Melissa Virus


When I say examine further the body of Melissa, I mean... the virus, not the stripper. I don't have footage aboot her. ^^

Published in: Technology

  1. Melissa Virus, by Minh Nguyen, University of Missouri - Columbia
  2. Contents
      • 1. Melissa and its outbreak (Slide 3)
      • 2. Examine the body of Melissa (Slide 6)
      • 3. How Melissa hides its activities (Slide 13)
      • 4. Dealing with Melissa (Slide 14)
      • 5. Trivia (Slide 15)
      • 6. Appendix (Slide 16)
      • 7. References (Slide 17)
  3. 1. Melissa virus and its outbreak
      • A perfect example of the combination of booty and brain.
      • Imagine mixing a stripper with a hacker: you get the first successful email-aware macro virus, considered one of the most destructive of all time.[1]
  4. (Melissa virus and its outbreak, continued)
      • The Melissa virus, or W97M.Melissa.A, also known as W97M.Mailissa, Kwyjibo, or Simpsons, is a macro virus. It was written in Visual Basic by David L. Smith, a.k.a. Kwyjibo, from New Jersey.[2][3]
      • It infects a Microsoft Word 97 or Word 2000 document by adding a new macro module named Melissa, and it spreads among Microsoft Outlook users.[4] The virus only works with Outlook, not Outlook Express.[2]
      • It has an “additional feature of being able to get around quickly”.[5] The virus was announced to have infected up to 20% of computers worldwide,[6] and the estimated damage was reported as $1.1 billion.[7]
      • Smith wrote it just to impress a stripper he had met in Florida, whose name was Melissa. However, he never thought it would cause such havoc.[1]
  5. Outbreak
      • Melissa was released into the wild around March 26, 1999. It started as an infected file, “list.doc”, posted to the “alt.sex” newsgroup, claiming to be a list of usernames and passwords for 80 pornographic sites that require memberships.[2]
      • Once executed (when macros were enabled), the original version of Melissa opens Outlook and sends itself to the first 50 addresses in the address book. If Internet access or Outlook was not available, it would still infect other Word documents.[8][7]
      • Melissa did not actually do much damage to an infected user’s PC. However, its mechanism caused Denial of Service (DoS) conditions on the networks of organizations that relied on MS Outlook as their email client, such as Microsoft, Intel, and many more.[8][6] Several major corporations had to shut down their mail servers as they became overloaded with messages created by the virus.[5]
  6. 2. Examine the body of Melissa
      • The subject of the email is "Important Message From <Username>", where “Username” is taken from the MS Word settings. The body of the message is "Here is that document you asked for ... don't show anyone else ;-)". The attachment is usually “list.doc”.[2][4]
  8. Behaviors
      • When an infected document is opened, Melissa checks whether the Microsoft Office registry key "HKEY_CURRENT_USER\Software\Microsoft\Office" contains a subkey named "Melissa?" with "... by Kwyjibo" set as its value. If the value is set, meaning this computer has been infected before, the virus does nothing. If the value is not set, its primary payload starts the infection and then sets the value.[4]
  10. (Behaviors, continued)
      • In a small percentage of cases (when the day of the month equals the minute value), the second payload of Melissa will insert the following sentence at the current cursor position:[2]
      • The quote is from Bart of “The Simpsons” cartoon show, who invents the word Kwyjibo to describe a North American ape, or his father Homer, in a Scrabble-playing episode.[5]
  11. (Behaviors, continued)
      • The macro then infects the NORMAL.DOT template file. By default, all Word documents use this template; thus, any other Word document that is opened could be infected.[8]
      • If users send these infected documents to other people, they indirectly lend Melissa a hand in propagating.
  13. 3. How Melissa hides its activities
      • Similar to most macro viruses, this virus tries to hide its activities by disabling the following menu items:
          + Tools-Macro in MS Word 97: By disabling this menu command, the virus prevents any user from listing the macro / VBA module in MS Word 97 to manually check for infection.
          + Macro-Security in MS Word 2000: By disabling this menu command, it prevents the user from changing the security level in MS Word 2000.[4]
  14. (How Melissa hides its activities, continued)
      • To hide its infection activities, it also disables the following options in MS Word 97:
          · Prompt to save Normal template
          · Confirm conversion at Open
          · Macro virus protection
      • With these options disabled, MS Word 97 does not warn or prompt while saving NORMAL.DOT or while opening a document with macros in it.[4]
  15. 4. Dealing with Melissa
      • Melissa is not too hard for Anti-Virus (AV) corporations to detect. However, its propagation was extremely quick and could be counted in hours. It had caused huge havoc before AV corporations jumped in. In some cases, the infected files could not be restored to their original state.[9]
      • Melissa causes changes in the template file; therefore, AV software could use a checksum method to detect it.[9] Microsoft also came up with a free tool to clean up an infected mail database.[10]
      • Melissa depends on the user’s action to activate; thus, it could be avoided. There are several ways to deal with this bad girl, such as:
          + Learn its signatures to avoid mistakenly opening the infected file.
          + Configure the mail system to filter out messages that may contain Melissa.
          + Disable macros.
          + Scan the whole system with up-to-date AV.[2][4][8]
  16. 5. Trivia
      • The file “list.doc” was uploaded using a stolen AOL account. Within a week of the outbreak, with the help of AOL, Inc., New Jersey police and FBI agents tracked the original file through the hijacked AOL account to Smith.[11][2]
      • On December 10, 1999, Smith pleaded guilty. However, he agreed to cooperate with the FBI in capturing other virus creators. For his cooperation, he served only 20 months of his 10-year sentence and paid a fine of $5000.[11]
      • Some notorious victims of this commitment were Jan de Wit, a.k.a. OnTheFly (creator of the Anna Kournikova virus and others, arrested in 2001), and Simon Vallor (creator of the Gokar virus and others, arrested in 2002).[12]
      • In return for his services, the FBI paid for Smith's rent, insurance, and utilities, totaling over $12,000.[12]
  17. 6. Appendix
      • The full source code of the Melissa virus can be found at: http://www.cs.miami.edu/~burt/learning/Csc521.061/notes/melissa.txt (University of Miami).[14] Note: You need to turn off your Anti-Virus in order to view this file. Don’t worry about the virus because it cannot infect the latest MS Word and Outlook.
      • A short video of how Melissa works can be found on YouTube at: https://www.youtube.com/watch?v=iBGIUd9niXc (uploaded by danooct1).[13] Subscribe to his channel for more videos about viruses.
  18. 7. References
      • [1] phaneendra. Top 10 Worst PC Virus Outbreaks. List Crux.
      • [2] Margaret Rouse. Melissa Virus. Tech Target.
      • [3] Kevin Poulsen. Justice Mysteriously Delayed for ‘Melissa’ Author. The Register.
      • [4] Raul K. Elnitiarta. W97M.Melissa.A. Symantec Corporation.
      • [5] Melissa Virus Goes Global. BBC News.
      • [6] Top Ten Most Destructive Computer Viruses of All Time. Crunkish.
      • [7] Craig Fosnock. Computer Worms: Past, Present, and Future. East Carolina University.
      • [8] Melissa Macro Virus. Carnegie Mellon University.
      • [9] Peter Szor. The Art of Computer Virus Research and Defense. Symantec Corporation.
      • [10] Virus: W32/Melissa. F-Secure Corporation.
      • [11] Azwan Jamaluddin. 10 Most Destructive Computer Viruses. Hongkiat.
      • [12] Court Documents Reveal That Melissa's Author Helped Authorities Catch Other Virus Writers. Sophos Ltd.
      • [13] Full Source Code of Melissa Virus. University of Miami. (Turn off Anti-Virus to view).
      • [14] danooct1. Virus.MSWord.Melissa. YouTube.
  19. THANK YOU FOR YOUR ATTENTION !!!
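
The mail-filtering mitigation listed under "Dealing with Melissa", applied to the message signature described under "Examine the body of Melissa" (subject, body text, attachment name), as an added example that is not part of the original slides. The indicator labels, the `verdict` policy and the `build_sample` helper with its sample addresses are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the slides: subject prefix, body text, usual attachment name.
SUBJECT_RE = re.compile(r"^\s*Important Message From \S", re.IGNORECASE)
BODY_RE = re.compile(
    r"here is that document you asked for\s*\.\.\.\s*don'?t show anyone else",
    re.IGNORECASE)
USUAL_ATTACHMENT = "list.doc"
WORD_EXTENSIONS = (".doc", ".dot")


def melissa_indicators(raw_message):
    """Return the Melissa mail indicators found in one raw message, in fixed order."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if USUAL_ATTACHMENT in names:
        hits.append("attachment-name")
    elif any(n.endswith(WORD_EXTENSIONS) for n in names):
        # The attachment is only "usually" list.doc, so other Word files count too.
        hits.append("word-attachment")
    return hits


def verdict(raw_message):
    """Assumed policy: quarantine on lure text plus a Word file, flag partial matches."""
    hits = melissa_indicators(raw_message)
    lure_text = "subject" in hits or "body" in hits
    has_word_file = "attachment-name" in hits or "word-attachment" in hits
    if lure_text and has_word_file:
        return "quarantine"
    return "flag" if lure_text or "attachment-name" in hits else "deliver"


def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_string()
```

Matching on the lure text as well as the file name keeps the rule effective when the attachment is not named list.doc, while an ordinary Word attachment with unrelated text is still delivered.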
