Melissa (computer worm)
From Wikipedia, the free encyclopedia
The Melissa worm, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus, hence leading some to classify it as a computer worm.
Contents |
[edit] History
First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm.
Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites. The worm's original form was sent via e-mail to many people.
Melissa was written by David L. Smith in Aberdeen Township, New Jersey, and named after a lap dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier (GUID), a serial number that was earlier generated with the network card MAC address as a component. Smith was sentenced to 10 years but served only 20 months in a federal prison and fined $5,000 United States dollars. [1]
Fredrik Björck was instrumental in helping the FBI track down the author.[2]
[edit] Worm specifications
Melissa can spread on word processors Microsoft Word 97 and Word 2000. It can mass-mail itself from e-mail client Microsoft Outlook 97 or Outlook 98. The worm does not work on any other versions of Word, including Word 95, nor can it mass-mail itself via any other e-mail client, even Outlook Express.
If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass mail itself.
When the macro mass-mails, it collects the first 50 entries from the alias list or address book, and sends it to the e-mail addresses of those names.
[edit] Melissa.A/original version
This is what infected e-mails say:
From: <name of the infected sender> Subject: Important message from <name of sender> To: <The recipients, from the 50 names> Attachment: LIST.DOC Body: Here is that document you asked for ... don't show anyone else ;-)TCizzle
If the worm already has sent itself, or cannot spread that way for lack of an Internet connection or Outlook, it spreads to other Word documents on the computer. Other infected documents can also be mailed. If confidential data is inside the document, the recipient of the e-mail containing the document can view it.
The worm's activation routine inserts quotes from the animated television program The Simpsons into other documents when the minutes of the hour of the computer's clock match the day of the month (e.g., 7:09 on the 9th day of the month). Quotes include phrases like "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." The alias of the author, "Kwyjibo", is also a Simpsons reference.
[edit] Melissa.U
This variant also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes.
- C:\Command.com
- C:\IO.SYS
- C:\Ntdetect.com
- C:\Suhdlog.dat
- D:\Command.com
- D:\Io.sys
- D:\Suhdlog.dat
[edit] Melissa.V
This is another variant of the original Melissa macro virus, and is akin to Melissa.U. It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book. The subject line of the infected e-mail sent out is: "My Pictures (<Username>)", where <Username> is the name to whom the sender's copy of Microsoft Word is registered.
There is no body to the email, but there is an infected document attached. If this is opened, the payload is triggered immediately. It tries to delete data from the following (local or network) destinations: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".
[edit] Melissa.W
This is the same as Melissa.A.
[edit] Melissa.AO
This is what the e-mails from this version contain:
Subject: Extremely URGENT: To All E-Mail User - <current date> Attachment: <Infected Active Document> Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.
Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload consists of the worm inserting the following string into the document: "Worm! Let's We Enjoy."
[edit] See also
- Timeline of notable computer viruses and worms
- List of computer viruses
- Morris worm
- SQL slammer worm
- Code Red worm
[edit] Notes and references
- ^ U.S. Department of Justice (2002-05-01). Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison. Press release. Retrieved on 2006-08-30.
- ^ Melissa creator may be uncovered, accessed October 21, 2006