Melissa (computer virus)
| Melissa | |
|---|---|
| Surname | Melissa |
| Aliases | Mailissa |
| Known since | 1999 |
| First location | United States |
| Virus type | Macro virus |
| Other classes | Email virus |
| Authors | David L. Smith |
| Host files | MS Word documents |
| Polymorph | No |
| Stealth | No |
| Memory resident | No |
| system | Microsoft Office |
| programming language | Visual Basic Macro |
Melissa is a macro virus and was the first known malware to use automated e-mail to spread. The virus gained worldwide fame when it overloaded countless IT systems in 1999 by sending massive amounts of e-mails.
Aliases
Allegedly, Melissa was called that by the author of the virus himself. The name is said to come from a stripper among his friends.
Melissa is also known as W97M.Mailissa.A or W97M.Melissa.A . The virus’s numerous derivatives have similar names.
Versions and derivatives
The code of the macro virus was changed several times and exposed again. Because of the simple programming language Visual Basic and the popularity of Melissa, this effect was obvious. There are at least 43 known derivatives of Melissa. Many of them were also equipped with a malicious payload. A Melissa variant, for example, copies quotes from the television series The Simpsons into existing Word files. However, it was no longer possible to achieve the same extent as the original version. About a year later, no new variations of Melissa were developed, presumably because more recent incidents, such as the VB script Loveletter , became more interesting.
Functions
Melissa does not have any malicious code as a payload and therefore did not cause any intentional data loss on affected systems. However, the avalanche-like distribution via e-mail resulted in numerous overloaded systems. The Melissa outbreak thus had the side effect of an aimless DoS attack . This led to isolated data losses and failures of web and, above all, mail servers . However, this did not cause any damage to the computers.
Duplication routine
An MS Office document served as the host file . When it was opened, the macro was activated . Since 1999 had not yet developed any protective functions worth mentioning and most users preferred automatic macros, this was easy to implement. The activation triggered the duplication. The virus sent further infected documents to the first 50 entries in the address book via Outlook , regardless of whether it concerned a person or a group. Melissa left an entry in the registry as a marker. If this marking was present, no more e-mails were sent when the macro was triggered a second time.
The emails had the subject Important Message From, xxx , where xxx stood for the sender. The content of the mail was Here's that document you asked for. Don't show anyone else;) .
A file named list.doc was added to the mail as an attachment. In addition to a number of links to porn sites, the file also contained the malicious macro.
Melissa could run under all Windows versions commonly used in 1999, provided the appropriate Office applications were installed.
The macro was programmed with Visual Basic .
Situation in 1999
The virus was released on March 26, 1999. The pyramid scheme that Melissa used to spread had an impact within a few hours. The macro sent countless emails which led to overloads. Many companies, including large IT groups such as IBM and Microsoft , had to shut down their networks temporarily.
An estimated 100,000 systems had to be shut down within three days because the effects of Melissa could not be brought under control
According to some sources, Melissa sent billions of emails. These are massive exaggerations. 50 mails were sent once per affected computer, so Melissa would have to be activated on 20 million computers in order to generate one billion mails. However, in Outlook you could not only create an entry for individual people, but also for groups. That increased the total amount of mails a little. According to more realistic estimates, the number of documents opened is more likely between 400,000 and 800,000 worldwide.
For the first time since the 1992 Michelangelo hysteria , a computer virus had become a media star. The CIH virus was certainly an issue in specialist journals, but the mainstream was not aware of it. Effects like Melissa's were a completely new phenomenon. Until now, malware has always spread slowly. The Internet slowly began to become a standard in 1999, favoring the spread of viruses and Trojans . This was practical but more important for careless users who use downloads from dubious sources. The path of infection via file sharing was not yet widespread in 1999.
There had never been such a spontaneous and explosive global wave of infections with a computer virus. In relation to viruses, there has never been such an extent again (as of 2020). Melissa has now been surpassed by other malware several times, but these were always worms and not classic viruses.
The damage caused was estimated by a US court to be around $ 80 million. That, too, corresponded to unprecedented dimensions. Individual sources on the Internet speak of damage amounting to an unrealistic $ 1.1 billion.
Europe was less affected than the US, as Melissa's effects started there during working hours. In Europe, the wave only started on Friday, which at least spared company computers for the time being. On the following Monday, most of them were already warned by the press reports.
Hardly any user was prepared for such an incident in 1999. At that time, distrust of email attachments was not a matter of course. In addition, the sender was a friend, so Melissa had the great advantage of social engineering components on his side. Malware as a global phenomenon was unknown. Because of such incidents, the major mail providers later set up protection systems that were able to detect such malware activities and then block the dispatch. In addition, since DSL became established, individual mail ports can also be blocked by the provider without any problems. So far, however, it has not been possible to effectively prevent the mass sending of emails by malware.
The author
The programmer, David L. Smith, was arrested five days later and found guilty in December 1999. On May 1, 2002, the sentence was announced, he was sentenced to 20 months in prison and a fine of $ 5,000, plus a further $ 2,500 fine in the first instance.
He could be convicted because he signed Melissa with the pseudonym Kwyjibo . By comparing Word documents with the same global identifier, it was found that Kwyjibo is identical to two other, already conspicuous macro authors. With this information it was possible to locate Smith, as he had left enough traces on the Internet under the names that had been known for some time.
The pseudonym Kwyjibo comes from the television series The Simpsons and appears in the episode Bart Becomes a Genius .
Virus or worm
Melissa is often referred to as a worm by the press and by the ignorant. The reason for this is that the virus spread rapidly over the Internet in a way that is otherwise only known from worms. However, lemon balm has similar capabilities to an email worm, but it is clearly not one. A worm is a stand-alone program, which Melissa does not. A virus spreads itself by nestling in files or system areas. Melissa fulfills this definition because the macro infects Word documents and uses them as the host file.
Individual evidence
- ↑ https://www.crn.com/news/security/18823668/virus-writers-senders-rarely-face-jail.htm CRN.com: Virus writers rarely face jail
- ↑ https://www.welivesecurity.com/deutsch/2018/11/13/malware-90er-michelangelo-melissa/ WeLiveSecurity.com: Malware of the 90s: Michelangelo and Melissa
- ↑ https://www.welivesecurity.com/deutsch/2018/11/13/malware-90er-michelangelo-melissa/ WeLiveSecurity.com: Malware of the 90s: Michelangelo and Melissa
- ↑ https://www.securityfocus.com/news/230 SecurityFocus.com: Justice delayed for Melissa author
- ↑ https://www.spiegel.de/netzwelt/web/viren-schoepfer-des-melissa-virus-muss-hinter-gitter-a-194464.html Spiegel: Creator of the Melissa Virus has to be behind bars
- ↑ https://www.manager-magazin.de/digitales/it/a-194784.html Manager Magazin: It could have been five years
- ↑ https://www.cbsnews.com/news/melissa-creator-gets-2nd-jail-term/ CBSNews.com: Melissa creator gets second jail term
- ↑ https://www.virenschutz.info/Melissa-Wurm-Grundwissen_Virenschutz+Tutorials-Tutorials_110.html Virenschutz.info: Melissa-Wurm
- ↑ https://www.pcgameshardware.de/Retrospektiven-Thema-214694/News/Der-Melissa-Wurm-ueberflutet-das-Netz-PCGH-Retro-26-Maerz-679834/ PCGamesHardware.de: The Melissa worm flooded the network
- ↑ https://www.giga.de/extra/malware/specials/was-ist-ein-computer-virus-vergleich-zum-wurm-trojaner-erklaert/ Giga.de: What is a computer virus - Difference to the worm
- ↑ https://www.kaspersky.de/resource-center/threats/viruses-worms Kaspersky: Computer viruses and computer worms
Web links
- Spiegel.de: Ten years of the Melissa computer worm by Annette Schneider , March 24, 2009
- FBI.gov: Melissa Virus - 20th Anniversary