On first blush, Melissa looks benign. In your e-mail in-box you get an “important message” from a friend. Open it up and you read, “Here is that document you asked for… don’t show anyone else ;-).” There is a Microsoft Word file icon. Click on it and you see a list of passwords for pornography sites on the World Wide Web. While you ponder that, Melissa is secretly exploiting a Word feature that works with another Microsoft program, Outlook, which handles e-mail: it grabs the first 50 names in your address book and mails them the virus. No wonder Melissa, born on Friday, March 26, was known as a digital Typhoid Mary before the weekend was out.

On Saturday, CERT reports, one 500-employee advertising firm got 32,000 messages in three quarters of an hour. The list of unexpected recipients of Melissa-mail included Boeing, Lockheed Martin and the U.S. Marines. CERT reported that at least 300 organizations and 100,000 machines were affected.

But even those hit hardest by the scourge suffered only some e-mail downtime as administrators scrubbed the systems. As Nachie Marquez, a manager for the city of Tempe, Ariz., learned, the worst aftereffect of getting ‘Lissaed was profound embarrassment as dozens of her correspondents received a Cliffs Notes of sex sites and a silicon social disease.

By midweek, several antivirus companies had fixes in wide distribution. Even without those aids, anyone could be inoculated by simply not opening the document or, better yet, turning off the function in Word that can automate e-mail. When the bits cleared, it looked as if Melissa had left the world ruffled but unharmed. The raft of copycat variations (the Papa virus, the Mad Cow virus) were also easily thwarted.

Not so the recriminations. Some people blamed Microsoft: if we weren’t slaves to Bill Gates’s applications, they griped, such attacks couldn’t proliferate. Microsoft’s John Dunkin, of course, disagrees. “Word and Outlook are popular products,” he says, “and so that is why they are targets.”

The bigger complaints were directed at the pesky, punky community that condones the spread of viruses–and “scripts” new ones. “I love it to write such code… to see them survive in the wild is kind of nice also!” writes “Spooky,” a 17-year-old scriptor and founder of the Codebreakers virus crew. Here’s where the story got really interesting. Not since the Internet Worm of 1988 has a virus writer been pursued with such fury. First in the game were the antivirus companies; one of them quickly traced the original seed to a message posted in the alt.sex Internet discussion group. It was posted by “SkyRoket,” an America Online account–without, it turned out, the knowledge of the account’s owner, Scott Steinmetz, a Lynwood, Wash., engineer, who was stunned to learn his AOL account had been taken for a joyride by a virus-planting pirate.

One of the canniest hunters was Richard Smith, head of Phar Lap Software. He had recently been in the news as the discoverer of a controversial Microsoft feature called a GUID: essentially a digital fingerprint assigned to every computer, embedded in all the work a machine produces. Smith got a copy of the Melissa code, found the GUID number and posted it on the Net. A Swedish researcher tipped him off to the work of “VicodinES.” The fingerprint on Vicodin’s work was a match for Melissa.

Smith also used another obscure Microsoft feature, the revision log, which can reveal the name of the person modifying a file. Along with some wacky monickers (“Dr. Diet Mountain Dew”) he found two authentic-sounding names, one of which was David L. Smith. On Monday he passed these to the FBI.

Later in the week the researcher, along with Rishi Khan, a 19-year-old University of Delaware undergrad, figured out that the Melissa author started off with Shiver, the handiwork of a scriptor known as ALT-F11 (proof that virus writers are weirdos: they name themselves after function keys). Melissa’s author started with Shiver’s list of porn sites, then replaced Shiver’s virus code with the newly written Melissa code. This process took less than three minutes. Then, using the SkyRoket AOL account, he placed the virus on the sex newsgroup and waited for the fun to begin. Interestingly, that same account was used to similarly plant Vicodin’s viruses in 1997.

Who is VicodinES? A trip through the creepy canyons of the Internet yields a portrait of a cheeky, profane reprobate. A possible aficionado of the narcotic painkiller that provided him an online handle. A fan of industrial music who lived in south Florida in the mid-’90s. A gentle teacher of eager young technovandals. Author of “Theory of Better File Virus Distribution,” sort of a self-help manual for better infection techniques.

A hacker named Guillermito, whose France-based Web site stored the manual, defended Vicodin to NEWSWEEK in an e-mail: “Of all the virus writers I know, Vic was maybe the most humane and mature. He’s not the classical teen, wannabe hacker, he’s a very curious and sensible guy, and he talked with me about the moral problems of creating viruses and infecting people. You have to mention the fact that none of his viruses was destructive. He never coded something to wipe out personal data.”

Law-enforcement officials didn’t make much use of Richard Smith’s information. Instead, they drew on a gift from America Online, whose tech team had been Melissa-hunting on its own. It apparently traced the invasion of the SkyRoket account to a New Jersey Internet provider. Early in the week an AOL emissary called the FBI and the Garden State attorney general’s office. The latter took over the case, perhaps because it is easier to prove state crimes than more stringent federal charges. Jersey cops painstakingly went through the provider’s customer accounts and found their man, David L. Smith (a process that might have gone more quickly had they known that the FBI had been given the name earlier). Authorities concluded that Smith had planted the virus from his second-floor apartment in a modest Aberdeen Township housing complex. A search warrant was executed around sundown on Thursday. According to an eyewitness, a dozen or so men entered the apartment with briefcases and cardboard boxes, lowered the blinds and went to work. Several hours later they left with their bulging briefcases and loaded boxes. At 9:10 p.m. they arrested David Smith at his brother’s house nearby. He went quietly.

At a press conference Friday, New Jersey authorities said that Smith, who had made bail, faced as much as 40 years in prison and a $480,000 fine. (A state spokesperson also said that the virus may have been named after a topless dancer Smith had fancied in Florida.)

They also denied that David Smith was VicodinES, a contention that Richard Smith disputed. To bolster his claim, he circulated the source code of a year-old document on Vicodin’s Web site, where the revision log indicates that the creator was David L. Smith. At the very least a connection exists, but the suspect wasn’t talking. A 30-year-old programmer for an AT&T contractor, he had moved back to his native New Jersey County after a bankruptcy in Florida, where, his lawyer said, he had racked up $24,000 in credit-card debt after losing a job at a computer firm. His Internet posts indicate that (like Vicodin) he’s interested in music and computer viruses. He seemed, neighbors said, “a normal guy.” “What I don’t understand is, if you’re that smart, why make a virus? Why not break into someone’s bank account?” said Edward Stawicki, whose place faces Smith’s. “At least that way he’d have some money.”

But that’s not the scriptor’s way. “The more interesting ones are like computer security researchers,” Guillermito writes. “On one side they want to help computer users, improving the security of computers by showing the weaknesses. But on the other side, they infect innocent people and make them lose time, sometimes lose data. A sort of paradox that is not easy to deal with.”

Unless you’re the cops. As David L. Smith may learn–and the virus community might well note–they have a solution ready at hand: You’ve got jail!