Melissa
Melissa
Type Word macro virus
Creator "Kwyjibo" David L. Smith
Date Discovered 1999.03.26
Place of Origin Aberdeen, New Jersey USA
Source Language Visual Basic
Platform MS Word
File Type(s) .doc
Infection Length One macro module
Reported Costs $1.1 billion

Melissa is a macro virus that appeared in spring of 1999. The virus received a great deal of media attention and like Michelangelo caused little damage, although it was very widespread. Melissa began spreading exactly one month before CIH released its payload, causing hundreds of millions of dollars in damage in East Asia. It is one of the first viruses to achieve "rock star" status.

Behavior

Melissa arrives in an email, with the subject line "Important Message From <email address of the account from which the virus was sent>". The "sender" will be the actual email address that it came from. The body of the message is "Here is that document you asked for … don't show anyone else ;-)". The attachment is named list.doc and contains a list of 80 pornographic websites.

Melissadoc.png

When an infected document is opened, Melissa checks if the Microsoft Office registry key has a sub-directory named "Melissa?" exists with "… by Kwyjibo" set as its value. If the value has been set, the virus will not perform the mailing routine. If the value is not set, the virus mails itself to fifty addresses in the user's Address Book. Unless there are 50 addresses before "All", the virus may be sent to all addresses in the Address Book.

Melissa infects the Normal.dot template, which is used by default in all Word documents. This gives the virus the ability to infect and send other documents than just the porn site list, potentially leak sensitive information. Users can also unknowingly spread the virus when other documents become infected and they send them to another computer. If any document is opened or a new document is created, that document will be infected.

Melissa also has another payload that triggers itself once an hour and chooses the minute of the payload's delivery by the day (as an example, if the day is April 19, the payload will be delivered on the 19th minute of every hour that day). If an infected document is opened or closed at that minute, Melissa will insert this text into the document:

  Twenty-two points, plus triple-word-score,  
  plus fifty points for using all my letters.  
  Game's over. I'm outta here.

This is a reference to the Simpson's episode, "Bart the Genius".

Variants

As macro viruses are relatively easy to create, Melissa spawned several variants. Most are completely unremarkable, while others have a few interesting features.

Assilem

Assilem is an entire sub-family of Melissa that has most of the functionality if the original virus, with the exception of the mass-mailing capability. These can only infect other documents when they are executed on a clean computer. Assilem is Melissa backwards.

Melissa.W (AKA Prilissa)

The virus arrives as an email attachment. The email text says "This document is very Important and you've GOT to read this!!!"

When Prilissa activates, it displays the message: "Vine…Vide…Vice…Moslem Power Never End…Your Computer Have Just Been Terminated By -= CyberNET =- Virus!!" -". The user's documents will be covered in randomly colored squares. It then overwrites the AUTOEXEC.BAT file to format the hard drive.

This variant may take some code from an earlier macro virus called Pri and be a hybrid of Melissa and this macro.

Melissa.BG

This variant is also known as "Résumé". It is sometimes considered a separate family, Word97/Resume. It arrives in an email with the following characteristics:
Subject: Resume - Janet Simons

Body:

To: Director of Sales/Marketing

Attached is my resume with a list of references contained within. Please feel free to call or email
me if you have any further questions regarding my experience. I am looking forward to hearing from you.

Sincerely,

Janet Simons.

Attachment: Explorer.doc

It contains the text "Hope You Like My vIrUs" and "Better You Than Me Buddy" right before the viral code, but this will not be displayed in the document. When the document is closed, it saves itself as the following files:

  • C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc
  • C:\Data\Normal.dot

It also attempts to delete all files in the My Documents, Windows and System folder.

Effects

While the virus had no deliberately malicious payload, it did place a burden on email servers, making it a Denial of Service attack. Also the "damages" were mostly lost productivity due to companies closing down their servers. Many people in the IT industry said that the situation could have been much worse, as all the virus really did was email itself.

Kwyjibo said in court that he did not code the virus to deliberately cause any harm, believing any damage would be incidental and/or minimal. He claimed the virus was even designed to not cause damage to computers.

The virus is reported to caused $80 million of damage in North America alone and about $1.1 billion worldwide. Some estimates say at least 100,000 computers were infected and 300 organizations reported infections. Game publisher GT Interactive accidentally sent out the virus in a press release. The company said Melissa did not do them any damage, but did cause a great deal of embarrassment.

CERT claims that the Melissa was reported in countries as far away as Canada, the Netherlands, New Zealand, Qatar, Singapore, Sweden, and the United Kingdom. In addition, CERT claims that 233 organizations and 81,285 computers had Melissa infections and that one site reported receiving 32,000 copies of mail messages containing Melissa on its systems within 45 minutes.

In a situation similar to that of the Michelangelo hysteria, people began buying anti-virus software and scanning their computers, only to find much older viruses that did not receive as much media hype.

Origin

Melissa was coded and released by Kwyjibo (David L. Smith) who had also gone by the names VicodenES and Alt-F11 in Aberdeen, New Jersey, USA and posted to the newsgroup alt.sex using a cracked America Online account. It was named after a stripper Kwyjibo knew in Florida. The virus was for a short time believed to have originated in Europe.

Kwyjibo pleaded guilty on 1999.12.09 and was sentenced to 20 months in federal prison, three years of supervised release, a $5,000 fine and 100 hours of community service in 2002. The maximum sentence at the time was five years in prison and a $250,000 fine, but the judge took into consideration the fact that Kwyjibo cooperated with federal and state authorities. He also faced 10 years in prison and a $150,000 fine on one count of second degree computer-related theft. His total prison time could have added up to nearly 40 years.

In exchange for reducing his sentence to 20 months, Kwyjibo began working with the FBI to help the Bureau find virus and worm creators. He started working for them 18 hours a week, then later a full 40 hours, at which point the FBI began paying his rent, insurance and utilities, which totaled nearly $12,000. While working for the FBI, Kwyjibo was instrumental in the finding and capture of Jan de Wit, creator of Kournikova, and Simon Vallor, creator of Gokar.

Name

The virus was originally named Melissa by its creator. He named it after a stripper he knew in Florida. It goes against the policy of antivirus companies to give a virus the same name the author had intended. However, in this case, Jimmy Kuo of McAfee decided the name had already stuck to the virus, and that Melissa should be the official name.

Other Facts

The text of one of Melissa's payloads, as well as Kwyjibo's handle come from this scene the "Simpsons" episode, "Bart the Genius":

  • Bart (playing scrabble with the rest of the family): K-W-Y-J-I-B-O… Kwyjibo. 22 points… plus 50 points for using all my letters! Game's over. I'm outta here!
  • Homer: Wait a minute, you little cheater! You're not going anywhere until you tell me what a Kwyjibo is.
  • Bart (looking at Homer): Kwyjibo? Uh… a big, dumb, balding, North American ape with no chin.
  • Marge: And a short temper!
  • Homer (lunging for the boy): Why you little!!
  • Bart: Uh oh. Kwyjibo on the loose!

Sources

The Melissa Virus Website (Still in operation 13 years after the virus was released and 10 since Word macro viruses had gone out of vogue)

CERT. Advisory, "CA-1999-04 Melissa Macro Virus" 1999.03.27-31

Raul K. Elnitiarta. Symantec.com, W97M.Melissa.A

Richard Pethia (Testimony Before the Subcommittee on Technology, Committee on Science, U.S. House of Representatives). CERT, The Melissa Virus: Inoculating Our Information Technology from Emerging Threats 1999.04.15

Stephen Shankland. CNET News, "Feds Issue Warning as Email Virus Spreads". 1999.03.29

-. -, "Melissa Virus Originator Bewildered" 1999.03.30

Robert Lemos. ZDNet News, "What Will Happen in Melissa's Wake?". 1999.04.04

Craig Fosnock. East Carolina University, Computer Worms: Past, Present, and Future

Nerds 2.0.1, "A Virus Named Melissa". 1999.03.29

US Department of Justice Press Release, "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison". 2002.05.01

Raymond G. Kammer. US Department of Commerce, Before the House Science Subcommittee on Technology. 1999.04.15

Martha Mendoza. Associated Press, Melissa author helped FBI bust other virus writers. 2003.09.23

John Borland. CNET News, "Christmas Virus Could Format Hard Drives". 1999.11.19

Matthew W. Beale. E-Commerce Times "One Year Ago: Christmas Day Virus Warning Issued" 1999.11.22, 2000.11.20

Neil Sutton. itbusiness.ca, Memories of Melissa. 2005.03.29

EmailAbuse.org, "Prilissa".

PCHell, Killer Resume.

SoldierX, David Smith, Kwyjibo, VicodinES, Alt-F11

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License