The Melissa virus (also known as Mailissa or Simpsons) was a rapidly spreading mass-mailing macro virus released on March 26, 1999. It holds the distinction of being one of the first major email-borne viruses to gain global media attention, fundamentally changing how corporations and individuals approached email security.
Created by David L. Smith in Aberdeen Township, New Jersey, the virus targeted users of Microsoft Word and Microsoft Outlook. Disguised as a harmless email from a friend or colleague, the virus utilized social engineering to trick recipients into opening an infected Word document. Once triggered, the virus immediately replicated itself and sent copies to the first 50 contacts in the victim's address book. The sheer volume of emails generated by the Melissa virus forced major corporations, including Microsoft and Intel, to completely shut down their internet email gateways.
Origins and release
The virus was authored by David L. Smith, a 30-year-old programmer from New Jersey, who operated online under the alias Kwyjibo (a reference to an episode of the animated sitcom The Simpsons). Smith named the virus "Melissa" after a stripper he had allegedly met while visiting Miami, Florida.
On Friday, March 26, 1999, Smith distributed the virus by hijacking an America Online (AOL) account. He uploaded an infected Microsoft Word document titled list.doc to the alt.sex Usenet newsgroup. The file claimed to contain a list of passwords that would unlock dozens of adult websites. When unsuspecting users downloaded and opened the file, the Melissa virus was unleashed onto their systems and immediately began emailing itself to their contacts.
Architecture and propagation
Unlike the standalone executable viruses of the early 1990s, Melissa was a macro virus. It was written in Visual Basic for Applications (VBA), a scripting language built directly into the Microsoft Office suite.
Social engineering vector
Melissa was devastatingly effective because it preyed on trust. When the virus replicated, it generated an email that appeared to come from someone the victim knew. The email had the following characteristics:
- Subject: Important Message From [Name of infected user]
- Body: Here is that document you asked for ... don't show anyone else 😉
- Attachment: A Microsoft Word document (often named list.doc or whatever the infected user was working on at the time).
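The three characteristics above are what a mail gateway rule could key on. The following is an added example, not code from any product or from the original page: it parses a message and reports which of the listed indicators are present. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the message characteristics listed above.
SUBJECT_PREFIX = "important message from "
BODY_PHRASE = "here is that document you asked for"

def melissa_indicators(raw):
    """Return the indicators found in one RFC 822 message, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Collapse whitespace so wrapped or re-spaced lines still match.
    if BODY_PHRASE in " ".join(text.lower().split()):
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".doc"):
            hits.append("doc-attachment")
            break
    return hits

def build_sample(subject, body, attachment=None):
    """Build a constructed test message (hypothetical addresses)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_string()

# Constructed samples: one matching message and two benign ones.
SAMPLE_MATCH = build_sample(
    "Important Message From Alice Example",
    "Here is that document you asked for ... don't show anyone else\n",
    "list.doc")
SAMPLE_BENIGN_DOC = build_sample("Q1 report", "Draft attached.\n", "report.doc")
SAMPLE_PLAIN = build_sample("Lunch?", "Noon works for me.\n")

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH", "SAMPLE_BENIGN_DOC", "SAMPLE_PLAIN"):
        print(name, melissa_indicators(globals()[name]))
```

A .doc attachment alone is ordinary business mail, so a rule built this way should act only when the subject or body indicator appears together with the attachment.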
The macro payload
If a user opened the attached document in Microsoft Word 97 or Word 2000, the malicious macro executed instantly. First, it lowered the macro security settings in Word to prevent future warnings. Second, it modified the normal.dot template, meaning that any new Word document created by the user would also be infected.
Most importantly, the virus silently opened Microsoft Outlook. It read the first 50 email addresses from the user's address book and sent a copy of the infected document to all of them. The virus also contained a relatively harmless secondary payload: if the minute of the hour matched the day of the month (for example, at 3:15 PM on the 15th), the virus would insert the quote "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." (a Bart Simpson quote) into the text of the active document.
Global impact and fallout
The mathematical progression of Melissa was staggering. Because each infected computer sent out 50 new emails, the virus grew exponentially within hours. By Monday morning, corporate email servers around the world were overwhelmed by the sheer volume of traffic.
Major corporations, including Microsoft, Intel, and Lockheed Martin, were forced to completely shut down their incoming email gateways to stop the flood of messages. While Melissa did not destroy files or wipe hard drives like the CIH (Chernobyl) virus, the disruption to business communications and the massive loss of productivity caused widespread financial damage. Estimates of the total cleanup cost and lost productivity range from $80 million to over $1 billion.
Investigation and capture
The hunt for the creator of Melissa was remarkably swift, spearheaded by the FBI, the New Jersey State Police, and representatives from AOL. The investigation hinged on a critical piece of hidden forensic data generated by Microsoft Word itself.
Tracking the hidden GUID
A computer researcher named Richard Smith (unrelated to the virus author) from Phar Lap Software analyzed the infected list.doc file. He discovered that Microsoft Word automatically embedded a Globally Unique Identifier (GUID) into every document created. This GUID included the unique MAC address of the computer's network interface card.
Richard Smith found the MAC address inside the Melissa virus file and matched it to another macro virus called VicodinES, which the FBI already knew was authored by the user Kwyjibo. Furthermore, AOL was able to trace the IP address used to post the original file on Usenet. By combining the MAC address and the AOL billing records, authorities pinpointed David L. Smith's apartment in New Jersey. He was arrested on April 1, 1999—less than a week after the virus was released.
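The correlation described above can be reproduced on any set of document GUIDs. This is an added example, not the researcher's tooling: it assumes the embedded GUIDs follow the RFC 4122 version 1 layout, in which the last 48 bits are the node (MAC address) field. All GUIDs and file names other than list.doc are constructed.

```python
import uuid
from collections import defaultdict

def node_of(guid):
    """Return the node field as a MAC string if the GUID is a time-based
    (version 1) UUID carrying a hardware address, otherwise None."""
    u = uuid.UUID(guid)              # accepts the {braced} GUID form
    if u.version != 1:
        return None                  # e.g. random (version 4) GUIDs hold no MAC
    # RFC 4122: a node with the multicast bit set was randomly generated
    # and is not a network card address.
    if (u.node >> 40) & 0x01:
        return None
    return ":".join(f"{(u.node >> shift) & 0xFF:02x}"
                    for shift in range(40, -8, -8))

def cluster_by_node(docs):
    """Map each MAC seen in more than one document to those documents."""
    clusters = defaultdict(list)
    for name, guid in docs.items():
        mac = node_of(guid)
        if mac:
            clusters[mac].append(name)
    return {mac: sorted(names)
            for mac, names in clusters.items() if len(names) > 1}

# Constructed GUIDs (not values from the real files).
SAMPLE_DOCS = {
    "list.doc":         "{4d3c2b1a-e5f6-11d2-8f00-0200005e1001}",
    "other_sample.doc": "{9a8b7c6d-d1c2-11d2-9a10-0200005e1001}",  # same node
    "unrelated.doc":    "{0f1e2d3c-aaaa-11d2-b123-0200005e2002}",
    "random_v4.doc":    "{123e4567-e89b-42d3-a456-426614174000}",
    "random_node.doc":  "{5a5a5a5a-bbbb-11d2-8001-0300005e1001}",  # multicast bit set
}

if __name__ == "__main__":
    for mac, names in cluster_by_node(SAMPLE_DOCS).items():
        print(mac, "->", ", ".join(names))
```

A shared node value only says two files were created on machines reporting the same address; in the case described above it was combined with the AOL records before anyone was identified.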
Trial and legacy
In December 1999, David L. Smith pleaded guilty to state and federal charges related to the creation and distribution of the Melissa virus. Facing a potentially lengthy prison term, Smith agreed to cooperate with federal and state authorities.
In May 2002, he was sentenced to 20 months in federal prison and fined $5,000. The relatively lenient sentence was largely due to his extensive cooperation with the FBI; Smith worked undercover to help investigators track down other high-profile malware authors, including the creator of the infamous Anna Kournikova virus.
The legacy of the Melissa virus is profound. It exposed the extreme vulnerability of highly integrated software environments (like Microsoft Office and Outlook) and served as a wake-up call to the general public. It forced the software industry to re-evaluate default security settings and taught a generation of computer users a critical lesson: never open unexpected email attachments, even if they appear to come from a friend.