Remember Melissa the malware stripper? She’s back

Graham Cluley
Graham Cluley
@[email protected]

You probably don’t need too great a memory to remember the Melissa virus.

It was one of the very first email-aware viruses, striking the internet hard in 1999 by forwarding itself in an infected Word document to the first 50 people in your Outlook address book.

It was the grandaddy of some of the big viruses that followed, paving the way for other significant email worms like the Love BugAnna Kournikova and MyDoom.

But what many people don’t remember is that David L Smith, the author of Melissa, named his virus after an exotic dancer he encountered in Miami, Florida.  And guess what? Melissa is back!

Sign up to our free newsletter.
Security news, advice, and tips.

No, not the Word macro virus Melissa – Melissa the striptease artiste. Or at least another malware-loving stripper going  by the same name.

The Troj/CAPTCHA-A Trojan horse poses as sexy game, offering increasingly saucy photographs of a blonde model called Melissa in exchange for the user correctly unscrambling an image. The obfuscated image is a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), used by websites to ensure that requests are being made by a human being and not a bot.

As you can see below, everytime a CAPTCHA is entered correctly Melissa donates another item of clothing to charity.

What players of the game may not realise is that they are actually helping cybercriminals do their dirty work for them.  By deciphering the text in exchange for Melissa the stripper exposing herself some more, you are helping the bad guys get around checks designed to prevent them from setting up Yahoo! accounts.

The CAPTCHA-A Trojan horse isn’t prevalent, but it proves that hackers are becoming more inventive in their attempts to exploit an all-too-easily tempted public.

By the way, David L Smith was eventually sentenced in 2002 after causing millions of dollars worth of damage. One wonders if he ever dreamt that Melissa the stripper would make another appearance in the world of malware.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.