Melissa (computer virus)
|This article needs additional citations for verification. (January 2011)|
|Author(s)||David L. Smith|
|Operating system(s) affected||Microsoft Windows 98|
The Melissa virus, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus. As it is not a standalone program, it is not a worm.
First found on March 26, 1999, Melissa shut down Internet E-mail systems that got clogged with infected e-mails propagating from the virus. Melissa was not originally designed for harm, but it overloaded servers and caused problems.
Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allowed access into 80 pornographic websites. The virus' original form was sent via e-mail to many people.
David L. Smith
Melissa was put in the wild by David L. Smith of Aberdeen Township, New Jersey (The virus itself was credited to Kwyjibo, who was shown to be macrovirus writers VicodinES and ALT-F11 by comparing MS Word documents with the same globally unique identifier — this method was also used to trace the virus back to Smith.) Smith was sentenced to 10 years, serving 20 months, and was fined US $5,000. The arrest was the result of a collaborative effort involving (amongst others) the FBI, the New Jersey State Police, Monmouth Internet and a Swedish computer scientist.
If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.
When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
This is another variant of the original Melissa macro virus, and is akin to Melissa.U. It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book. The subject line of the infected e-mail sent out is: "My Pictures (<Username>)", where <Username> is the name to whom the sender's copy of Microsoft Word is registered.
There is also a variant of the virus named Melissa.V/E which is known to seek and destroy Microsoft Excel documents, randomly deleting sets of data from files, or, at the worst, making them completely useless by applying a set of malicious Macro code. To simplify the code, the author has encrypted only a vectorial search pattern in it, so the virus can only delete linear sets of data, usually random rows or columns in a table. It also has a search parameter that makes it go only for unique sets of data, known to cause more damage.
A later edit of this variant makes backup copies of the destroyed files, and asks for a ransom of $100 to be transferred into an offshore account in return for the files. The account has been traced back to the owner. Due to a malfunction in code, in less than 1% of cases the code still makes copies.
This virus was rendered obsolete when it was discovered that it leaves visible traces in the Windows Registry, providing enough data to ensure its destruction and the retrieval of stolen data .
A special version of this variant also modifies the backed-up data, fooling the user even more. It searches for numeric data inside the files, and then, with the help of a random number generator, slightly modifies the data, not visibly, but making it useless.
There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately. It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".
Melissa.W does not lower macro security settings in Word 2000. Otherwise it is functionally equal with Melissa.A.
This is what the e-mails from this version contain:
Subject: Extremely URGENT: To All E-Mail User - <19.12.99> Attachment: <Infected Active Document> Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.
Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload consists of the virus inserting the following string into the document: "Worm! Let's We Enjoy."
- Timeline of computer viruses and worms
- List of computer viruses
- Morris worm
- SQL Slammer
- Code Red (computer worm)
Notes and references
- "W97M.Melissa.A". Symantec. Retrieved 9 February 2013.
- Poulson. "Justice mysteriously delayed for ‘Melissa’ author".
- "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (Press release). U.S. Department of Justice. 2002-05-01. Retrieved 2006-08-30.
- Tracking Melissa's alter egos, ZDNet, 1999-04-02
- Vincentas (6 July 2013). "Melissa in SpyWareLoop.com". Spyware Loop. Retrieved 28 July 2013.
- Kaminski, Jakub. "Virus:W97M/Melissa.A". Microsoft Malware Protection Center. Microsoft Corporation. Retrieved 11 February 2013.