|Type||Word macro virus|
|Place of Origin||Aberdeen, New Jersey USA|
|Source Language||Visual Basic|
|Platform||MS Word on MS Windows|
|Infection Length||One Macro Module|
|Reported Costs||$1.1 billion|
Melissa is a macro virus that appeared in spring of 1999. The virus received a great deal of media attention and like Michelangelo caused little damage, although it was very widespread. Melissa began spreading exactly one month before CIH released its payload, causing hundreds of millions of dollars in damage in East Asia. It is one of the first viruses to achieve "rock star" status.
Melissa arrives in an email, with the subject line "Important Message From <email address of the account from which the virus was sent>". The "sender" will be the actual email address that it came from. The body of the message is "Here is that document you asked for ... don't show anyone else ;-)". The attachment is named list.doc and contains a list of 80 pornographic websites.
When an infected document is opened, Melissa checks if the Microsoft Office registry key has a sub-directory named "Melissa?" with "... by Kwyjibo" set as its value. If the value has been set, the virus will not perform the mailing routine. If the value is not set, the virus mails itself to fifty addresses in the user's Address Book. Unless there are 50 addresses before "All", the virus may be sent to all addresses in the Address Book.
Melissa infects the Normal.dot template, which is used by default in all Word documents. This gives the virus the ability to infect and send other documents than just the porn site list, potentially leak sensitive information. Users can also unknowingly spread the virus when other documents become infected and they send them to another computer. If any document is opened or a new document is created, that document will be infected.
Melissa also has another payload that triggers itself once an hour and chooses the minute of the payload's delivery by the day (as an example, if the day is April 19, the payload will be delivered on the 19th minute of every hour that day). If an infected document is opened or closed at that minute, Melissa will insert this text into the document
Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.
This is a reference to the Simpson's episode, "Bart the Genius".
Assilem is an entire sub-family of Melissa that has most of the functionality if the original virus, with the exception of the mass-mailing capability. These can only infect other documents when they are executed on a clean computer.
The virus arrives as an email attachment. The email text says "This document is very Important and you've GOT to read this!!!"
When Prilissa activates, it displays the message: "Vine...Vide...Vice...Moslem Power Never End...Your Computer Have Just Been Terminated By -= CyberNET =- Virus!!" -". The user's documents will be covered in randomly colored squares. It then overwrites the AUTOEXEC.BAT file to format the hard drive.
This variant may take some code from an earlier macro virus called Pri and be a hybrid of Melissa and this macro.
Melissa.BG (Also "Resume")Edit
This variant is sometimes considered a separate family, Word97/Resume. It arrives in an email with the following characteristics:
Subject: Resume - Janet Simons
Body: To: Director of Sales/Marketing zzz
Attached is my resume with a list of references contained within. Please feel free to call or email me if you have any further questions regarding my experience. I am looking forward to hearing from you.
Janet Simons. Attachment: Explorer.doc
It contains the text "Hope You Like My vIrUs" and "Better You Than Me Buddy" right before the viral code, but this will not be displayed in the document. When the document is closed, it saves itself as the following files:
C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc C:\Data\Normal.dot
While the virus had no deliberately malicious payload, it did place a burden on email servers, making it a Denial of Service attack. Also the "damages" were mostly lost productivity due to companies closing down their servers. Many people in the IT industry said that the situation could have been much worse, as all the virus really did was email itself.
Kwyjibo said in court that he did not code the virus to deliberately cause any harm, believing any damage would be incidental and/or minimal. He claimed the virus was even designed to not cause damage to computers.
The virus is reported to caused $80 million of damage in North America alone and about $1.1 billion worldwide. Some estimates say at least 100,000 computers were infected and 300 organizations reported infections. Game publisher GT Interactive accidentally sent out the virus in a press release. The company said Melissa did not do them any damage, but did cause a great deal of embarrassment.
CERT claims that the Melissa was reported in countries as far away as Canada, the Netherlands, New Zealand, Qatar, Singapore, Sweden, and the United Kingdom. In addition, CERT claims that 233 organizations and 81,285 computers had Melissa infections and that one site reported receiving 32,000 copies of mail messages containing Melissa on its systems within 45 minutes.
In a situation similar to that of the Michelangelo hysteria, people began buying anti-virus software and scanning their computers, only to find much older viruses that did not receive as much media hype.
Melissa was coded and released by Kwyjibo (David L. Smith) in Aberdeen, New Jersey, USA and posted to the newsgroup alt.sex using a cracked America Online account. It was named after a stripper from Pennsylvania who later moved to Miami Florida. They socialized over both being from the north. The virus was for a short time believed to have originated in Europe.
Kwyjibo pleaded guilty on 1999.12.09 and was sentenced to 20 months in federal prison, three years of supervised release, a $5,000 fine and 100 hours of community service in 2002. The maximum sentence at the time was five years in prison and a $250,000 fine, but the judge took into consideration the fact that Kwyjibo cooperated with federal and state authorities. He also faced 10 years in prison and a $150,000 fine on one count of second degree computer-related theft. His total prison time could have added up to nearly 40 years.
In exchange for reducing his sentence to 20 months, Kwyjibo began working with the FBI to help the Bureau find virus and worm creators. He started working for them 18 hours a week, then later a full 40 hours, at which point the FBI began paying his rent, insurance and utilities, which totaled nearly $12,000. While working for the FBI, Kwyjibo was instrumental in the finding and capture of Jan de Wit, creator of OnTheFly, and Simon Vallor, creator of Gokar.
The virus was originally named Melissa by its creator. He named it after a stripper he knew in Florida. It goes against the policy of antivirus companies to give a virus the same name the author had intended. However, in this case, Jimmy Kuo of McAfee decided the name had already stuck to the virus, and that Melissa should be the official name.
The text of one of Melissa's payloads, as well as Kwyjibo's handle come from this scene the "Simpsons" episode, "Bart the Genius":
Bart (playing scrabble with the rest of the family): K-W-Y-J-I-B-O... Kwyjibo. 22 points... plus 50 points for using all my letters! Game's over. I'm outta here! Homer: Wait a minute, you little cheater! You're not going anywhere until you tell me what a Kwyjibo is. Bart (looking at Homer): Kwyjibo? Uh... a big, dumb, balding, North American ape with no chin. Marge: And a short temper! Homer (lunging for the boy): Why you little!! Bart: Uh oh. Kwyjibo on the loose!
CERT. Advisory, "CA-1999-04 Melissa Macro Virus" 1999.03.27-31
Raul K. Elnitiarta. Symantec.com, W97M.Melissa.A
Richard Pethia (Testimony Before the Subcommittee on Technology, Committee on Science, U.S. House of Representatives). CERT, The Melissa Virus: Inoculating Our Information Technology from Emerging Threats 1999.04.15
Stephen Shankland. CNET News, "Feds Issue Warning as Email Virus Spreads". 1999.03.29
-. -, "Melissa Virus Originator Bewildered" 1999.03.30
Robert Lemos. ZDNet News, "What Will Happen in Melissa's Wake?". 1999.04.04
Craig Fosnock. East Carolina University, Computer Worms: Past, Present, and Future
Nerds 2.0.1, "A Virus Named Melissa". 1999.03.29
US Department of Justice Press Release, "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison". 2002.05.01
Raymond G. Kammer. US Department of Commerce, Before the House Science Subcommittee on Technology. 1999.04.15
Martha Mendoza. Associated Press, Hacker goes undercover for the FBI. 2003.09.23
John Borland. CNET News, "Christmas Virus Could Format Hard Drives". 1999.11.19
Matthew W. Beale. E-Commerce Times "One Year Ago: Christmas Day Virus Warning Issued" 1999.11.22, 2000.11.20
Neil Sutton. itbusiness.ca, Memories of Melissa. 2005.03.29
Norman Antivirus, W97M/Resume.A@mm. 2000.05.27