The Melissa virus was a mass-mailing macro virus from March 1999. It was one of the more notorious computer viruses of the 1990s, and reportedly the author named it for a dancer he met in a Florida nightclub. Authorities quickly identified the author, David Lee Smith, and arrested him in New Jersey on April 1, 1999. He served two and a half years in prison and paid $7,500 in fines for creating the virus.
Melissa started by taking over Microsoft Word running on its victims’ computers. It then used a macro to hijack their Microsoft Outlook e-mail client and send messages to the first 50 addresses in their Outlook address book. Those messages, in turn, tempted recipients with a virus-laden attachment under names as “sexxxy.jpg” or “naked wife” or the deceitful assertion, “Here is the document you requested … don’t show anyone else ;-).” This devious social engineering let the virus operate like a sinister, automated chain letter.
Description of the Melissa Virus
David Lee Smith, then aged 30, released the virus on Friday March 26, 1999. Smith used a hijacked AOL account to post the virus onto an Internet newsgroup called “alt.sex.” The owner of the account was a 37-year-old civil engineer from Lynnwood, Wash. named Scott Steinmetz. He described himself as barely computer literate. Steinmetz’ inbox filled with angry replies and he quickly found out he was a suspect. He turned himself in for questioning and the FBI rapidly cleared him. Ironically, Steinmetz’s own work e-mail account received a copy of the virus as Melissa spread to corporate networks.
Clues in the code led authorities to the rightful author. The code resembled code written by a virus writer who used the alias VicodinES. A virus toolkit on Vicodin’s website contained code with names embedded in it. One of the names that appeared three times in the toolkit was David L. Smith.
Both Smith and VicodinES used the same ISP in New Jersey, and VicodinES operated a web server physically located in Orlando. New Jersey authorities who examined the web server determined that Smith and VicodinES were not the same person, and that Smith borrowed code extensively from VicodinES, but Smith coded the part of the virus that did the damage.
How the Melissa virus worked
The “list.doc” file contains a Visual Basic script that copies the infected file into a template file used by Word for custom settings and default macros. If the recipient opens the attachment, the virus creates an Outlook object. It then reads the first 50 addresses in each Outlook Global Address Book and sends a copy of itself to them. Melissa works on Microsoft Word 97, Microsoft Word 2000 and Microsoft Outlook 97 or 98 e-mail clients running under Windows or a Macintosh. Other e-mail clients can receive the virus, but Melissa requires Outlook to spread further. Notably, it was not compatible with Outlook Express.
A second payload occurs when the current minute matches the day when it is being launched. When this happens, Melissa inserts a quote from an episode of the Simpsons, Bart the Genius: “Twenty-two points, plus triple-word-score, plus 50 points for using all my letters. Game’s over. I’m outta here,” into open Microsoft Word documents. The Kwyjibo alias used in the macro script was also a reference to the Simpsons episode Bart the Genius.
Impact
The timing of the release early on a Friday morning allowed it to spread very quickly through corporate environments. The virus slowed down e-mail systems at more than 300 organizations due to overloading Microsoft Outlook clients and Microsoft Exchange servers with e-mails. Major organizations impacted included Microsoft, Intel Corp, and the United States Marine Corps. The Computer Emergency Response Team, a Pentagon-financed security service at Carnegie Mellon University, reported 250 organizations called regarding the virus, indicating at least 100,000 workplace computers were infected. Not everyone reported of course, so the total number affected has been estimated at closer to one million. Victim organizations contained the virus within a few days, although complete removal took longer. At the time, it was the fastest spreading e-mail worm in history.
Cleaning up late 90s viruses was very time consuming and it turned antivirus into must-have software in work environments. It became so lucrative that companies like Intel and Blackberry eventually got into the antivirus business.
My then-employer wasn’t impacted much by Melissa, but I think it was a matter of timing. That organization was impacted severely by a later virus called Love Letter. I headed up that organization’s Love Letter incident response, and determined expired antivirus software was the main thing leaving them vulnerable. The antivirus software that didn’t protect them from Love Letter most likely still had valid subscriptions when Melissa was released.
Arrest
On April 1, 1999, authorities in New Jersey arrested Smith due to a tip from AOL and a collaborative effort involving the FBI, the New Jersey State Police, and others. They accused Smith of causing $80 million worth of damages by disrupting personal computers and computer networks in business and government.
On December 10, 1999, Smith pleaded guilty to a second-degree charge of computer theft and a federal charge of damaging a computer program due to releasing the virus.
On May 1, 2002, he was sentenced to 20 months in federal prison and fined USD $5,000. He faced a maximum term of 10 years and $150,000 in fines on the federal charges. The state charges were worse. They carried 40 years and $480,000 in fines maximum. U.S. prosecutors suggested two years because he cooperated with authorities and helped them find and prosecute other virus creators. His state sentence was commuted to match the federal sentence.
Smith kept a low profile after his release.
The authors of later viruses, like Code Red and Love Letter, did a better job of covering their tracks and often remained unidentified.
David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
Oh, I remember it well. My employer had approved a new email system because we were in the process of adding PCs to what had been a Macintosh-only network. I had connected a full-time internet connection that supported our brand new Exchange server that could talk to both Mac and PC clients. I got word that a Microsoft-specific virus was spreading and disconnected the internet, putting the cable in a drawer in my desk (it was a lean shop at the time, I only had the network cables I needed). Fortunately, all of our in-bound internet email was processed on an outside server that translated the corporate email addresses we used to the old AOL accounts that each corporate office user had for corporate external email the Exchange server would eliminate. Ten minutes after I got the server disconnected I got through to our outside provider who had not been infected, and were in the process of building a filter that would eliminate any in-bound message with the payload. Three months later the company hired a consultant who used the existence of that Melissa virus to make me look bad. He removed the exchange server which had already paid for itself by reducing the AOL costs, replaced it with a very expensive Macintosh server, which failed in 15 month, and cost him his job because he hadn’t added it to the backup routine… Because he didn’t want to deal with backups, he’d never needed them.
What an unpleasant memory! I deny knowing anything about tape backups due to an unpleasant incident that happened in 2005. But my CISSP training says you need those.
?
The story of what happened in 2005? I don’t think I’m at liberty to tell that story but I can tell another one. On my first date with my now wife, I was late, AND we got interrupted by phone calls three times. There was a tape drive involved.
She must have seen the guy behind the geek. Congrats!