The "Melissa Worm" through the eyes of the FBI

A look back at the FBI investigative files on new millennium-era malware

Written by
Edited by Beryl Lipton

The year was 1999. Talk of the Y2K crisis was driving technological discussion throughout the United States, and worries that computers would suddenly stop working when clocks hit midnight of the year 2000 stoked fears of the technology we had all come to rely on so heavily. As companies began to consider what they needed to do to ensure continuity into the new millennium, a less abstract threat began to spread itself across the early Internet. Its name was “Melissa”.

Materials released by the Federal Bureau of Investigation in response to a Freedom of Information Act request reveal a level of maturity in its investigation that the Bureau doesn’t consistently demonstrate in investigations of other crimes of a similar nature. They also contain some entertaining stories provided by individuals who were investigated in pursuit of this worm, as well as the humanity—not always apparent in other contexts—of the FBI’s investigation.

On an FD-71 form, the FBI’s standard complaint form, dated March 29, 1999 at 6:00 p.m., the FBI described a telephone call from a man (identity withheld) with concerns that his AOL account had been hacked. The man claimed that he had been contacted by two reporters, one from Wired and another from the Seattle Times, who advised him the “Melissa” virus appeared to have originated from his AOL account. The man expressed concerns that his reputation could be damaged if his name became associated with the worm and pointed out that he wasn’t responsible for the release of the malicious code.

The next day, the FBI was on the case. In another FD-71 dated March 30, 1999 at 6:30 p.m., a woman (identified by the single letter ‘C’ in the document), who was apparently employed as a librarian, called the FBI to report two strange experiences she had in her library.

The first event happened on March 18, 1999. She had entered the library before it had officially opened for the day to find two men already inside the building. One was a former employee whom she recognized, and this man identified his companion as a “hacker” who was “intelligent & into pornography”. C interrogated the men to find out how they were able to access her library, but the men were evasive, though they did eventually (albeit begrudgingly) leave the premises.

As if one incident of unauthorized library entry wasn’t enough, a second incident occurred the next week on March 25, 1999. The exact level of frustration C was experiencing at these many surprises isn’t noted in the FBI file, but, nonetheless, the confusion is evident. In the second incident, C observed another man, unknown to her, leaving the library before it was open to the public. When she asked this man how he got into the library, he advised her that a “red headed custodian” let him in. While she never did come to understand how these men gained entry to her locked library, she expressed concerns that it may have been connected to the Melissa Worm (they weren’t).

On April 1, 1999, the FBI dispatched an agent to Seattle, Washington to discuss the matter of the March 29 FBI call with the original complainant. In the detailed FD-302 provided by the FBI through a Freedom of Information Act request, the investigating agent noted the model of computer the man had: an AST Adventure with a Pentium 75 processor bought from CompUSA and similar to the model pictured below.

AST Adventure 400

The man also let the interviewing agent know that he used his personal AOL account for emails and web browsing, but he claimed that he never participated in Internet Relay Chat (IRC), nor did he use it to visit pornographic sites. The latter detail is important to the case of the Melissa investigation because investigators suspected a nexus to newsgroups where Melissa was supposedly spread originally.

It’s also noted that he regularly deletes junk mail, an indication that the investigating FBI agents had some understanding of reasonable questions to ask in an investigation of this kind. The investigating officer assessed that the man didn’t have the knowledge necessary to create anything like Melissa, only that he knew “the basics”. The man also believed that someone used his email address (without permission) to transmit the Melissa worm to his company.

As it turns out, the man ultimately found responsible for Melissa had been arrested by New Jersey state police the same day the FBI interviewed the undisclosed individual.

A programmer named David Lee Smith, the malware’s maker, had named the program after a stripper he knew in Florida, and he would elicit clicks on the worm by naming the files things like “sexxxy.jpg” or “naked wife”. It was apparently a very successful campaign.

You can find a portion of the files—which are among my favorite releases ever received—below, find them all on the request page, and read for yourself the FBI’s documentation of another chapter in the history of law enforcement malware investigations.

Image of AST Adventure 400 via imgur

Header image by r. nial bradshaw licensed under CC BY 2.0