Memories of the Melissa virus

Word icon
It all started with just one file being uploaded to the internet.

An infected Word document was posted to the usenet newsgroup on March 26 1999. Most people probably thought a Word .DOC file was harmless, even though simple macro viruses had been circulating since mid-1995, and were all too eager to open the file to look through the list of passwords for pornographic websites.

That was the trigger which lead to the Melissa virus spreading like wildfire around the world.

Because when you opened the Word document it forwarded itself to the first 50 people in your Microsoft Outlook address book.

Sign up to our free newsletter.
Security news, advice, and tips.

There were some other curiousities about Melissa which are sometimes forgotten. The virus occasionally corrupted documents by inserting the phrase ‘twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game’s over. I’m outta here.’. This was a reference to an episode of “The Simpsons” cartoon show, where Bart is playing Homer at Scrabble and puts down the “word” KWIJYBO to represent a balding, North American ape.

Melissa was the first one of the first* successful email-aware viruses, forcing some large companies to shut down their email gateways because of the colossal amount of email the malware was generating.

Virus writers couldn’t fail to notice the impact that Melissa was having, and the virus cast a long shadow as it inspired thousands of other malware attacks such as Anna Kournikova, The Love Bug, Netsky, and Bagle in the years to come.

I hadn’t quite started working for Sophos at the time of the Melissa virus outbreak (I was in-between security companies, minding my garden) but I still remember how internet discussion groups like alt.comp.virus were dominated with discussion of this fast-spreading piece of malware, and how other hackers posted of their concern that Melissa’s author may have bitten off more than he could chew.

Discussion on alt.comp.virus

And, funnily enough, it was that initial posting to the internet newsgroup that was to help the authorities identify the mastermind behind the Melissa virus.

The Word document that had been uploaded to Usenet had come from the account of an AOL user, [email protected]. Police contacted AOL and quickly determined that the owner of the account had not been the person who had uploaded the file – instead his account had been compromised by an unknown hacker. Fortunately, AOL were able to provide information which pointed in the direction of a house in New Jersey.

Less than a week after the Melissa virus oubreak began, 30-year-old David L Smith was arrested at his brother’s house in Eatontown, New Jersey, and it was soon confirmed that Smith had released the virus (which he had named after a stripper he had known in Florida) from his apartment.

Collage of David L Smith, author of the Melissa virus

I remember at the time being surprised at how old Smith was. Most virus writers at the time were teenage boys, not emotionally mature enough to have grown out of writing viruses which were predominantly designed to show off rather than make money. Remember, at the time financially-motivated malware was extremely rare. Melissa was just written “for kicks” rather than to make money.

Without at least a financial motivation for his actions, it’s hard not to think of a thirty-year-old man hanging out on the internet with virus-writing buddies to be anything other than a bit sad.

But it seems Smith was smart enough to realise he should cooperate with the authorities to minimise any possible punishment. Within weeks of the FBI arresting him, he was using a fake identity to communicate with and track virus writers around the world.

According to court documents released some years later, Smith gave the FBI the name, home address, email address of Jan de Wit (also known as “OnTheFly”), the Netherlands-based author of the Anna Kournikova virus. The FBI passed the information on to authorities in the Europe, who arrested de Wit, who was later sentenced to 150 hours community service.

Furthermore, in 2001 David L Smith is claimed to have assisted in another investigation into a virus writer – having recorded online discussions with part-time DJ Simon Vallor, the author of three viruses. The FBI shared the information with British detectives, who arrested Vallor in February 2002. Vallor subsequently pleaded guilty and was sentenced to two years imprisonment.

In return for his services, the FBI paid for David L Smith’s rent, insurance and utilities, totalling over $12,000.

No doubt, Smith’s assistance to the FBI contributed to a tardiness in sentencing him. It wasn’t until 2002, over three years after the Melissa virus spread across the globe, that he finally received his punishment of a 20 month jail term.

The words I wrote at the time seem to me to be a fitting coda for the story of Melissa:

"The Melissa worm was a serious security breach, inconveniencing millions of computer users the world over - it's important that Smith has been dealt with in an appropriate manner by the US courts," said Graham Cluley, senior technology consultant at Sophos. "It's just a shame that the authorities couldn't have worked quicker to bring him to book. Smith has already been a dark inspiration to a whole generation of script kiddies - these copycat virus writers would have undoubtedly thought twice before distributing their malicious code if their hero was serving time."

I don’t know what happened to Smith after jail, but I hope he managed to rebuild his life. He may have written malware in a more innocent era than today, but there’s no doubt that his creation helped spawn the imagination of many other cybercriminals. In many ways, Melissa was the Grandmother of email-aware malware, which continued to plague companies and home users for years to come.

* Footnote: Thanks to colleague Paul Ducklin who correctly points out that Melissa wasn’t the first email-aware virus. For instance, Happy99, although not a mass-mailer since it only transmitted one email for each one you sent yourself sent predates Melissa by at least two months.

It’s quite neat to mention Happy99, as its author Spanska, is the fellow I quote above who hopes that Melissa’s creator will not be caught. Presumably reflecting his hope that he would continue to evade prosecution too!

But going even further back in time, the CHRISTMA EXEC worm which took out BITNET/EARNET (and could be argued to be even more “successful” than Melissa, in terms of the extent to which it affected the overall functionality of the internet) can probably be described as the first successful mass-mailing malware, back in 1987.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.