Melissa creator may be uncovered
By Robert Lemos
March 29, 1999
ZDNN


Two software engineers have extracted information from the Melissa virus that appears to lead to an account on America Online Inc. and a Web site that, if matched with a person, could lead law enforcement officials to the author of the prolific virus.

The key is a controversial serial number, called the Globally Unique Identifier or GUID, which is embedded in files created with Microsoft Corp.'s (Nasdaq:MSFT) Office, as well as with some other applications, including Visual Basic. The serial number raised the concern of privacy advocates just a few weeks ago because it can be used to trace certain documents back to the machine on which they were created.

That's exactly what two software engineers have done. Using the unique number, Richard M. Smith, president of software tools developer Phar Lap Software Inc., and Fredrik Bjorck, a Swedish PhD student at Stockholm University's Department of Computer and System Sciences, have tracked down the virus writer to at least one specific Web site.

"We can't be one hundred percent sure," said Smith. "There is a possibility that (the Web site author) was framed. There is a possibility of little green men coming from Mars, too."

In other words, the electronic "fingerprint" on the Melissa virus inserted in the Word macro and the fingerprints on the documents posted on the Web site are the same. That fingerprint, which Office embeds in the GUID, is the media access control (MAC) address: the unique serial number of the PC's Ethernet card.
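The comparison the article describes is a version-1 UUID check: the last 48 bits of such a GUID are the node field, which on a machine with a network card is the card's MAC address. The following Python is an added example, not code from the article or from the engineers it quotes; the GUID strings are constructed samples (the real Melissa identifiers are not printed in the article), and extracting the GUID string from a document is assumed to have been done already. It also shows the caveat a practitioner needs: a generator with no network card fills the node field with a random value and sets its multicast bit, and newer version-4 GUIDs carry no MAC at all, so neither can identify hardware.

```python
import uuid
from datetime import datetime, timedelta

# Constructed sample GUIDs for illustration only. These are NOT the real Melissa
# identifiers; two "matching" documents share a node field so the comparison
# has something to find.
SAMPLE_DOCS = {
    "melissa_macro_doc": "e1a2b3c4-0001-11d3-80aa-0010a4c8b2f1",
    "website_doc_a":     "0f9d8e7c-1234-11d3-9f00-0010a4c8b2f1",
    "unrelated_doc":     "5a6b7c8d-5678-11d3-a0b1-00a0c9d1e2f3",
    "no_nic_doc":        "1234abcd-9abc-11d3-b0c0-c3d4e5f60708",  # random node, multicast bit set
    "newer_v4_doc":      "123e4567-e89b-42d3-a456-426614174000",  # version 4: no MAC field
}

# Version-1 UUID timestamps count 100 ns intervals since the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15)


def guid_fingerprint(guid_str):
    """Return (mac, reliable, created) for a version-1 GUID.

    Returns None when the GUID is not version 1, because only version 1 carries
    a node field that can hold a hardware address.
    """
    u = uuid.UUID(guid_str)
    if u.version != 1:
        return None
    node = u.node  # last 48 bits of the GUID
    octets = [(node >> (8 * i)) & 0xFF for i in reversed(range(6))]
    mac = ":".join(f"{b:02x}" for b in octets)
    # RFC 4122: a generator without a NIC uses a random node value and sets the
    # multicast bit (LSB of the first octet), which no real unicast Ethernet
    # address has. Such a value cannot be matched to a physical card.
    reliable = not (octets[0] & 0x01)
    # The timestamp is a second, independent clue about when the file was made.
    created = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return mac, reliable, created


def group_by_hardware(docs):
    """Map each reliable MAC address to the documents that carry it.

    Documents whose GUID has no usable node field are left out, so every group
    with two or more members is a genuine hardware-level match.
    """
    groups = {}
    for name, guid in docs.items():
        fp = guid_fingerprint(guid)
        if fp is None or not fp[1]:
            continue
        groups.setdefault(fp[0], []).append(name)
    return groups


if __name__ == "__main__":
    for mac, names in group_by_hardware(SAMPLE_DOCS).items():
        print(mac, "->", ", ".join(sorted(names)))
```

A match on the node field ties two documents to the same network card, not to a person; as the article's own caveat notes, the card can be in someone else's machine or the document can have been planted, so the MAC is a lead to corroborate, not a conclusion.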

The Web site belongs to a malicious hacker, and a writer of virus tools, known by several handles, including VicodinES, Sky Roket, John Holmes, and Johnny "One Leg" Johnson, among others, according to Smith.

Posted on alt.sex
Sky Roket is the name of an America Online user, and is also the name on the original e-mail that posted Melissa to the alt.sex newsgroup. But Smith believes that Sky Roket is being used to camouflage the activities of VicodinES. America Online (NYSE:AOL) would not comment on whether that particular user was being investigated by the FBI. The FBI also declined to comment on any potential investigation.

However, whoever controls Sky Roket has a history of posting viruses. Under the same handle, at least three viruses were posted in late 1997 in exactly the same manner (1, 2, and 3). All were attributed to VicodinES's authorship.

According to Phar Lap's Smith, the MAC address derived from the Word document's GUID and the one derived from the documents on Web sites registered to VicodinES and Sky Roket match. The connection was first pointed out by Bjorck in Sweden.

ZDNN has independently confirmed that documents accompanying an Office 2000 macro virus on VicodinES's Web site, created by the person using the VicodinES handle, include the same electronic fingerprint as the Melissa virus. Another one of VicodinES's files is stored on Sky Roket's personal site on AOL.

This could be a costly mistake for the writer. The FBI is looking to prosecute the writer with a fine of $350,000 and five to 10 years, according to statements made by Michael Vatis, director of the National Infrastructure Protection Center.



Copyright (c) 1999 ZDNet. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of ZDNet is prohibited. ZDNet and the ZDNet logo are trademarks of Ziff-Davis Publishing Company.