potentially serious fault exists which will affect all
known computer systems containing a date processor. This fault could have
catastrophic consequences on January 1, 10000. The origin of the fault has
been traced to a programming error which originated in the late years of the
20th century, when computing was in its infancy and had not developed into
the science which it is today.

It seems that before the historic splitting of the parent company of
MacroHard and Microsoft, as ruled by the US Supreme Court, that programmers
around the world all mistakenly wrote software using only 4 digits to
represent the year. Furthermore, this was then built into the hardware of
the time.

Huge amounts of effort were expended in the early days of computing
correcting an even earlier "bug" when only two digits had been used in some
systems to represent the year. Why at that time no-one had the foresight to
properly correct this error no-one can tell, although speculation rests with
some quasi-religious belief that the world would come to an end in the new
millennium, so they only had to get through to 2001.

This error has been built into all processing chips of the MacroHard
Corporation ever since its formation out of the remains of MS-OS, Intel and
AMI following the ruling of the Supreme Court. The effects of this error
could be disastrous. On January 1, 10000 all systems containing a MacroHard
chip will roll-over to 0000. Due to backward compatibility with MS-DOS this
will then be interpreted by the operating system as either January 1, 1980
or January 0, 1900.

Explanation: MS-DOS was the first operating system of the MS organisation
and originally did not recognise dates before 1980; when MS introduced its
Excel spreadsheet program, only dates after 1900 were recognised as valid

Other problems: Y10K is a leap year, so was 1980, but 1900 wasn’t,
therefore 29 February, 10000 may cease to exist on some
systems. Fortunately, MS foresaw this by including 29 February, 1900 as a
valid date in their MS-Excel package.

Note: a similar problem to this was overcome in 2099 by MacroHard, when all
processors would have reset themselves to 1980 on January 1, 2100. However,
at that time it was still considered adequate to use four digits to
represent the year.

MacroHard chips are now embedded in so many systems that control the day to
day lives of every citizen in the known universe that urgent action is
required. We recommend the establishment of a secret Y10K task force to
consider possible options and defence strategies to protect MacroHard
Corporation from the potential fallout.

Replacing every single MacroHard chip for free is clearly not an option, as
although this would be within the financial means of the company it is
against corporate policy. One possible solution, based on the previous
history of Microsoft with Y2K is to announce the potential problem, but pin
the blame on those who made bad decisions in the past for short-sighted
gain. We can then announce a new generation solution, which will be Y10K
compliant - possible name: System 10000. This solution can then be sold on
the open market. Anyone choosing not to upgrade could be held responsible
for the consequences, since we would have given them both adequate warning
of the impending disaster, and would have provided an alternative. If we fix
the price well in advance we should be able to turn this into a healthy
profit making opportunity.

At the moment we have almost 10 years to take advantage of this opportunity,
so it may still be too early to make an announcement. However, timing is
critical, since we don't want anyone else to realise this is going to happen
beforehand or they might try to pin the blame on us.

Torvalds, SlashDot, and Stallman

Martin Minow <>
Wed, 31 Mar 1999 20:48:35 -0800
<> (good Thursday, April 1)
reports on changes in the software industry: Linus Torvalds starts
LinusSoft, a for-profit operating system venture (they expect to file for an
IPO within 36 hours). Also, SlashDot <> (home of many
open-source related flames) launches Slashdot Investor.

Also, "In Redmond, Microsoft announced that Free Software Foundation founder
Richard Stallman had accepted the new position of Senior Vice President for

Martin Minow,

Melissa and RISKS

"Peter G. Neumann" <>
Tue, 30 Mar 1999 08:01:17 PST
With all the furor since last Friday over the Melissa virus-like Trojan
horsed e-mail propagation (see next items), deeper issues are somehow lost
in the shuffle.  The vulnerabilities exploited in the MS Word macro virus in
Microsoft Outlook and Outlook Express have been around for a long time and
are likely to be around for a long time.  Although some palliative fixes are
available, the fundamental problems remain.  (For example, filters deleting
e-mail with "Subject: Important Message from ..." are only partially useful,
in light of recent versions of Melissa with blank Subject lines.)  The basic
system infrastructure is incapable of adequately protecting itself against
all kinds of misuses, and this particular exploit is just another reminder
that many folks need to wake up.  The situation could have been much worse,
but unfortunately many folks who depend on systems that are inherently
inadequate do not get the proper messages when the situation is *not* a
terrible disaster.  On the other hand, even if we had terrible disasters, it
does not seem to be enough.  And this was presumably not even an early April
Fool's spoof — just another example microcosmically of what could be done
macrocosmically.  Many of the constructive lessons that should have been
learned from the Internet Worm over 10 years ago are still unlearned.

  [The late-breaking news (31 Dec 1999) that Yugoslav crackers are
  performing denial-of-service attacks against the NATO Website should
  also come as no surprise.  Can it be that only RISKS readers realize
  how flaky our compunications <*> infrastructures are?]

    [* I spent last Saturday at the 70th birthday roast for my PhD thesis
    professor, Tony Oettinger, who long ago coined the combining term
    "Compunications".  In that the string "pun" is contained therein, it
    seemed appropriate to mention it here.  PGN]

Melissa macro virus

Rob Slade <>
Tue, 30 Mar 1999 16:51:23 -0800
A report prepared by Robert M. Slade

The following is an attempt to bring together the information about the
Melissa virus.  It is taken from the most reliable available sources.
Additional sites have been listed at the end of the article.  I have not
added a copyright line to this message in order to allow it to be used as
needed.  I will be posting the latest updated version of this article at and

The virus, generally referred to as W97M.Melissa.A (with some variations:
Symantec, in a rather strained effort to be cute, seems to be calling it
"Mailissa"), is a MS Word macro virus.  This means that, if you don't use
Word, you are safe.  Completely safe.  (Except for being dependent upon
other people who might slow their/your mail server down.  More on that
later.)  If you need to look at MS Word documents, there is a document
viewer available (free, as it happens) from Microsoft.  This viewer will not
execute macros, so it is safe from infection.

In the messages about Melissa, there have been many references to the
mythical and non-existent "Good Times" virus.  Note that simply reading the
text of a message still cannot infect you.  However, note also that many
mailers, in the name of convenience, are becoming more and more automated,
and much of this automation concerns running attached files for you.  As
Padgett Peterson, author of one of the best macro virus protection tools,
has stated, "For years we have been saying you could not get a virus just by
opening E-Mail.  That bug is being fixed."

Melissa does not carry any specifically damaging payload.  If the message is
triggered there will be text added to the active document.  The mailout
function can cause a large number of messages to be generated very quickly,
and this has caused the shutdown of a number of corporate mail servers.

If you have Word set with macros disabled, then the virus will not activate.
However, relying on this protection is a very dangerous proposition.
Previous macro viruses have also killed macro protection in Word, and this
one does as well.

The name "Melissa" comes from the class module that contains the virus.  The
name is also used in the registry flag set by the virus.

The virus is spread, of course, by infected Word documents.  What has made
it the "bug du jour" is that it spreads *itself* via e-mail.  We have known
about viruses being spread as attachments to e-mail for a long time, and have
been warning people not to execute attachments (or read Word documents sent
as attachments) if you don't know where they came from.  Happy99 is a good
example: it has spread very widely in the past month by sending itself out
as an e-mail attachment whenever it infects a system.

Melissa was originally posted to the newsgroup.  At that time it was
LIST.DOC, and purported to be a list of passwords for sex sites.  I have
seen at least one message theorizing that Melissa is someone's ill-conceived
punishment for viewers of pornography.  This hypothesis is extremely
unlikely.  Sending a virus to a sex related newsgroup seems to be a reliable
way to ensure that a number of stupid people will read and/or execute your
program, and start your new virus off with a bang.  (No pun intended.)

If you get a message with a Melissa infected document, and do whatever you
need to do to "invoke" the attachment, and have Word on your system as the
default program for .doc files, Word starts up, reads in the document, and
the macro is ready to start.  If you have Word's "macro security" enabled
(which is not the default) it will tell you that there is a macro in the
document.  Few people understand the import of the warning, and there is no
distinction between legitimate macros and macro viruses.

Because of a technical difference between normal macros and "VBA objects," if
you ask for a list of the macros in the document, Melissa will not show up.
It will be visible if you use the Visual Basic Editor, but only after you
have loaded the infected file.

Assuming that the macro starts executing, several things happen.

The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word 9) is
running.  If so, it reduces the level of the security warnings on Word so
that you will receive no future warnings.  In Word97, the virus disables the
Tools/Macro menu commands, the Confirm Conversions option, the MS Word macro
virus protection, and the Save Normal Template prompt.  It "upconverts" to
Word 2000 quite nicely, and there disables the Tools/Macro/Security menu.

Specifically, under Word 97 it blocks access to the Tools|Macro menu item,
meaning you cannot check any macros.  It also turns off the warnings for
conversion, macro detection, and to save modifications to the NORMAL.DOT
file.  Under Word 2000 it blocks access to the menu item that allows you to
raise your security level, and sets your macro virus detection to the lowest
level, that is, none.  (Since the access to the macro security menu item is
blocked, I do not know how this feature can be reversed, other than
programmatically or by reinstallation.)

After this, the virus checks for the
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key
with a value of "... by Kwyjibo".  (The "kwyjibo" entry seems to be a
reference to the "Bart the Genius" episode of the "Simpsons"
television program where this word was used to win a Scrabble match.)

If this is the first time you have been infected (and this "first time"
business is slightly complicated), then the macro starts up Outlook, in the
background, and sends itself as an attachment to the "top" 50 names in
*each* of your address lists.  (Melissa will *not* use Outlook Express.)
Most people have only one (the default is "Contacts"), but if you have more
than one then Outlook will send more than 50 copies of the message.  Outlook
also sorts address lists such that mailing lists are at the top of the list,
so this can get a much wider dispersal than just fifty copies of the
message/virus.  There was also a mention on one message about MAPI and
Exchange servers, which may give access to a very large number of mailing
lists.  From other reports, though, people who use Exchange mail server are
being particularly hard hit.  Then again, people who use Exchange are
probably also standardized on Word and Outlook.

Some have suggested setting this registry key as a preventive measure, but
note that it only prevents the mailout.  It does not prevent infection.  If
you are infected, and the registry key is removed at a later date, then a
mailout will be triggered the next time an infected document is read.

Once the messages have been sent, the virus sets the Melissa flag in the
registry, and looks for it to check whether or not to send itself out on
subsequent infections.  If the flag does not persist, then there will be
subsequent mass mailings.  Because the key is set in HKEY_CURRENT_USER,
system administrators may have set permissions such that changes made are
not saved, and thus the key will not persist.  In addition, multiple users
on the same machine will likely each trigger a separate mailout, and the
probability of cross infection on a common machine is very high.

Since it is a macro virus, it will infect your NORMAL.DOT, and will infect
all documents thereafter.  The macro within NORMAL.DOT is "Document_Close()"
so that any document that is worked on will be infected when it is closed.
When a document is infected the macro inserted is "Document_Open()" so that
the macro runs when the document is opened.

Note that *not* using Outlook does not protect you from the virus, it only
means that the 50 copies will not be automatically sent out.  If you use
Word but not Outlook, you will still be infected, and may still send out
infected documents on your own.  The virus also will not invoke the mailout
on Mac systems, but definitely can be stored and resent from Macs.  At this
time I do not have reliable information about whether it can reproduce on
Macs (there is one report that it does), but the likelihood is that it can.

Vesselin Bontchev has noted that the virus never explicitly terminates the
Outlook program.  It is possible that multiple copies may be invoked, and
may create memory problems.  However, this has not been confirmed, and is
not probable given the "first time" flag that is set.

The message appears to come from the person just infected, of course, since
it really is sent from that machine.  This means that when you get an
"infected" message it will probably appear to come from someone you know and
deal with.  The subject line is "Important Message From: [name of sender]"
with the name taken from the registration settings in Word.  The text of the
body states "Here is that document you asked for ... don't show anyone else
;-)".  Thus, the message is easily identifiable: that subject line, the very
brief message, and an attached Word document (file with a .doc extension to
the filename).  If you receive a message of this form *DO NOT OPEN THE
DOCUMENT WITH WORD!* If you do not have alternate means or competent virus
assistance, the best recourse is to delete the message, and attachment, and
to send a message to the sender alerting them to the fact that they are,
very likely, infected.  Please note all the specifics in this paragraph, and
do not start a panic by sending warnings to everyone who sends you any
message with an attachment.

However, please also note that, as with any Word macro virus, the source
code travels with the infection, and it will be very easy to create
modifications to Melissa.  (The source code has already been posted to one
Web site.)  We will, no doubt very soon, start seeing many Melissa variants
with different subjects and messages.  There is already one similar Excel
macro virus, called "Papa."  The virus contains the text "Fred Cohen" and
"," leading one rather ignorant reporter to assume that Fred was the
author.  Dr. Cohen was the first person to do formal research into viral

There is a message that is displayed approximately one time in sixty.  The
exact trigger is if the current system time minute field matches the current
system time day of the month field when the virus is run.  In that case, you
will have "Twenty-two points, plus triple-word-score, plus fifty points for
using all my letters.  Game's over. I'm outta here." typed into your document.
(This is another reference to the "Simpsons" episode referred to earlier.)

One rather important point: the document passed is the active document, not
necessarily the original posted on  So, for example, if I am
infected, and prepare some confidential information for you in Word, and
send you an attachment with the Word document, containing sensitive
information that neither you nor I want made public (say, the fact that Bill
Gates is a jerk for having designed the technology this way), and you read
it in Word, and you have Outlook on your machine, then that document will be
mailed out to the top 50 people in your address book.

Rather ironically, a clue to the identity of the perpetrator may have come
from the identification number embedding scheme recently admitted by
Microsoft as having been included with Office and Windows 98.
   [Traced to an AOL user, apparently...  PGN]

A number of fixes for mail servers and mail filtering systems have been
devised very quickly.  However, note that not all of these have been fully
tested
or debugged.  One version that I saw would trap most of the warning messages
about Melissa.

Note that any Word document can be infected, and that an infected user may
unintentionally send you an infected document.  All Word documents, and
indeed all Office files, should be checked for infection before you load

Information and antiviral updates (some URLs are wrapped):
  news/0,4586,2233030,00.html,1087,3_89011,00.html    or
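The report above describes the three things that identify a Melissa carrier (the "Important Message From:" subject, the "Here is that document you asked for" body text, and an attached .doc file), and the moderator's note earlier in this issue points out that filters keyed on the subject line alone are only partially useful because variants with blank subjects already exist. The following Python routine is an added example, not code from the digest or from Robert Slade's report: it builds a few constructed sample messages with the standard library `email` package and compares a subject-only rule against a rule that requires a .doc attachment together with either the subject or the body text. The function names, the sample addresses and the sample attachment bytes are assumptions made for the example; the OLE2 magic bytes checked on the attachment are the real compound-document header, but the check is only a sanity test on the sample data.

```python
"""Melissa-style message triage over constructed samples.

Added example; not part of the RISKS digest or any contributor's code.
The indicators (subject, body text, .doc attachment) come from the report;
every message below is constructed here for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_MARKER = "important message from"
BODY_MARKER = "here is that document you asked for"
# Real OLE2 compound-document header, which genuine Word 97 .doc files carry.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CLASSIC_BODY = "Here is that document you asked for ... don't show anyone else ;-)"


def build_message(subject, body, attach_name=None, attach_bytes=b""):
    """Construct one sample message as raw bytes (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"   # assumed sample addresses
    msg["To"] = "bob@example.invalid"
    if subject:                             # blank-subject variants omit it
        msg["Subject"] = subject
    msg.set_content(body)
    if attach_name is not None:
        msg.add_attachment(attach_bytes, maintype="application",
                           subtype="msword", filename=attach_name)
    return msg.as_bytes()


def subject_only_rule(raw):
    """The palliative filter the digest mentions: match on Subject alone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return SUBJECT_MARKER in (msg["Subject"] or "").lower()


def indicators(raw):
    """Return the set of Melissa indicators present in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    if SUBJECT_MARKER in (msg["Subject"] or "").lower():
        found.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        found.add("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc"):
            found.add("doc-attachment")
            # get_content() on a non-text part yields the decoded bytes.
            if part.get_content().startswith(OLE2_MAGIC):
                found.add("ole2-magic")
    return found


def multi_indicator_rule(raw):
    """Quarantine when a .doc attachment travels with the body text or the
    subject from the report; the subject alone is neither required nor
    sufficient, so a blank-subject variant is still caught and a message
    that merely reuses the subject line is not."""
    found = indicators(raw)
    return "doc-attachment" in found and bool({"subject", "body"} & found)


# Constructed samples: a textbook carrier, a blank-subject variant, an
# ordinary document exchange, and a subject-only false positive.
SAMPLES = {
    "classic": build_message("Important Message From: Alice", CLASSIC_BODY,
                             "list.doc", OLE2_MAGIC + b"\x00" * 24),
    "blank-subject": build_message("", CLASSIC_BODY,
                                   "list.doc", OLE2_MAGIC + b"\x00" * 24),
    "benign-doc": build_message("Q3 report", "Attached as discussed.",
                                "report.doc", OLE2_MAGIC + b"\x00" * 24),
    "subject-only-fp": build_message("Important Message From: HR",
                                     "Please read the new travel policy."),
}


def triage(samples=SAMPLES):
    """Map sample name -> (subject-only verdict, multi-indicator verdict)."""
    return {name: (subject_only_rule(raw), multi_indicator_rule(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (subj, multi) in triage().items():
        print(f"{name:16s} subject-only={subj!s:5s} multi-indicator={multi}")
```

Running the block prints one line per sample; the blank-subject variant is the case the subject-only rule misses, and the "HR" message is the case it flags needlessly. The report's own warning still applies to any rule of this kind: the macro source travels with the infection, so variants with different subjects and body text are to be expected, and a filter on message text is a stop-gap next to disabling macro execution on documents received by mail.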

Melissa and monocultures

Nick Leverton <>
Wed, 31 Mar 99 13:54:52 GMT
The current outbreak of the Microsoft Word "Melissa" virus/worm is a
graphical illustration of the RISKS of monoculture.  Agriculturalists long
ago discovered the problems of single strain crops, in that they provide an
ideal habitat for an adapted pest or disease which can wipe them out.

With W97M/Melissa, the global e-mail network of at least one major
international computer corporation with which I am familiar had to be
disabled for 24 hours on Mon/Tue 1999-03-29 to 1999-03-30 to prevent the
spread of Melissa-infected documents.  (Melissa, for those fortunate enough
not to have encountered it, is a Microsoft Word 97 macro virus, which also
acts as a worm by reading 50 entries from a Microsoft address book and
mailing itself out with subject "Important information from ...").

Ironically, and the point of this mail, sites within the corporation still
running the older Unix/X.400 environment or the niche Unix/SMTP environment
were unaffected, except that they were brought down too by the lack of
connectivity from corporate mail gateways.  A heterogeneous environment
poses much greater barriers to the spread of this or any virus.  Reliance on
a single product or family of products, from a similar supplier, is a RISK
that is familiar in the engineering and farming professions but needs to be
better known in the computing ones.

Nick Leverton

  [Lloyd Wood notes that Microsoft itself put a halt to all outgoing
  e-mail throughout the company on Friday to guard against propagation.]

Melissa and GUIDs

Ronan Waide <>
Tue, 30 Mar 1999 17:05:50 +0100 (IST)
Of course, conspiracy folks can enjoy the following course of events:

1 Presence of GUID in Microsoft-made documents revealed.
2 Melissa worm wreaks havoc on the net.
3 Alleged author of worm tracked with GUIDs.

Let's wait for

4 Microsoft praised for having GUIDs in documents.

/ Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax)

Melissa + meme = future disaster

Bear Giles <>
Sun, 28 Mar 1999 12:03:11 -0700 (MST)
While reading the press coverage about the Melissa e-mail virus/worm, it
occurred to me that a trivial change would make it *far* worse.

The problem was that Melissa advertised pornographic sites, so it was often
brought to the attention of responsible parties who could recognize it was a
virus and take appropriate measures.  If it were a human virus, it would be
something that sent people rushing to the doctor.

What if Melissa's message were something innocuous?  What if it was a meme
with a proven track record of being readily passed from person to person?

  Make $20,000 with only $5!

  Send your business card to a dying child seeking to get into the
  Guinness Book of World Records!

  Send this message to 100 friends and get a free trip to Disney World
  from Bill Gates and Disney!

When people feel good, how many rush to the doctor to verify it isn't due to
brain cancer?  Of those who do, how many are taken seriously?

The most obvious effect of this change is that far fewer people would bring
the message to the attention of their MIS department or ISP. Even hardened
security experts might let the message slide as just another scam or urban
legend.  Only the sheer volume of messages would indicate that something odd
was occurring.

A less obvious effect of this change is even worse.  Few people would
forward an ad for pornographic sites on their own, but the aforementioned
messages (and others) *are* forwarded.  With changes.  The current virus can
be easily caught at the mail server by checking the subject line... but what
if "helpful" individuals were personalizing it?  Ditto the non-viral

Even if it's technically possible to scan the contents of every mail
document for an embedded macro virus, is it ethical?  Such a filter would be
invasive... and yet offer no guarantee that a copycat virus wouldn't get
through.  The real problem, after all, isn't in the virus itself, it's in an
application for a *single* company defying all common sense and loading
macros from e-mail.  I think it's no coincidence that I haven't seen this
virus...  and I and my friends all run either Linux or MacOS.

Bear Giles <>
