Melissa virus

☆ Save On Wikipedia ↗
Melissa
Malware details
Technical name
TypeMacro virus
AuthorDavid L. Smith
Technical details
PlatformsWindows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP[2]

The Melissa virus was a mass-mailing macro virus released by David L. Smith on March 26, 1999. Distributed through an infected Microsoft Word document, it used Microsoft Outlook to send copies of itself to the first 50 entries in an infected user's address book. Because the messages appeared to come from known contacts, Melissa spread rapidly through corporate and government email systems.

Melissa did not ordinarily delete files, but the volume of email it generated overloaded mail servers, disrupted about one million email accounts and led some organizations to suspend email service. The Federal Bureau of Investigation (FBI) estimated that cleanup and repair costs reached $80 million and described Melissa as the fastest-spreading computer infection at the time. Smith was arrested less than a week after the virus release, pleaded guilty to state and federal computer offenses that December, and was sentenced in 2002 to 20 months in federal prison.

Release and initial spread

On March 26, 1999, David L. Smith used a stolen AOL account to post an infected Microsoft Word document to the Internet newsgroup alt.sex. The accompanying message claimed that the document contained passwords for adult-content websites.[3]

Opening the document activated the virus. On computers using Microsoft Outlook, it sent copies of itself to the first 50 entries in the user's address book.[3] The resulting email appeared to come from someone the recipient knew. Its subject line began "Important Message From", followed by the sender's name, and its body read, "Here is that document you asked for ... don't show anyone else ;-)". The attachment was named list.doc.[4] Each infected computer could repeat the process with up to 50 more recipients, allowing Melissa to spread rapidly.[3]

Operation

Melissa was a macro virus carried in a Microsoft Word document. When the attachment was opened in Word 97 or Word 2000, its macro code copied the infected document into Word's default template and lowered the program's macro-security settings. Documents subsequently opened or created in Word could then become infected.[5][3][4]

To distribute itself by email, Melissa used Microsoft Outlook to read the first 50 entries in the user's address book and send each one a copy of the infected document. The mass-mailing function operated only on computers that used Outlook for email.[5] Melissa did not ordinarily erase files, although sending an infected document without the user's knowledge could disclose information contained in it.[4]

If the minute shown by the computer's clock matched the day of the month, Melissa displayed the message "Twenty-two points, plus triple-word-score, plus 50 points for using all my letters. Game's over. I'm outta here." in Word. The line came from a Scrabble scene in The Simpsons.[6]

Outbreak and impact

Melissa spread rapidly after its release. By March 29, the Computer Emergency Response Team (CERT) at Carnegie Mellon University had received reports from 250 organizations and estimated that at least 100,000 workplace computers had been affected. CERT said that the actual number was probably higher.[7] The FBI later reported that email servers at more than 300 companies and government agencies had been overloaded and estimated that about one million email accounts were disrupted.[8]

The large volume of messages generated by infected computers interrupted email service at several organizations. Microsoft suspended outgoing email for about five hours, and Intel reported that it had been affected.[4] Lockheed Martin and Lucent Technologies were among the companies that closed their Internet gateways in response to the outbreak.[9] The United States Marine Corps was also affected.[10]

Although Melissa did not normally delete files, the disruption of email systems and the work required to clean infected computers produced substantial costs.[4][3] Its spread was largely contained within several days, although removing it from affected systems took longer. The FBI estimated the total cost of cleanup and repairs at $80 million and described Melissa as the fastest-spreading computer infection at the time.[8]

Investigation and prosecution

Software developer Richard Smith examined the infected Word document and found identifying information inserted by Microsoft Office, including an identifier linked to the computer on which the file had been created and names associated with earlier revisions. After a Swedish computer science graduate student directed him to files associated with the virus writer VicodinES, he found documents containing the same identifier and gave his findings to the Federal Bureau of Investigation (FBI).[7] The New Jersey State Police obtained Monmouth County Internet's records of who had been connected to a specified IP address on March 26, the day Melissa was posted. Although early reports examined a possible connection between David L. Smith and VicodinES, New Jersey officials said that Smith did not use that name.[11] Following a tip from AOL and a joint state and federal investigation, Smith was arrested at his brother's home in Eatontown, New Jersey, on April 1, 1999.[3]

On December 9, 1999, Smith pleaded guilty in New Jersey state court to second-degree computer-related theft and in federal court to knowingly spreading a computer virus with the intent to cause damage. He admitted creating and distributing Melissa and acknowledged that it had caused more than $80 million in damage. Smith said that he had expected any financial harm to be minor.[3][9] Smith's sentencing was postponed several times.[12] On May 1, 2002, he was sentenced to 20 months in federal prison, three years of supervised release, a $5,000 fine and 100 hours of community service. The court had calculated a sentencing range of 46 to 57 months but reduced the term after prosecutors cited Smith's cooperation in other investigations.[3]

See also

References

  1. "Virus:W32/Melissa Description | F-Secure Labs". www.f-secure.com. Archived from the original on March 10, 2026. Retrieved September 7, 2003.
  2. "W97M.Melissa.A - Technical Details". Symantec. Archived from the original on December 17, 2012. Retrieved February 9, 2013.
  3. "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison" (Press release). U.S. Department of Justice. May 1, 2002. Archived from the original on February 13, 2026. Retrieved August 30, 2006.
  4. "E-mail virus spreads". CNN Money. March 29, 1999. Archived from the original on February 7, 2002. Retrieved April 1, 2022.
  5. Gillis, Alexander S. (December 7, 2021). "What is the Melissa Virus?". SearchSecurity. TechTarget. Archived from the original on June 25, 2022. Retrieved April 6, 2022.
  6. "Melissa virus creator pleads guilty". BBC News. December 9, 1999. Archived from the original on March 17, 2019. Retrieved January 5, 2020.
  7. Markoff, John (March 30, 1999). "Digital Fingerprints Leave Clues to Creator of Internet Virus". The New York Times. ISSN 0362-4331. Archived from the original on February 14, 2011. Retrieved April 1, 2022.
  8. "Melissa Virus". Federal Bureau of Investigation. Retrieved April 1, 2022.
  9. Lemos, Robert (December 8, 1999). "Smith pleads guilty to Melissa virus". ZDNet. Archived from the original on January 23, 2025. Retrieved April 1, 2022.
  10. McNamara, Paul (March 25, 2014). "Melissa virus turning 15 ... (age of the stripper still unknown)". Network World. Archived from the original on June 25, 2026. Retrieved April 1, 2022.
  11. Reiter, Luke (April 1, 1999). "Tracking Melissa's alter egos". ZDNet. Archived from the original on March 3, 2026. Retrieved April 2, 2008.
  12. Poulsen, Kevin (August 1, 2001). "Justice mysteriously delayed for 'Melissa' author". The Register. Archived from the original on June 25, 2026. Retrieved January 13, 2012.