FBI, experts search for elusive author of 'Melissa' virus

If you open the attachment, the virus sends the e-mail to the first 50 entries in your address book

March 30, 1999
Web posted at: 10:47 p.m. EST (0347 GMT)

WASHINGTON (CNN) -- Several mutations of the computer virus known as Melissa surfaced Tuesday, although experts said they were not as effective as the original in clogging e-mail systems.

The FBI has launched an investigation into the fast-spreading virus, which first appeared last Friday and spread rapidly around the world by Monday.

The agency estimated that the virus has affected "thousands of computer users" at more than 100 companies and government agencies.

"I urge e-mail users to exercise caution when reading their e-mail for the next few days and to bring unusual messages to the attention of their system administrator," said Michael A, Vatis, director of the FBI's National Infrastructure Protection Center (NIPC).

NIPC is a multiagency unit focusing on threats to the nation's infrastructure, including computers and telephone, electric and water systems.

The Melissa virus spreads via Microsoft's widely used Word 97 and Word 2000 documents which can be attached to e-mail messages.

The Melissa virus comes in the form of e-mail, usually containing the subject line "Important Message." It appears to be from a friend or colleague.

The body of the e-mail message says, "Here is that document you asked for ... don't show it to anyone else" with a winking smiley face formed by the punctuation marks ;-).

Attached to the message is a Microsoft's Word document file that lists Internet pornography sites. Once the user opens that file, the virus digs into the user's Microsoft's Outlook address book and sends infected documents to the first 50 addresses.

Computer sleuth tracks down virus source

As the virus swamped one computer system after another over the weekend, software developer Richard Smith followed a trail of electronic fingerprints left by Melissa.

"This electronic fingerprint is basically the serial number of your computer. So what I was curious about is whether it would be possible to use the serial number in the Melissa document ... to track down the author," said Smith, who runs Phar Lap Software, a small Cambridge, Massachusetts, software firm that makes operating systems and software tools.

Smith posted his "digital fingerprinting" theory on an Internet discussion group Friday. He received an e-mail from a college student in Sweden who pointed out similarities between Melissa and older viruses written by a computer user known as "VicodinES."

Smith was familiar with other work attributed to the notorious VicodinES, named after the painkiller drug Vicoden. The same user had posted so-called "virus creation tool kits" on the Web.

"In about 30 percent of those files, I found that same fingerprint number, the same serial number that was in the Melissa virus ... at a minimum, we know that the Melissa virus and these tool kits were created on the same computer," Smith said.

Threat remains

Smith said he turned his findings over to the FBI, who regard the transmission of the virus as a criminal matter.

But the biggest impact of the Melissa virus appeared to be the temporary shutdown of massive computer systems by cautious managers.

Computer giants Microsoft and Intel were among those who received copies of the tainted note, as did Lucent Technologies, the world's largest communications equipment maker.

And although anti-virus software programs have so far been successful in containing Melissa, experts fear its variants will be corrected and distributed by copycat virus writers.

Indeed, a potentially more damaging virus code-named "Papa" emerged on Monday. The new virus is a more elaborate program that uses the same e-mail system as Melissa.

Correspondent Marsha Walton, The Associated Press and Reuters contributed to this report.