Nailing Worm Author 'Difficult'

Whoever unleashed the latest Internet worm was crafty, using code that will be hard to track back to the author. Meanwhile, the FBI intensified its investigation. By Chris Oakes.

A key player in the Melissa virus case said federal investigators might have a more difficult time tracking down the author of the harmful WinExploreZip worm.

But evidence already obtained about the code and its intended targets should begin to help agents narrow the search, consultant Richard Smith said Friday.


"Virus writers leave a whole lot of clues behind and they can be traced," Smith said.

In the Melissa investigation, which began after the appearance of that virus in April, Smith was able to compare data discovered in earlier viruses and search Melissa for the same kinds of data. As a Word macro virus, Melissa contained hidden but accessible clues in the form of English-language text.

Smith, president of Phar Lap Software, found the name of Melissa's alleged author, David L. Smith, embedded in the code. Investigators ultimately traced him through his dialup connection to the Internet.

WinExploreZip appears to be a tougher nut to crack. As executable code written in the Delphi language, the worm lacks the embedded text that might otherwise include the author's name and details about computer file directories and paths.

"The key issue here is if there are any telltale signs in that file," Smith said. "Executables sometimes have telltale information, but generally less [than macro viruses like Melissa]."

A spokeswoman for the FBI, meanwhile, said that the bureau had no new information on its investigation. But late Friday the agency's press office issued a statement saying the investigation was going into high gear because of the worm's power.

"The ExploreZip worm has the potential of doing significant damage to private sector and government computer systems," the statement said.

The agency urged victims to contact FBI field offices nearest them. "Transmission of malicious code can be a federal criminal offense and the FBI is aggressively investigating this matter. The [National Infrastructure Protection Center] is monitoring developments and coordinating field office investigations."

The knowledge that WinExploreZip was written in Delphi will at least tip off investigators in the direction of online discussion groups focused on that language. Posters there could be among the suspects. Also, Smith said, programmers like to sign their "work," so the code will have to be studied closely for such a signature string.
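The string triage Smith describes, pulling printable text out of a compiled executable and looking for leftovers such as build paths, addresses or a signature tag, can be sketched in a few lines. This is an added example, not code from the article or from any investigator; the sample bytes, paths and names are constructed for illustration and come from no real worm.

```python
import re

# Constructed sample "executable": junk bytes interleaved with the kinds of
# leftovers investigators hunt for (a build path, an address, a UTF-16 tag).
# Every value here is made up for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"C:\\Projects\\Delphi\\Worm\\main.dpr\x00\x01\x02"
    b"\x7f\x13greets to all@example.invalid\x00\x00\x19"
    + "Signed by NOBODY-1999".encode("utf-16-le") + b"\x00\x00\xde\xad"
)

PATH_RE = re.compile(r"^[A-Za-z]:\\|^\\\\|^/")          # drive, UNC or POSIX path
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # something@host.tld


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long (what 'strings' prints)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII stored as UTF-16LE, which plain 'strings' misses."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def classify(s: str) -> str:
    """Tag a recovered string by the kind of lead it might be."""
    if PATH_RE.search(s):
        return "path"
    if EMAIL_RE.search(s):
        return "email"
    return "text"


def triage(data: bytes, min_len: int = 4) -> list:
    """Return (encoding, category, string) for every candidate lead in data."""
    found = [("ascii", classify(s), s) for s in ascii_strings(data, min_len)]
    found += [("utf-16le", classify(s), s) for s in utf16le_strings(data, min_len)]
    return found


if __name__ == "__main__":
    for enc, kind, text in triage(SAMPLE_BINARY):
        print(f"{enc:9} {kind:6} {text}")
```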

Smith said that the text fingerprints often left behind by virus writers have sent some of them into retirement.

For example, the author of the ubiquitous but harmless Happy99 worm recently announced his retirement in an online discussion forum. That largely harmless but annoying executable file stealthily attached itself to outgoing email messages. It simply played a short fireworks animation on the victim's screen.

"The guy who wrote it said 'I'm out of here' after Melissa," Smith said. "He thought it was too identifiable. 'Too many clues get left behind,' he said. And he's correct."

Virus writers are learning to fear the consequences of their code. Beyond criminal charges, a program that unleashes destruction upon a corporation's computer files can easily become a civil lawsuit.

"A lot of [virus authors] don't have the resources to handle this kind of trial – so they can really be up a creek," said Smith.

Still, whoever wrote WinExploreZip may feel safe behind a wall of obtuse instructions that offer few identifying clues. Bill Orvis, a security specialist for the Department of Energy's Computer Incident Advisory Capability, said he has examined the WinExploreZip code line by line and come up empty-handed.

"There's not too much in it that could point you at who actually did it," said Orvis. But he agreed that the Delphi language connection is a means of narrowing the hunt.

Paul Hoffman, executive director of the Internet Mail Consortium, said that simply tracing the worm's email path to its point of origin – apparently in Israel – would be a daunting task.

"You would have to find the first set of people who got it and track it back to the individual who sent it to them," said Hoffman. "And the sender's address is most likely bogus." Nothing in the headers of the copy of the virus Hoffman received contains anything telling.

"It seems much less likely they'll find the creator in this case."
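Hoffman's point, that the path has to be walked back hop by hop through Received headers while the From line proves nothing, is shown below on a constructed message. This is an added example, not code from the article or from the Internet Mail Consortium; all hostnames, addresses and IDs are invented (reserved documentation ranges and .invalid names).

```python
import re
from email import message_from_string

# Constructed message: three relay hops plus a From line that need not be
# true. Nothing here is from a real worm sample.
SAMPLE_MESSAGE = """\
Received: from mx.victim.invalid (mx.victim.invalid [192.0.2.10])
\tby mail.victim.invalid with ESMTP id 42; Fri, 11 Jun 1999 12:01:00 -0700
Received: from relay.isp.invalid (relay.isp.invalid [198.51.100.7])
\tby mx.victim.invalid with ESMTP id 41; Fri, 11 Jun 1999 12:00:30 -0700
Received: from home-pc (dialup-203-0-113-99.isp.invalid [203.0.113.99])
\tby relay.isp.invalid with SMTP id 40; Fri, 11 Jun 1999 12:00:01 -0700
From: "A. Friend" <friend@victim.invalid>
To: someone@victim.invalid
Subject: Hello

Hello.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> list:
    """Hops oldest-first. 'claimed' is the HELO name the sender gave; 'ip' is
    what the receiving server ('by') actually saw, so it is only as
    trustworthy as that server."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):  # bottom = first hop
        m = HOP_RE.search(re.sub(r"\s+", " ", hdr))
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append({"claimed": m.group(1),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group(3)})
    return hops


def chain_is_consistent(hops: list) -> bool:
    """Each server that received the mail should be the one the next hop
    names as its source; a break suggests forged or stripped headers."""
    return all(hops[i]["by"] == hops[i + 1]["claimed"]
               for i in range(len(hops) - 1))


def origin_vs_from(raw: str) -> tuple:
    """The From line beside the first IP a relay actually recorded."""
    hops = received_hops(raw)
    return message_from_string(raw)["From"], hops[0]["ip"] if hops else None
```

The earliest hop's IP is the lead worth chasing; the From address is just a header the sender typed.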

Meanwhile, Orvis said that damage reports by midday Friday were remarkable.

"The reports I'm getting are that [damage at] the sites it is hitting [is] severe."

Orvis said WinExploreZip is not spreading nearly as quickly as Melissa did, but "when it hits, it hits bad."

"It's wiping out so many files on people's systems. And if it does that to a whole office full of computers ... it's going to be some time before they can get everything working again."

Orvis wouldn't identify the companies that had reported to the CIAC, or how many.
