Thursday, March 20, 2008

Deadliest Computer Viruses Ever Known - 1

Melissa Virus

Origin

On 26 March last year as a few half-hearted flurries of snow danced across the unlovely suburban landscape of northern New Jersey, David Smith drew the curtains of the small garden apartment he shared with two cats called Rockabilly and Eggnog. It was late on a Friday afternoon. Soon the nation's offices and factories, its government departments and much of its civil infrastructure would be closing for the weekend. The timing was critical for Smith's purposes.

At 30, single and employed on an irregular basis as a computer programmer, Smith met most definitions of a nobody. Admittedly, he dressed smartly and kept in shape, but his outward personability was more than negated by what one of his friends called 'the personality of bread mould'. His love life, as far as anyone knew, had been fairly unremarkable. There was only one girl, somewhere in the past - a willowy blonde whom he seemed to have genuinely fallen for. Her name was Melissa.

Smith settled down in front of a personal computer. It was one of several that he owned. Later, when things became hot, he would have to smash it up with a garden spade, and throw the pieces into a rubbish skip. But this afternoon, as the big East Coast cities of New York, Boston and Washington began to empty, his fingers moved smoothly over the keyboard.

He entered cyber-space using a stolen access authorisation that had been issued by America Online, the giant internet provider, to a customer in Florida called Scott Steinmetz. This allowed Smith to use Steinmetz's e-mail address, slrvrocket@aol.com, which he proceeded to do, to devastating effect.

A few clicks of the mouse took Smith to an internet chatroom - an electronic forum where subscribers can exchange messages on a topic of mutual interest. The chatroom he chose was called alt.sex, one of many sites devoted to the appreciation of pornography. There, Smith posted the deadliest computer virus the world has ever known.

It couldn't have been more than a few minutes before someone, somewhere out in the vastness of the internet, visited alt.sex, saw Smith's message - which purported to contain free access codes to other internet porn sites - and opened it. And with that single click, the virus was free to fulfill its purpose - to spread, multiply and contaminate.

Later, investigators would decipher its name from the computer code that Smith had written. He had called the virus Melissa. Except that the chaos that followed would far exceed Smith's wildest imaginings. Within 24 hours, the computer systems of some of the biggest corporations on earth would be paralysed; Nato and the Pentagon would move on to a heightened security alert in the belief that cyber-terrorists were launching a global attack; and millions of computer users around the world would wake up to find their machines had been 'Melissa'd'. And in the days that followed, the biggest, most desperate manhunt in the history of computer crime would lead investigators, step by step, through a strange, barely charted electronic universe to the faded grey front door of David Smith's home in New Jersey.

Early next month Smith, who admits planting the virus, will be sentenced at the New Jersey Superior Court on charges of interfering with public communications. He faces up to 45 years in jail, and could, in theory, be fined $900 million - a sum approximately twice the value of the damage he is estimated to have caused. His case has been followed obsessively by internet aficionados, and studied by almost everyone with an interest in the security of computer systems. Yet a year after Smith's assault, the big questions remain unanswered: who is he? Why did he do it? And where is Melissa?

How it works

The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header:

Subject: Important Message From <name>

Where <name> is the full name of the user sending the message.

The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text.

Here is that document you asked for ... don't show anyone else ;-)

The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contains references to pornographic web sites. As this macro virus spreads we are likely to see documents with other names. In fact, under certain conditions the virus may generate attachments with documents created by the victim.
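The transport message described above has three fixed indicators (the Subject prefix, the body text, and a Word attachment), which is what made it straightforward to filter at mail gateways. The following is an added example, not code from the original page or from the advisory it quotes: it constructs a sample message in exactly that format with the standard-library email package, then runs a gateway-style check that reports which indicators match. The indicator strings come from the page; the addresses and the attachment bytes are made-up placeholders.

```python
"""Gateway check for the Melissa transport message (added example).

Builds a constructed sample message in the format the advisory describes,
parses it with Python's standard `email` package and reports which of the
three indicators match. Addresses and attachment contents are placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the description of the transport message.
SUBJECT_PREFIX = "Important Message From"
BODY_TEXT = "Here is that document you asked for ... don't show anyone else ;-)"
ATTACHMENT_TYPE = "application/msword"


def melissa_indicators(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return which indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    found = {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": False,
        "msword_attachment": False,
    }
    # walk() yields every MIME part, so both the text section and the
    # attachment section of the two-part body are examined.
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and BODY_TEXT in part.get_content():
            found["body"] = True
        elif ctype == ATTACHMENT_TYPE:
            found["msword_attachment"] = True
    return found


def is_melissa_transport(raw: bytes) -> bool:
    """Quarantine rule: all three indicators present together.

    Requiring all three keeps a legitimate Word attachment with an
    ordinary subject from being held.
    """
    return all(melissa_indicators(raw).values())


def build_sample(sender_name: str, attach_name: str = "list.doc",
                 infected: bool = True) -> bytes:
    """Construct test data (not a real capture) in the described format."""
    msg = EmailMessage()
    msg["From"] = f"{sender_name} <sender@example.invalid>"
    msg["To"] = "colleague@example.invalid"
    if infected:
        msg["Subject"] = f"{SUBJECT_PREFIX} {sender_name}"
        msg.set_content(BODY_TEXT)
    else:
        msg["Subject"] = "Q1 budget draft"
        msg.set_content("Attached is the draft budget.")
    # Placeholder bytes stand in for a Word document; only the MIME type matters here.
    msg.add_attachment(b"PLACEHOLDER-DOC-BYTES", maintype="application",
                       subtype="msword", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("infected", build_sample("Alice Example")),
                       ("benign", build_sample("Alice Example", infected=False))):
        print(label, melissa_indicators(raw), "-> quarantine:", is_melissa_transport(raw))
```

A check like this only catches the reported form of the message; the advisory itself notes that attachment names vary and that a victim's own documents may be sent instead of list.doc, which is why the attachment check keys on the MIME type rather than the filename.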

When a user opens an infected .doc file with Microsoft Word97 or Word2000, the macro virus is immediately executed if macros are enabled.

Upon execution, the virus first lowers the macro security settings to permit all macros to run when documents are opened in the future. Therefore, the user will not be notified when the virus is executed in the future.

The macro then checks to see if the registry key

"HKEY_Current_User\Software\Microsoft\Office\Melissa?"

has a value of "... by Kwyjibo". If that registry key does not exist or does not have a value of "... by Kwyjibo", the virus proceeds to propagate itself by sending an email message in the format described above to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro. Keep in mind that if any of these email addresses are mailing lists, the message will be delivered to everyone on the mailing lists. In order to successfully propagate, the affected machine must have Microsoft Outlook installed; however, Outlook does not need to be the mailer used to read the message.

This virus cannot send mail on systems running MacOS; however, the virus can be stored on MacOS.

Next, the macro virus sets the value of the registry key to "... by Kwyjibo". Setting this registry key causes the virus to only propagate once per session. If the registry key does not persist through sessions, the virus will propagate as described above once per every session when a user opens an infected document. If the registry key persists through sessions, the virus will no longer attempt to propagate even if the affected user opens an infected document.

The macro then infects the Normal.dot template file. By default, all Word documents utilize the Normal.dot template; thus, any newly created Word document will be infected. Because unpatched versions of Word97 may trust macros in templates, the virus may execute without warning.

Finally, if the minute of the hour matches the day of the month at this point, the macro inserts into the current document the message "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

Note that if you open an infected document with macros disabled and look at the list of macros in this document, neither Word97 nor Word2000 lists the macro. The code is actually VBA (Visual Basic for Applications) code associated with the "document.open" method. You can see the code by going into the Visual Basic editor.

Impact

  • Users who open an infected document in Word97 or Word2000 with macros enabled will infect the Normal.dot template causing any documents referencing this template to be infected with this macro virus. If the infected document is opened by another user, the document, including the macro virus, will propagate. Note that this could cause the user's document to be propagated instead of the original document, and thereby leak sensitive information.
  • Indirectly, this virus could cause a denial of service on mail servers. Many large sites have reported performance problems with their mail servers as a result of the propagation of this virus.

3 comments:

Embok Ramdé said...

Smith rocks!!

Unknown said...

yes, true said 'born'.

He's a damn Genius, instead of presenting him to the court, he should have been hired by cyber-security professionals. :)

Unknown said...

Except for the fact that, oh I don't know, he ruined millions of people's, companies', and governments' computer systems. I may be wrong, but I think that might just be illegal.
