Melissa worm

The Melissa Worm, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a computer worm that also functions as a macro virus.

Table of contents
1 History
2 Worm Specifications
3 See Also
4 Sources/External Links

History

First found on March 26, 1999, Melissa came to be one of the most infamous computer worms the world has ever seen. It shut down Internet mail systems that became clogged with infected e-mails propagating the worm.

Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allowed access to 80 pornographic websites. The worm's original form was sent via e-mail to many people.

Melissa was written by David L. Smith in Eatontown, New Jersey, and named after a lap-dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to the macro virus writers VicodinES and Alt-F11, who had several Word files with the same characteristic Globally Unique Identifier (GUID), a serial number that was earlier generated with the network card MAC address as a component.

Worm Specifications

Melissa can spread through the word processors Microsoft Word 97 and Word 2000, and it can mass-mail itself from the e-mail clients (MUAs) Microsoft Outlook 97 or Outlook 98. The worm does not work on any other versions of Word, including Word 95, and it cannot mass-mail itself through any other mail client, even Outlook Express.

If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, the macro in the document, which carries the virus, runs and attempts to mass-mail itself.

When the virus mass-mails, it collects the first 50 entries from the alias list, or address book, and sends itself to the e-mail addresses of those entries.

Melissa.A/Original Version

This is what infected e-mails say:
From: 
Subject: Important message from 
To: 
Attachment: LIST.DOC
Body: Here is that document you asked for ... don't show anyone else ;-)

If the worm has already sent itself, or cannot spread that way because there is no Internet connection or no Outlook, it spreads to other Word documents on the computer. Other infected documents can also be mailed. If confidential data is inside the document, the recipient of the e-mail containing the document can view it.

The worm's activation routine inserts quotes from "The Simpsons" into other documents if the minutes of the hour of the computer's clock match the day of the month (e.g. 7:09 on the 9th day of the 7th month). Quotes include phrases like "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." The alias of the author, "Kwyjibo", is also a Simpsons reference.

Melissa.I/Empirical

This variant can send using any of these subject line and body combinations, all of which are different from Melissa's original form.

1. Subject: Question for you...
Body: It's fairly complicated so I've attached it.

2. Subject: Check this!!
Body: This is some wicked stuff!

3. Subject: Cool Web Sites
Body: Check out the Attached Document for a list of some of the best Sites on the Web

4. Subject: 80mb Free Web Space!
Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room.

5. Subject: Cheap Software
Body: The attached document contains a list of web sites where you can obtain Cheap Software

6. Subject: Cheap Hardware
Body: I've attached a list of web sites where you can obtain Cheap Hardware

7. Subject: Free Music
Body: Here is a list of places where you can obtain Free Music.

8. Subject: * Free Downloads
Body: Here is a list of sites where you can obtain Free Downloads.

NOTE: The asterisk "*" in the 8th subject can be any random character that the worm specifies in the e-mail.

This version uses a different registry key, named "Empirical", to check if the worm had already mass mailed itself.

This version has another payload; if the number of minutes equals the number of hours, the worm will insert the phrase "All empires fall, you just have to know where to push." The virus then clears the flag that it had mass mailed itself from the registry. As soon as Word is restarted, a new document is created, a document is opened, or a document is closed, the worm will mass mail itself again.

Melissa.O

This version sends itself to 100 people in the alias list instead of 50. This is the e-mail message it sends:

Subject: Duhalde Presidente
Body: Programa de gobierno 1999 - 2004.

Melissa.U

This version is like Melissa.A, but it has several notable differences. The module it uses is named "Mmmmmmm". This version sends itself to only 4 recipients instead of 50. This is what the infected e-mail looks like:
Subject: Pictures (Username)
Body: what's up ?

The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.

The following strings can be placed in documents: "Loading... No", and ">>>>Please check Outlook Inbox Mail<<<<".

The virus also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes, which makes them fair game for deletion.

Melissa.V

This variant is akin to Melissa.U. However, this variant sends itself to 40 different e-mail addresses in the address book. This is the subject line of the infected e-mail that it sends. There is no body.
Subject: My Pictures (Username)
The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.

After this variant has mailed itself, it deletes all files from the root of the following drives: F, H, I, L-Q, S, X, and Z.

After that, the virus shows a message box. It has the text: "Hint: Get Norton 2000 not McAfee 4.02".

Melissa.W

This is the same as Melissa.A, except that it does not lower macro security settings in Word 2000.

Melissa.AO

This is what the e-mails from this version contain:

Subject: Extremely URGENT: To All E-Mail User -
Attachment: Infected Active Document
Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.

Melissa.AO's payload occurs at 10am on the 10th day of each month. The payload consists of the worm inserting the following string into the document: "Worm! Let's We Enjoy."
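
The subject and body strings listed for each variant above can be turned into a mail-gateway check. This is an added example, not part of the original article and not code from any antivirus product; the function names, the requirement of a `.doc` attachment, and the sample-message builder are assumptions of this example.

```python
import re
from email.message import EmailMessage

# (variant, subject regex, body marker) transcribed from the variant
# descriptions above. A body marker of None means "body must be empty".
SIGNATURES = [
    ("Melissa.A", r"Important message from ", "Here is that document you asked for"),
    ("Melissa.I", r"Question for you\.\.\.$", "It's fairly complicated so I've attached it."),
    ("Melissa.I", r"Check this!!$", "This is some wicked stuff!"),
    ("Melissa.I", r"Cool Web Sites$", "Check out the Attached Document for a list"),
    ("Melissa.I", r"80mb Free Web Space!$", "Check out the Attached Document for details"),
    ("Melissa.I", r"Cheap Software$", "obtain Cheap Software"),
    ("Melissa.I", r"Cheap Hardware$", "obtain Cheap Hardware"),
    ("Melissa.I", r"Free Music$", "obtain Free Music"),
    ("Melissa.I", r". Free Downloads$", "obtain Free Downloads"),  # any leading character
    ("Melissa.O", r"Duhalde Presidente$", "Programa de gobierno 1999 - 2004."),
    ("Melissa.U", r"Pictures \(.*\)$", "what's up ?"),
    ("Melissa.V", r"My Pictures \(.*\)$", None),
    ("Melissa.AO", r"Extremely URGENT: To All E-Mail User", "our E-Mail Server will down"),
]

def classify(msg):
    """Return the name of the matching variant, or None if nothing matches."""
    # Assumption: the worm always travels as an attached Word .doc file.
    if not any((a.get_filename() or "").lower().endswith(".doc")
               for a in msg.iter_attachments()):
        return None
    subject = str(msg["Subject"] or "").strip()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip() if part is not None else ""
    for variant, subject_re, marker in SIGNATURES:
        if not re.match(subject_re, subject):
            continue
        if (marker is None and body == "") or (marker and marker in body):
            return variant
    return None

def make_sample(subject, body, filename):
    """Build a constructed test message (placeholder bytes, not worm traffic)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="msword", filename=filename)
    return msg
```

Matching on fixed strings only catches the variants described here; a variant with a new subject line passes unnoticed, so such a filter complements macro scanning of the attachment rather than replacing it.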

See Also

Sources/External Links