Melissa Computer Virus
Melissa Virus: The Email Macro Virus That Brought Corporate Email to a Standstill
The Melissa virus, discovered in March 1999, was a macro virus that infected Microsoft Word documents and spread rapidly through email attachments, exploiting Microsoft Outlook. One of the first malware outbreaks to cause widespread disruption via social engineering and email propagation, Melissa overwhelmed email servers across corporations, governments, and individuals.
Introduction to the Melissa Virus
Created by David L. Smith and named after a Florida exotic dancer, Melissa was disguised as an innocent Word document attachment. It used enticing email subject lines and messages to trick recipients into opening the infected file. Once activated, Melissa sent copies of itself to the first 50 contacts in the victim's Outlook address book, causing a massive spike in email traffic that crashed or slowed email servers worldwide.
1. How the Melissa Virus Worked
Infection Mechanism:
- Melissa arrived via email with the subject line: “Important Message From [username]”
- The body of the email read: “Here is that document you asked for… don’t show anyone else ;-)”
- The attached file, often named "LIST.DOC", contained a malicious macro embedded in a Microsoft Word document.
- Once the document was opened and macros were enabled, the virus infected the victim’s system and accessed their Outlook address book.
Propagation Process:
- Sent an infected email to the first 50 contacts in the user's Outlook address book, amplifying its spread exponentially.
- Infected Word documents on the local machine by adding the malicious macro to normal.dot, the default Word template, ensuring all new documents created were infected.
- Could trigger offensive messages or insert random quotes from The Simpsons into Word documents in certain circumstances.
2. History and Notable Campaigns
Origin and Discovery:
- Melissa was first detected on March 26, 1999.
- It spread rapidly within hours, initially through the alt.sex Usenet newsgroup, where the infected document was posted as a download.
- Within days, major corporations and government organizations experienced email system overloads.
Notable Impacts:
- Microsoft, Intel, and Lockheed Martin were among major organizations affected.
- The U.S. Marine Corps and FBI reported disruptions.
- Estimates suggest 60,000 to 80,000 infections occurred within days of Melissa's release.
3. Targets and Impact
Targeted Victims and Sectors:
- Primarily targeted Microsoft Word and Outlook users, both corporate and personal.
- Victims included large corporations, government agencies, and individual home users.
Consequences:
- Email servers became overloaded, unable to handle the sheer volume of automatically sent infected messages.
- Network slowdowns and server crashes resulted in productivity loss and service outages.
- Total damages were estimated to exceed $80 million, including cleanup costs and lost productivity.
4. Technical Details
Payload Capabilities:
- Macro Virus: Embedded malicious Visual Basic for Applications (VBA) code inside Word documents.
- Email Propagation: Used Microsoft Outlook to email itself to additional victims.
- Template Infection: Altered normal.dot, infecting all new documents.
- Could insert random text and references from The Simpsons into documents.
Requirements:
- Required users to open the infected document and have macros enabled in Word for the payload to activate.
- Targeted Microsoft Office 97 and 2000, with Outlook 97/98.
5. Preventing Melissa Infections
Best Practices (Then and Now):
- Disable macros by default in Microsoft Office applications.
- Don’t open unexpected email attachments, even from known contacts.
- Use antivirus software with up-to-date definitions to detect and block macro viruses.
- Implement email filters to block executable and potentially malicious attachments.
Recommended Security Tools:
- Antivirus software from Norton, McAfee, and Trend Micro was updated to detect and block Melissa shortly after its release.
- Microsoft released macro security updates for Office to restrict macro execution.
6. Detecting and Removing Melissa
Indicators of Compromise (IoCs):
- Unusual spikes in outgoing emails, especially those with identical subject lines and attachments.
- Presence of infected normal.dot templates in Word.
- Word documents containing AutoOpen macros with malicious VBA code.
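The first indicator above, a burst of outgoing mail with an identical subject line and attachment, can be checked against mail delivery logs. The sketch below is an added example, not part of the original page; the pipe-delimited log format, the addresses, and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    # Assumed format: ISO timestamp|sender|recipient|subject|attachment
    ts, sender, rcpt, subject, att = line.rstrip("\n").split("|", 4)
    return (datetime.fromisoformat(ts), sender.lower(), rcpt.lower(),
            subject.strip(), att.strip().lower())

def find_bursts(lines, min_recipients=20, window=timedelta(minutes=5)):
    """Return {(sender, subject, attachment): peak distinct recipients}
    for senders who mailed the same subject and attachment to at least
    min_recipients distinct addresses inside one sliding time window.
    Lines must be in chronological order."""
    recent = defaultdict(deque)   # key -> (timestamp, recipient) pairs
    alerts = {}
    for line in lines:
        try:
            ts, sender, rcpt, subject, att = parse_line(line)
        except ValueError:
            continue              # skip malformed or truncated lines
        if not att:
            continue              # only attachment-bearing mail is of interest
        key = (sender, subject, att)
        q = recent[key]
        q.append((ts, rcpt))
        while ts - q[0][0] > window:   # drop deliveries older than the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= min_recipients:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def sample_log():
    # Constructed sample: one mass mailing and one slow, legitimate sender.
    base = datetime(1999, 3, 26, 9, 0, 0)
    lines = []
    for i in range(50):    # 50 recipients within 50 seconds
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|alice@corp.example|user{i}@corp.example|"
                     "Important Message From Alice|LIST.DOC")
    for i in range(25):    # 25 recipients spread over four hours
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t}|bob@corp.example|peer{i}@corp.example|"
                     "Weekly report|report.doc")
    lines.append("garbage line")   # malformed entry, must be ignored
    return sorted(lines)           # ISO timestamps sort chronologically

if __name__ == "__main__":
    for key, peak in find_bursts(sample_log()).items():
        print("burst:", key, "distinct recipients:", peak)
```

Counting distinct recipients rather than raw messages keeps retries to a single address from triggering the alert, and the window keeps steady senders such as the second one in the sample below the threshold.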
Removal Steps:
- Run a full system scan with updated antivirus software to detect and remove the virus.
- Delete or restore a clean normal.dot template.
- Review and delete any suspicious or infected emails from Outlook.
- Apply macro security settings to prevent re-infection.
Professional Help:
Widespread infections in enterprise environments may require professional IT support to clean infected machines and restore normal email operations.
7. Response to a Melissa Attack
Immediate Steps:
- Disable email servers temporarily to prevent further spread.
- Notify users to avoid opening suspicious attachments.
- Implement network scanning to identify infected systems and isolate them.
- Patch and update Office and Outlook software to close security gaps.
8. Legal and Ethical Implications
Legal Considerations:
- Melissa's creator, David L. Smith, was arrested within days of the virus’s discovery.
- Smith was sentenced to 20 months in federal prison, fined $5,000, and served supervised release for his role in creating and distributing the virus.
Ethical Considerations:
- Melissa raised awareness of the ethics of responsible programming and the harm caused by malware, even when not explicitly destructive.
9. Resources and References
- FBI Case Summary on David L. Smith and the Melissa Virus
- F-Secure: Virus Encyclopedia Entry on Melissa
- Microsoft Security Intelligence: Virus W97M/Melissa.A
- Microsoft Office Macro Security Guidance
- United States General Accounting Office: The Melissa Computer Virus Demonstrates Urgent Need for Stronger Protection Over Systems and Sensitive Data (PDF)
10. FAQs about the Melissa Virus
Q: What was the Melissa virus?
Melissa was an email-borne macro virus that spread via infected Microsoft Word documents and propagated through Microsoft Outlook in 1999.
Q: How did Melissa spread?
It spread by sending infected emails to the first 50 contacts in the victim's Outlook address book once the infected Word document was opened.
Q: Is Melissa still a threat today?
No, Melissa is obsolete, but it led to major improvements in email and macro security. Its legacy persists in the lessons learned about email-borne threats.
11. Conclusion
The Melissa virus was one of the first malware outbreaks to demonstrate the power of social engineering and email propagation in spreading malicious code. It served as a wake-up call for the cybersecurity community, leading to improved security practices, especially around email handling and macro execution controls.