Melissa (computer virus)

Common name: Melissa
Technical name:
Type: Macro virus
Author(s): David L. Smith
Operating system(s) affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP [2]

The Melissa virus is a mass-mailing macro virus released on or around March 26, 1999. It targets Microsoft Word and Outlook-based systems and created considerable network traffic. The virus infects computers via email; the email is titled "Important Message From," followed by the current username. When the message is opened, the body reads, "Here's that document you asked for. Don't show anyone else ;)." Attached is a Word document titled "list.doc," containing a list of pornographic sites and accompanying logins for each. The virus then mass-mails itself to the first fifty people in the user's contact list and disables multiple safeguard features in Microsoft Word and Microsoft Outlook.

Description

The virus was released on March 26, 1999, by David L. Smith. [3] Smith used a hijacked AOL account to post the virus to an Internet newsgroup called "alt.sex." [4] It soon ended up on similar sex groups and pornographic sites before spreading to corporate networks. However, the virus itself was credited to Kwyjibo, a macro virus writer for VicodinS and ALT-F11, by comparing Microsoft Word documents with the same globally unique identifier. This method was also used to trace the virus back to Smith.

The "list.doc" file contains a Visual Basic script that copies the infected file into a template file used by Word for custom settings and default macros. If the recipient opens the attachment, the infected file is written to the computer's storage. The virus then creates an Outlook object, reads the first 50 names in each Outlook Global Address Book, and sends a copy of itself to the addresses read. [5] Melissa works on Microsoft Word 97, Microsoft Word 2000 and Microsoft Outlook 97 or 98 email clients. Microsoft Outlook is not needed to receive the virus in email, but the virus cannot mail itself onward without it.
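The message traits and the 50-address fan-out described above can be turned into a simple mail-gateway check. This is an added example, not code from the virus or from any vendor; the function names, the sample addresses and the constructed test message are assumptions made for illustration.

```python
import email
from collections import defaultdict
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from"           # subject quoted in the article
BODY_MARKER = "here's that document you asked for"  # body text quoted in the article
FANOUT = 50                                         # addresses mailed per address book


def melissa_indicators(raw):
    """Return the set of article-described traits found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip().lower().startswith(SUBJECT_PREFIX):
        hits.add("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        hits.add("body")
    if any((p.get_filename() or "").lower().endswith(".doc")
           for p in msg.iter_attachments()):
        hits.add("word_attachment")
    return hits


def fanout_senders(records, threshold=FANOUT):
    """records are (sender, recipient, subject); return high-fanout senders."""
    reached = defaultdict(set)
    for sender, rcpt, subject in records:
        if subject.strip().lower().startswith(SUBJECT_PREFIX):
            reached[sender].add(rcpt.lower())
    return sorted(s for s, r in reached.items() if len(r) >= threshold)


def sample(subject, body, attachment=None):
    """Build a constructed test message (placeholder bytes, no macro content)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    body = "Here's that document you asked for. Don't show anyone else ;)"
    lure = sample("Important Message From Pat", body, "list.doc")
    print(sorted(melissa_indicators(lure)))
```

A message showing all three traits is a strong match; a single trait (for example the subject alone) is only a weak signal, which is why the function returns the set rather than a verdict.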

Impact

The virus slowed down email systems by overloading Microsoft Outlook and Microsoft Exchange servers with emails. Major organizations impacted included Microsoft, Intel Corp, [6] and the United States Marine Corps. [7] The Computer Emergency Response Team, a Pentagon-financed security service at Carnegie Mellon University, reported that 250 organizations called regarding the virus, indicating at least 100,000 workplace computers were infected, although the number is believed to be higher. [8] An estimated one million email accounts were hijacked by the virus. [9] The virus was contained within a few days, although it took longer to remove it from infected systems entirely. At the time, it was the fastest spreading email worm. [citation needed]

A second payload triggers when the minute of the current time matches the day of the month on which the macro runs: the quote "Twenty-two points, plus triple-word-score, plus 50 points for using all my letters. Game's over. I'm outta here." is inserted into open Microsoft Word documents. This quote and the Kwyjibo alias used in the macro script both derive from an episode of The Simpsons, Bart the Genius. [10]

Arrest

On April 1, 1999, Smith was arrested in New Jersey due to a tip from AOL and a collaborative effort involving the FBI, the New Jersey State Police, Monmouth Internet, a Swedish computer scientist, and others. Smith was accused of causing US$80 million worth of damages by disrupting personal computers and computer networks in business and government. [11] [12]

On December 10, 1999, Smith pleaded guilty to a second-degree charge of computer theft [13] and a federal charge of damaging a computer program due to releasing the virus. [10]

On May 1, 2002, he was sentenced to 20 months in federal prison and fined US$5,000. [14] [15]

Related Research Articles

Computer worm: Self-replicating malware program

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

The Goodtimes virus, also styled as Good Times virus, was a computer virus hoax that spread during the early years of the Internet's popularity. Warnings about a computer virus named "Good Times" began being passed around among Internet users in 1994. The Goodtimes virus was supposedly transmitted via an email bearing the subject header "Good Times" or "Goodtimes", hence the virus's name, and the warning recommended deleting any such email unread. The virus described in the warnings did not exist, but the warnings themselves were, in effect, virus-like. In 1997 the Cult of the Dead Cow hacker collective announced that they had been responsible for the perpetration of the "Good Times" virus hoax as an exercise to "prove the gullibility of self-proclaimed 'experts' on the Internet".

In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, and PowerPoint, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus's behavior can still be difficult to detect.

Timeline of computer viruses and worms: Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Mydoom: Self-replicating malware program that spread by email

Mydoom was a computer worm that targeted computers running Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2024 has yet to be surpassed.

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS.

ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after May 5, 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs." At the time, Windows computers often hid the latter file extension by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files, then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.

Computer fraud is the use of computers, the Internet, Internet devices, and Internet services to defraud people or organizations of resources. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act (CFAA), which criminalizes computer-related acts under federal jurisdiction and directly combats the insufficiencies of existing laws. Types of computer fraud include:

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

ExploreZip is a destructive computer worm that attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999. The worm contains a malicious payload, and utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in the user's inbox. The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the Windows folder of the remote computer and then modifies the Win.ini file of the infected computer. On January 8, 2003, Symantec discovered a packed variant of this threat which exhibits the same characteristics.

Mylife (computer worm): Computer worm

MyLife, discovered by MessageLabs in 2002, is a computer worm that spreads itself by sending email to the addresses found in Microsoft Outlook's contacts list. Written in Visual Basic, it displays an image of a girl holding a flower while it attempts to delete files with certain filename extensions. It is named for a phrase appearing in the subject lines of the emails it sends. A variant, MyLife.B, also called the Bill Clinton worm, instead uses a subject line "bill caricature" and displays a cartoon image of Bill Clinton playing a saxophone. Many additional variants have been reported. When the infected file is run and the picture is closed, the worm runs its payload. MyLife checks the current time. If the minute value is 45 or higher, the worm searches the C:\ directory and deletes .SYS and .COM files, then does the same on D:\ drives.

Computer virus: Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Happy99: Windows computer worm and early e-mail virus

Happy99 is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

Anna Kournikova was a computer virus that spread worldwide on the Internet in February 2001. The virus program was contained in an email attachment, purportedly an image of tennis player Anna Kournikova.

The Pikachu virus, also referred to as Pokey or the Pokémon virus, was a computer worm believed to be the first malware geared at children, due to its incorporation of Pikachu, a creature from the Pokémon media franchise. It was considered similar to the Love Bug, albeit slower in its spread and less dangerous.

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

Locky

Locky is ransomware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, the macros save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs the user to download the Tor browser and visit a specific criminal-operated Web site for further information.

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.

References

  1. "Virus:W32/Melissa Description | F-Secure Labs". www.f-secure.com.
  2. "W97M.Melissa.A". Symantec. Retrieved 9 February 2013.
  3. Poulson. "Justice mysteriously delayed for 'Melissa' author". The Register.
  4. "Melissa Virus". Federal Bureau of Investigation. Retrieved 2022-04-01.
  5. "What is the Melissa Virus?". SearchSecurity. Retrieved 2022-04-06.
  6. "Melissa virus hits Outlook e-mail - Mar. 29, 1999". money.cnn.com. Retrieved 2022-04-01.
  7. McNamara, Paul (2014-03-25). "Melissa virus turning 15 … (age of the stripper still unknown)". Network World. Retrieved 2022-04-01.
  8. Markoff, John (1999-03-30). "Digital Fingerprints Leave Clues to Creator of Internet Virus". The New York Times. ISSN 0362-4331. Retrieved 2022-04-01.
  9. "Melissa Virus". Federal Bureau of Investigation. Retrieved 2022-04-01.
  10. "Melissa virus creator pleads guilty". BBC. 1999-12-09.
  11. "Tracking Melissa's alter egos". ZDNet. 1999-04-02.
  12. "The Melissa Virus: An $80 Million Cyber Crime in 1999 Foreshadowed Modern Threats". Federal Bureau of Investigation. Retrieved 2022-10-24.
  13. Lemos, Robert. "Smith pleads guilty to Melissa virus". ZDNet. Retrieved 2022-04-01.
  14. "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (Press release). U.S. Department of Justice. 2002-05-01. Retrieved 2006-08-30.
  15. "Press Release: Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison (May 1, 2002)". www.justice.gov. Retrieved 2020-01-05.