Melissa (computer worm)
Encyclopedia
The Melissa virus, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus
. As it is not a standalone program, it is not a worm
.
mail systems that got clogged with infected e-mails propagating from the virus.
Melissa was not originally designed for harm, but it overloaded servers and caused problems.
Melissa was first distributed in the Usenet
discussion group alt.sex
. The virus was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites. The virus' original form was sent via e-mail to many people.
, and named after a Miami stripper that David had met. The creator of the virus called himself Kwyjibo, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier
(GUID), a serial number that was earlier generated with the network card
MAC address
as a component. Smith was sentenced to 10 years but served only 20 months in a federal prison
and fined $5,000 United States dollar
s. This arrest was a result of collaboration between the FBI, New Jersey State Police
and Monmouth Internet. Smith would later go on to help the FBI in tracking down Jan de Wit
, the Dutch
creator of the Anna Kournikova Computer virus
.
s Microsoft Word 97
and Word 2000
and also Microsoft Excel 97, 2000 and 2003. It can mass-mail itself from e-mail client
Microsoft Outlook
97 or Outlook 98.
If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.
When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
) ", where is the name to whom the sender's copy of Microsoft Word is registered.
There is also a variant of the virus named Melissa.V/E which is known to seek and destroy Microsoft Excel documents, randomly deleting sets of data from files, or, at the worst, making them completely useless by applying a set of malicious Macro code. To simplify the code, the author has encrypted only a vectorial search pattern in it, so the virus can only delete linear sets of data, usually random rows or columns in a table. It also has a search parameter that makes it go only for unique sets of data, known to cause more damage.
A later edit of this variant makes backup copies of the destroyed files, and asks for a ransom of $100 to be transferred into an offshore account in return for the files. The account has been traced back to the owner. Due to a malfunction in code, in less than 1% of cases the code still makes copies.
This virus was rendered obsolete when it was discovered that it leaves visible traces in the Windows Registry
, providing enough data to ensure its destruction and the retrieval of stolen data.
A special version of this variant also modifies the backed-up data, fooling the user even more. It searches for numeric data inside the files, and then, with the help of a random number generator, slightly modifies the data, not visibly, but making it useless.
There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately. It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".
Subject: Extremely URGENT: To All E-Mail User -
Attachment:
Body: This announcement is for all E-MAIL user. Please take note
that our E-Mail Server will down and we recommended you to read
the document which attached with this E-Mail.
Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month.
The payload consists of the virus inserting the following string into the document: "Worm! Let's We Enjoy."
Macro virus (computing)
In computing terminology, a macro virus is a virus that is written in a macro language: that is to say, a language built into a software application such as a word processor...
. As it is not a standalone program, it is not a worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
.
History
First found on March 26, 1999, Melissa shut down InternetInternet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
mail systems that got clogged with infected e-mails propagating from the virus.
Melissa was not originally designed for harm, but it overloaded servers and caused problems.
Melissa was first distributed in the Usenet
Usenet
Usenet is a worldwide distributed Internet discussion system. It developed from the general purpose UUCP architecture of the same name.Duke University graduate students Tom Truscott and Jim Ellis conceived the idea in 1979 and it was established in 1980...
discussion group alt.sex
Alt.sex
alt.sex is a Usenet newsgroup that was popular in the 1990s. An October 1993 survey by Brian Reid reported an estimated a worldwide readership of 3.3 millions for the newsgroup, that being 8% of the total Usenet readership, with 67% of all Usenet nodes carrying the group and traffic of 2,300...
. The virus was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites. The virus' original form was sent via e-mail to many people.
David L. Smith
Melissa was written by David L. Smith in Aberdeen Township, New JerseyAberdeen Township, New Jersey
Aberdeen Township is a Township in Monmouth County, New Jersey, United States. As of the 2010 United States Census, the township population was 18,210....
, and named after a Miami stripper that David had met. The creator of the virus called himself Kwyjibo, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier
Globally Unique Identifier
A globally unique identifier is a unique reference number used as an identifier in computer software. The term GUID also is used for Microsoft's implementation of the Universally unique identifier standard....
(GUID), a serial number that was earlier generated with the network card
Network card
A network interface controller is a computer hardware component that connects a computer to a computer network....
MAC address
MAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
as a component. Smith was sentenced to 10 years but served only 20 months in a federal prison
Federal prison
Federal prisons are run by national governments in countries where subdivisions of the country also operate prisons.In the United States federal prisons are operated by the Federal Bureau of Prisons. In Canada the Correctional Service of Canada operates federal prisons. Prison sentences in these...
and fined $5,000 United States dollar
United States dollar
The United States dollar , also referred to as the American dollar, is the official currency of the United States of America. It is divided into 100 smaller units called cents or pennies....
s. This arrest was a result of collaboration between the FBI, New Jersey State Police
New Jersey State Police
The New Jersey State Police is the state police force for the state of New Jersey. It is a general-powers police agency with state wide jurisdiction when requested by the Governor, designated by Troop Sectors.-History:...
and Monmouth Internet. Smith would later go on to help the FBI in tracking down Jan de Wit
Anna Kournikova (computer virus)
The Anna Kournikova computer virus was a computer virus authored by Dutch programmer Jan de Wit on February 11, 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of tennis player Anna Kournikova, while actually hiding a malicious program...
, the Dutch
Dutch people
The Dutch people are an ethnic group native to the Netherlands. They share a common culture and speak the Dutch language. Dutch people and their descendants are found in migrant communities worldwide, notably in Suriname, Chile, Brazil, Canada, Australia, South Africa, New Zealand, and the United...
creator of the Anna Kournikova Computer virus
Anna Kournikova (computer virus)
The Anna Kournikova computer virus was a computer virus authored by Dutch programmer Jan de Wit on February 11, 2001. It was designed to trick email users into opening a mail message purportedly containing a picture of tennis player Anna Kournikova, while actually hiding a malicious program...
.
Virus specifications
Melissa can spread on word processorWord processor
A word processor is a computer application used for the production of any sort of printable material....
s Microsoft Word 97
Microsoft Office 97
Microsoft Office 97 was a major milestone release of Microsoft Office, which included hundreds of new features and improvements, introduced "Command Bars", a paradigm in which menus and toolbars were made more similar in capability and visual design featured natural language systems and...
and Word 2000
Microsoft Office 2000
Microsoft Office 2000 is a release of Microsoft Office that succeeded Microsoft Office 97 and was designed as a fully 32-bit and Y2K compliant version to match Windows 2000 features. All the Office 2000 applications have OLE 2 capacity, which allows moving data automatically between various...
and also Microsoft Excel 97, 2000 and 2003. It can mass-mail itself from e-mail client
E-mail client
An email client, email reader, or more formally mail user agent , is a computer program used to manage a user's email.The term can refer to any system capable of accessing the user's email mailbox, regardless of it being a mail user agent, a relaying server, or a human typing on a terminal...
Microsoft Outlook
Microsoft Outlook
Microsoft Outlook is a personal information manager from Microsoft, available both as a separate application as well as a part of the Microsoft Office suite...
97 or Outlook 98.
If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.
When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
Melissa.V
This is another variant of the original Melissa macro virus, and is akin to Melissa.U. It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book. The subject line of the infected e-mail sent out is: "My Pictures (There is also a variant of the virus named Melissa.V/E which is known to seek and destroy Microsoft Excel documents, randomly deleting sets of data from files, or, at the worst, making them completely useless by applying a set of malicious Macro code. To simplify the code, the author has encrypted only a vectorial search pattern in it, so the virus can only delete linear sets of data, usually random rows or columns in a table. It also has a search parameter that makes it go only for unique sets of data, known to cause more damage.
A later edit of this variant makes backup copies of the destroyed files, and asks for a ransom of $100 to be transferred into an offshore account in return for the files. The account has been traced back to the owner. Due to a malfunction in code, in less than 1% of cases the code still makes copies.
This virus was rendered obsolete when it was discovered that it leaves visible traces in the Windows Registry
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
, providing enough data to ensure its destruction and the retrieval of stolen data.
A special version of this variant also modifies the backed-up data, fooling the user even more. It searches for numeric data inside the files, and then, with the help of a random number generator, slightly modifies the data, not visibly, but making it useless.
There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately. It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".
Melissa.W
Melissa.W does not lower macro security settings in Word 2000. Otherwise it is functionally equal with Melissa.A.Melissa.AO
This is what the e-mails from this version contain:Subject: Extremely URGENT: To All E-Mail User -
Attachment:
Body: This announcement is for all E-MAIL user. Please take note
that our E-Mail Server will down and we recommended you to read
the document which attached with this E-Mail.
Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month.
The payload consists of the virus inserting the following string into the document: "Worm! Let's We Enjoy."
See also
- Timeline of notable computer viruses and wormsTimeline of notable computer viruses and wormsThis is a timeline of noteworthy computer viruses, worms and Trojan horses.- 1966 :* The work of John von Neumann on the "Theory of self-reproducing automata" is published...
- List of computer viruses
- Morris worm
- SQL slammer worm
- Code Red worm