Melissa virus turns 10
McAfee researcher talks with CNET News about the spread of Melissa 10 years ago, how the author was tracked down, and how it differs from today's Conficker worm.
A correction was made to this story. Read below for details.
A decade ago there was no Facebook, no iPhone, and no Conficker. There was dial-up and AOL and a nasty virus called Melissa that became the fastest-spreading virus seen up to that point.
CNET News talked to Dmitry Gryaznov, a senior research architect at McAfee Avert Labs who was among the researchers who worked to fight the Melissa outbreak and track down the creator.
Q: How was Melissa discovered?
Gryaznov: Avert as a whole discovered it, as did some of the competitors. It was submitted to us by customers as it started to spread around the world (on March 26, 1999).
What made Melissa different from previous viruses?
Gryaznov: It was the first mass-mailing virus, which used e-mail to spread on a large scale.
What harm did the virus do?
Gryaznov: In some cases the load on the e-mail servers in some organizations was so high that the servers were effectively shut down.
How many computers were affected and what did the virus do?
Gryaznov: Hundreds of thousands of computers were affected. That's a guess...Melissa infected other documents a user opened in Microsoft Word. It also connected to Outlook if it was running and selected 50 entries in the address book and e-mailed an infected document to those addresses...including mailing lists...As a result, the virus was sent not just to 50 people, but to thousands of people easily. We didn't have any firm numbers to go by, but we did have reports from customers saying their Exchange servers were overwhelmed.
How long did the outbreak last?
Gryaznov: Several days, but the infections continued to be registered for a long time after that. It was just a macro virus and we were well equipped to provide detection and removal for people's computers even then...The fact that it was so widespread in the world already meant it took a long time to remove the infections.
How did the virus writer get caught?
Gryaznov: I was running, actually still am, a project called Usenet Virus Patrol, which scans Usenet articles for viruses. The author of Melissa posted the virus to a newsgroup called "alt.sex." It was zipped up and sent as if it was a list of passwords to like 80-something different porno sites...It was just bait to entice people into downloading it and opening it. Once it was opened, it started e-mailing itself around. It was relatively easy to go back and find the exact Usenet posting that started all this. In the header of the posting it was possible to find out not only the e-mail address from which it was sent but also the IP address of the computer from which it was sent. That IP was linked to an AOL account and from that the FBI subpoenaed AOL and they provided the dial-in logs...and found out what computer was assigned that IP address and from what telephone number the call was made. The AOL account was a compromised one...The phone call that used that account came from New Jersey and the FBI linked the phone number to a particular address. That is how they found the guy's computer...The data we provided them was the clue that led straight to the criminal. (David L. Smith pleaded guilty and was sentenced to 20 months in prison and $5,000 in fines.)
What was the motivation behind Melissa?
Gryaznov: There was no material gain. Back then, people didn't do it for money. They did it for mischief, for fame...Today there is huge money in computer crime...Back then, we had 200 times fewer pieces of malware than we have today.
Any comments on Conficker and Melissa and how far we've come?
Gryaznov: Conficker is a completely different type of thing. It's not a macro virus. It's an executable and a botnet, and it downloads lots of stuff on your computer. It's basically a network for sale. It can be rented out. It can be used for password stealing. Back in 1999 there wasn't such a thing as a business model for malware...Today, big money is involved in computer malware. You cannot even compare them.
Corrected March 31 with proper spelling of Gryaznov's name.