More Mac Viruses Threaten Windows
The Little Engine That Couldn't
The real message Melissa.W (aka Melissa.X) brings us may be lost amid the hoopla. This Macintosh Office 2001 macro virus that cross-infects all versions of Windows highlights a troubling limitation of many antivirus scan engines. They simply don't detect the Mac format. While a quick signature update might solve the Melissa.W occurrence in the short term, the fact is there are other such variants of macro viruses threatening users.
According to MessageLabs, "AV vendors who have issued signature updates to catch Melissa in Mac Office 2001 are missing the point. There are at least 10 other viruses in the wild in Mac Office 2001 format. AV vendors who cannot catch viruses in Mac Office 2001 documents need to issue an engine upgrade as soon as practicable."
Testing of antivirus products for detection of the Mac Office 2001 format viruses revealed the only vendors capable of successfully detecting the Mac Office 2001 format were: AVP (Kaspersky), Command Software, Computer Associates, F-Secure, Panda Software, and Symantec. Other vendors, such as Trend, Sophos, Network Associates (McAfee), Norman, and Alwil, require both engine updates and signature files to detect the new Melissa and other Mac Office 2001 infectors.
Alex Shipp, Senior Antivirus Technologist for MessageLabs, expressed concern: "Following last week's Melissa outbreak, it has become apparent that many older virus scanners are unable to detect viruses in Microsoft Macintosh Office 2001 documents. In order to get some idea of the scale of the problem, we rechecked all viruses in Microsoft Office documents stopped by MessageLabs so far in January. We found 10 other viruses in Macintosh Office 2001 documents. All of these were undetected by the same virus scanners that were unable to detect the Melissa outbreak. Vendors which have brought out specific patches to detect Melissa, but have not changed their underlying scanner engine, are therefore still vulnerable."
Infected variants of macro viruses that may remain undetected include W97M/Marker, W97M/Thus, W97M/Story, and an as yet unnamed new variant MessageLabs has temporarily dubbed W97M/PSD. It appears these variants were created when infected users upgraded from previous versions of Macintosh Office.