March 29, 2005 4:00 AM PST
Melissa's long gone, but lessons remain
The virus started spreading on March 26, 1999, and traveled quickly across the Internet, using the macro functions in Microsoft Word to burrow into the computers of victims who opened the document. Within three days, hundreds of thousands of PCs were infected.
"Melissa was the second successful e-mail worm, but it was the one that really caught attention," said Richard Smith, an Internet security and privacy consultant who discovered clues in Melissa that pointed to the author of the code. "It showed how e-mail could be used to quickly spread a virus across the Internet."
Written in the Microsoft Word macro language, the virus travels as an attachment in e-mail messages. When opened, Melissa infects the victim's computer and then sends copies of itself to the top 50 addresses in the Outlook address book.
Melissa started spreading on Friday, March 26.
On Sunday, March 28, the FBI's National Infrastructure Protection Center warned of reports of significant network degradation in many corporate networks.
By Monday, three days after it began, the mass-mailing computer virus had reached 100,000 computers, according to the Computer Emergency Response Team Coordination Center.
Subsequent investigation found that an America Online account had been used by David L. Smith, a New Jersey resident, to post the Melissa virus to several USENET news groups.
Smith pleaded guilty to creating and releasing the Melissa virus, and was sentenced to 20 months in prison. He was released in December 2004.
When the minute of the hour matches the day of the month (say 9:26 am on April 26), the Melissa virus inserts the following message into an opened document: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
The quote is from "The Simpsons."
Sources: CERT/CC, CNET coverage
While macro viruses pose little threat today, and most Internet users have gained a healthy distrust of the contents of their in-boxes, mass-mailing computer viruses remain among the top Internet dangers. Moreover, the social engineering technique that convinced people to open the malicious Melissa file has been honed into a more effective tool, forming the basis of the latest e-mail-borne attacks, such as phishing and spam.
Those elements are prompting antivirus researchers to look to past viruses, including Melissa, for clues about how the latest viruses could try to evade current defenses. One in every 40 e-mail messages daily carries a mass-mailing pest, according to mail service provider MessageLabs.
Melissa used now-common techniques to spread. An infected Windows system would send out e-mail messages to the first 50 entries in the computer's Microsoft Outlook address book. Each e-mail had the subject line "Important Message From" and the name of the owner of the affected PC. Because the e-mail messages were sent to known acquaintances, recipients were more likely to open them.
Attached to the e-mail was a Word document, originally titled "list.doc," that contained the Melissa virus and a list of pornographic Web sites. Under certain circumstances, the program could grab a different file from the victim's computer and insert the virus into that instead.
The rate at which Melissa proliferated serves as a lesson for researchers on how virus writers adapt to new methods of propagation, said Jimmy Kuo, a research fellow and antivirus investigator at McAfee, a security software maker. A previous virus, Happy99, had attempted to use e-mail to spread as well, but largely failed.
"We can look to Melissa for clues as to the significance of the Cabir virus for the cell phone, for example," Kuo said. "The Melissa virus showed virus writers that it was possible to spread a virus through e-mail quickly. The Cabir virus has done the same thing for phone viruses through Bluetooth."
The first mobile-phone virus to successfully spread from one handset to another--albeit only modestly--Cabir could be a blueprint for other virus writers. Cabir's major innovation, like Melissa's, is its ability to spread using a new mechanism for viruses--the Bluetooth wireless technology.
Schooled in security
Melissa also had an impact on the learning curve at Microsoft. The use of its e-mail software as the means to spread the virus caused the Redmond, Wash.-based software giant to make major amendments to its applications in the name of security. The changes foreshadowed the more extensive Trustworthy Computing Initiative, which kicked off after the Code Red and Nimda worms ran rampant across the Internet.
"We look and try to learn from every one of these (incidents), and it is critical that we continue to do that, because it is going to be an ongoing effort," said Dan Leach, product manager in Microsoft's Office group.
In 2000, Microsoft launched an update to Outlook that limited the type of attachments that could be sent through the mail client, blocking the