Melissa trail leads to 'ex' virus writer
By Luke Reiter and Jim Louderback
March 30, 1999
ZDTV

The systems administrator whose site houses a page that may belong to the creator of the Melissa virus told ZDTV that he has nothing to do with the virus, and that the potential creator "is in retirement."

'Last I heard, he'd gone into retirement' -- Roger Sibert

Roger Sibert, the systems administrator for Source of Kaos, a site frequented by virus enthusiasts, said that site log files showed that VicodinES had not been active on the site in the last 30 days. Code written by VicodinES has been linked to the Melissa virus, which has run wild on the Net since first appearing last Friday.

"Last I heard, he'd gone into retirement," Sibert told ZDTV Monday night. Sibert has not yet been contacted by the FBI, but said he would cooperate with them fully if they did get in touch.

"I'm not hiding anything," he said.

Sibert said he has had contact with VicodinES through e-mail and Internet Relay Chat forums and was impressed with his code writing skills. "He's probably talented enough to do it (the Melissa virus)," he said.

'Going into retirement'
Sibert said he last had contact with VicodinES between 8 months and 12 months ago, when VicodinES had requested that his page be made inactive, as he was going into retirement.

The Melissa Virus contains a unique number -- the Global Unique Identifier or GUID -- embedded in the header of the word file. That number points to the computer that actually created the Word document. ZDTV verified that that unique number is the same as one contained in a virus, called PSD2000.DOC, located on the site of a virus developer known as VicodinES.

However, the unique computer ID is stored in a Word document only once -- when the document is created. Even if a document is copied to a new computer, and saved under a new name, the original GUID number does not change.

As any programmer knows, it's a lot easier to create a new program by building on the work done by someone else. And VicodinES admits on his site that he built PSD2000.DOC based on a virus called Shiver. Shiver is the work of a virus developer calling himself ALT-F11.

ZDTV tracked down Shiver, and checked its GUID, which also matched the unique GUID embedded in Melissa. In addition, another virus created by ALT-F11 -- called 'Groovie2' -- also contains the same GUID as Shiver, Melissa and PSD2000. Since ALT-F11 claims to have written both Groovie and Shiver, it's likely that the GUID in all those viruses maps to his workstation.

A check of the other word macros created by VicodinES found that PSD2000.Doc was the only file with that GUID. All of the others, which VicodinES claims he created himself, had a different GUID.

Melissa related to Shiver?
What does all this mean? Whoever wrote Melissa built the virus around a Word file originally created on the same machine that Shiver was originally created on. Was this ALT-F11? Possibly, because Shiver and Melissa share the same GUID. However, since virus developers frequently build on the work of others, in the same way that VicodinES built on Shiver to create PSD2000.doc, VicodinES could have written Melissa, as well.

A third possibility exists, too. Another virus developer could have built Melissa out of the core of Shiver, or another out of another virus created on the same machine as the core of Shiver.

Finally, someone could have taken the PSD2000.doc file and enhanced it into Melissa. Because Vicodin appears to be the first person to have created a Word 2000 macro virus, it could be that the virus creator built Melissa out of Vicodin's PSD2000.doc virus.

Who is ALT-F11? Our information is spotty, but ALT-F11 is a part of the self-styled "Alternative Virus Mafia."

For magazine subscription savings, risk-free trial issues, newsletters, and more, click here!