Melissa: A dance with the devil

The Melissa virus was released around March 26, 1999. It targeted Microsoft Word and Outlook-based systems.

09-05-2022 - 4 minute read. Posted in: case.

It was 26 March 1999. People were still getting used to using email regularly, and Microsoft Outlook had only been around for a few years. A man named David L. Smith decided to take advantage of the confusion surrounding the Internet and email when he created the first successful email-aware computer virus. The Melissa virus was one of the first types of malware to gain public attention because it ended up causing more than $80 million in damage.

Allegedly named after a Florida stripper Smith knew, the Melissa virus ended up being a huge wake-up call for computer users of the time. They found out how many vulnerabilities a computer could have and how they could be exploited.

How did it work?

The Melissa virus did not damage individual computers, according to a 1999 BBC news report. Instead, the virus spread via infected Word documents. Disguised as an important message from someone they knew, email users would receive messages like: "Here's the document you asked for ... don't show it to anyone else ;-)". Users would then open the attached document, usually called LIST.DOC, which contained a list of pornographic websites and associated login details for each. The malware then forwarded itself to the first 50 people in an infected user's Microsoft Outlook address book, further spreading the virus.

This meant that each infected computer had the ability to infect a further 50 computers. On top of this, many of the email addresses found on people's computers were actually groups of other email addresses, so it was often more than just one person who received an infected email.
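As an added example (not part of the original article), the fan-out described above can be spotted at a mail gateway by counting how many recipients one sender reaches with the same Word attachment in a short window, with distribution lists counted by their member count. The log format, addresses, list sizes, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumption: distribution-list address -> number of members.
LIST_SIZES = {"all-staff@example.org": 400}

def sample_log():
    """Constructed gateway records: timestamp,sender,recipient,attachment."""
    base = datetime(1999, 3, 26, 9, 0, 0)
    rows = [f"{(base + timedelta(seconds=i)).isoformat()},alice@example.org,"
            f"user{i}@example.net,LIST.DOC" for i in range(50)]   # burst of 50
    rows += [f"{(base + timedelta(minutes=10 * i)).isoformat()},dave@example.org,"
             f"peer{i}@example.net,notes.doc" for i in range(60)]  # slow, normal use
    rows.append(f"{base.isoformat()},carol@example.org,all-staff@example.org,LIST.DOC")
    return rows

def parse(line):
    ts, sender, rcpt, attachment = line.split(",")
    return datetime.fromisoformat(ts), sender, rcpt, attachment.lower()

def find_mass_mailers(lines, threshold=50, window=timedelta(minutes=5),
                      list_sizes=LIST_SIZES):
    """Return {(sender, attachment): peak reach} for bursts at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        ts, sender, rcpt, att = parse(line)
        if att.endswith((".doc", ".dot")):  # Word document/template attachments
            events[(sender, att)].append((ts, rcpt))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            rcpts = {r for _, r in evs[start:end + 1]}
            # A list address reaches every member, not just one mailbox.
            reach = sum(list_sizes.get(r, 1) for r in rcpts)
            if reach >= threshold:
                alerts[key] = max(alerts.get(key, 0), reach)
    return alerts

if __name__ == "__main__":
    for (sender, att), reach in find_mass_mailers(sample_log()).items():
        print(f"ALERT {sender} sent {att} to ~{reach} mailboxes within 5 minutes")
```

A single message to a distribution list trips the rule here, which mirrors the point that one address-book entry often stood for many recipients.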

Melissa had serious consequences for the companies and web servers that carried the large volumes of emails that were created. It successfully crippled hundreds of networks, including those of Microsoft and the United States Marine Corps. The New York Times reported in March 1999 that 250 organisations had called the Computer Emergency Response Team, a Pentagon-funded security service at Carnegie Mellon University. That meant at least 100,000 workplace computers were affected. It is not known exactly how many computers Melissa managed to infect, but the estimated number is around 1 million computers.

In 1999, Melissa was the fastest and most widespread computer virus in world history.

And what happened next?

Smith, Melissa's creator, was arrested at his brother's house after an investigation led by the FBI. They tracked him down electronically just a week after Melissa was released. Smith pleaded "not guilty" and said he had no idea the virus would inflict that kind of damage. He claimed it was originally intended as a harmless joke.

"When I released the virus, I expected that any financial damage would be small and incidental. In fact, I included features designed to prevent significant damage. I had no idea there would be such widespread consequences for others," he said in court, according to US news outlet ZDNet.

The then 34-year-old man served 20 months in prison and had to pay a $5,000 fine. The judge overseeing his case also asked Smith to stay away from computer networks and the Internet unless the court granted permission. He could have faced up to five years in prison, but prosecutors suggested a shorter sentence because Smith agreed to help authorities find and thwart other computer viruses.

Melissa's lasting impact

Melissa may seem like a simple virus now, but the attack foreshadowed many of the attacks to come in the 21st century.

Unfortunately, Melissa also inspired thousands of other malware attacks, including Anna Kournikova, ILOVEYOU/Love Bug, Netsky and Bagle.

Although Melissa was devastating, the virus made computer users more aware of what could be hacked and forced both individual users and governments to take cyber threats and hacking much more seriously, which has been a benefit in the long run.

Author Sofie Meyer

About the author

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.
