Catching the author of Melissa.
[April 1999]


The Melissa computer virus was dropped into the alt.sex newsgroup early in the morning on March 26. It spread faster than any previous virus, fortunately causing no permanent damage, but temporarily shutting down many companies' email servers. Almost a week later authorities, with the help of AOL, traced the dropping of the virus to David L. Smith's phone line. His arrest came minutes after another man -- a software company president by day, cybersleuth by night, named Richard M. Smith (no relation) -- had tracked down David L. Smith using the Internet. Here, this digital-age Philip Marlowe tells his hard-boiled story.

It was a Friday, about six o'clock in the evening, late March, darkness falling. Brittle, brown twigs with neat, green buds giving it another go, swayed in the cold, hard wind in front of my third-floor window. In a few months the leaves would obscure my view of Boston, the city my mail told me I lived in. Cars hummed in the distance, driven, no doubt, by lonely drivers with flasks pursed to their lips on their way to happy hours in search of women and a warm place to sleep for the night. It was a raw deal, but at least they were offline. Wearing blue Dockers, a checked-blue Gap shirt and thin, wool, Brooks Brothers socks, I carried a clean IBM Thinkpad with a blue-tinted screen. I was everything a private cybersleuth ought to be. I should have been with the wife at some high school play, one of those Our Town jobs slapped together by a teacher who still cared. Instead, I was knee-deep in the alt.comp.virus newsgroup. In it were hackers, anti-virus patrolmen, virtual private eyes sniffing around for a job and teen geeks with brains almost as big as their zits, but no more common sense than a wet puppy. It was the kind of joint where you couldn't always separate the bad guys from the good. J. Merritt's email stood out like a ham and cheese sandwich at a Passover seder.

Subject: Melissa virus

From: J. Merritt

To: alt.virus.com

We were just bombed with the email virus Melissa today. Says "Here's that document you asked for... don't show anyone else ;)." You open her attached word document "list.doc," and she replicates herself to the first 50 people in your address book using Microsoft Outlook. As far as I can tell, she's solely located on the IU campuses in Bloomington and Indianapolis.

An academic. Well, an academic from the state of Indiana, but, he seemed like a right guy, and I needed the work. Besides, I had my own ax to grind. You see, Microsoft Office 97 documents contain a little something in their source code called a Globally Unique IDentifier (GUID). A couple months earlier, I had discovered if you have an Ethernet card, your individual Ethernet address shows up in the GUID. Translation: an electronic fingerprint. Email a Word attachment, and it can be traced back to you. It is a privacy issue, plain and simple, but none of the single-minded privacy wonks had really listened to me. They had thicker blinders than a racehorse with ADD, and all they wanted was to get Intel for putting serial numbers in Pentium 3. Intel wasn't my business. This was.

I shot J. Merritt a reply. "Are there any GUIDs or names in the source code of 'List.doc' messages?"

He replied, obedient as a Siegfried and Roy tiger. "Here are the GUIDs from three different email attachments of the message people here received."

The Ethernet addresses in the GUIDs were identical, like twins cruelly dressed in matching red overalls and child leashes.

"Better send me Melissa," I replied, short, sweet and simple. "And make sure she's wrapped."

Chapter Two

It was Saturday morning when I ducked out of the www.rain.com and into www.dejanews.com. It was a wide, clean site with a banner ad for a long distance phone outfit running across the top. No Dennis Miller, no George Carlin, not even a Tony Danza hawking the poor service; just some old geezer with sad eyes and a tight mouth. Still, five cents a minute isn't anything to sneeze at, and it wasn't pretty to figure the ad was clicked on about as much as the Lifetime Channel in a frat-house rec room. Nobody had to remind me -- the only job in cyberspace lonelier than a virtual sleuth is an e-commerce salesman.

Dejanews.com keeps a record of all the newsgroup messages anyone ever sends. Anywhere. Any newsgroup. It knows your past. If you have one. Melissa had one. I typed "Melissa" and "virus" into dejanews' search engine and waded through the sticky muck. A little girl's guinea pig named Melissa with a virus. A coed named Melissa with a ten-page paper on stomach viruses due in three hours. Another dame named Melissa wanting to know if the plural of virus is virii. It was sad stuff, the kind of stuff that can keep a man up at night pondering the meaning of this godforsaken World Wide Web. I pulled a bottle of Château St. Jean merlot out of a deep drawer. It was a little number I had picked up at the Sonoma County Reserve. I sniffed the cork, poured myself a glass, took a sip and plodded on.

Twenty long minutes later and eight long sips down the hatch, I hit bull's eye. Dr. Solomon's Virus Patrol, an anti-virus peddler with more arrogance than a firefighter blowing out a match, had the rap on Melissa. She had dropped early Friday morning from the account skyroket@aol.com. The doctor wrote, "Warning! A virus has been found in a binary file posted to the following newsgroups(s): alt.sex." I shot skyroket@aol.com an email and, not expecting anything there, followed the doctor's lead.

It takes moxie to call alt.sex a newsgroup. There isn't much news going on. There is plenty of everything else. For a price, you can have anything you want, and I wanted none of it. Live sex video feeds, audio orgasm streams, flash porno animations, dames and fellas, mostly underage, with every sick fetish known to man. I kept my cool and my mouse to myself. I spotted the message from skyroket@aol.com, and that's when my inbox quacked.

Chapter Three

Miss Melissa was poised in the top position of my Eudora email inbox, beckoning. She was urgent, personal and in bold-type face. She had a nice, long, smooth subject heading, and she made sure I saw it. She had the weary, hard look of a topless dancer who'd slithered around too many poles. But her giggle, the giggle of a school child with an extra fruit roll-up in her reusable lunch bag, said she'd found new life in the computer virus racket. Still, there was something about her that was too frisky, too needy, like one of those digital Tamagotchi pets on the shelf of a Toys "R" Us, three days after Christmas. She giggled again. And then she purred, "I'm an important message from your friend J. Merritt. How 'bout a drink?" I poured us both a glass of merlot, knowing just what to expect.

Yeah, I could see how a bird could get dizzy with this dame. But, to me, she was just a dope. I gave her a ;). "Sugar, the game's up. J. Merritt sent me to you wrapped in a zip file. You can't infect me. You've had your fun, and so now let's be nice." I knew it was probably a stolen account, a piss-poor attempt at creating a patsy, but I asked anyway. "Who's skyroket@aol.com? Who's your daddy?"

"Go ______ yourself," she stammered and shook her glass at me. Merlot running down my face, I grabbed my binary dump program and dumped her attachment into a hex file. The hex file would let me poke around. The attachment listed every sleazy porn site from www.creamythighs.com to www.cyberstrip.com and passwords, all probably bunk. Could be spam sent out by an adult site racket, but I doubted it. Miss Melissa didn't seem the type. Tears welled up in her eyes. She cried, and under her hot, tense breath, murmured, "Go ______ yourself" and collapsed into my arms.

I could see her code now, and it wasn't pretty. She was a mess. Sloppier than a sloppy joe. Then I spotted them. The GUID and an author name. John Holmes. I let myself chuckle. The late porn star, a.k.a. Johnny Wadd. Same stiff they based Dirk Diggler on. Thirteen inches, they said. Died of the AIDS virus in the Eighties. Whoever wrote Melissa thought he had a sense of humor. And he was probably an older egg. I looked up skyroket@aol.com on dejanews. This guy had dropped viruses before. AOL hadn't done anything. Yep, this was starting to get interesting. It was time to pay another visit to alt.comp.virus and dangle the bait. I shot the newsgroup an email of everything I knew. This wasn't going to be fun. I slept that night like a baby really does.

Chapter Four

He said his name was Mr. Lord Natas. Satan spelled backward. He was paying me a Sunday-morning visit in my inbox. Just another virus writer trying to scare me off the case. Cute. He cut to the chase. "So, another stalker? It is always a sad thing to see when people have absolutely nothing to do with their time. And people ask me why I use anonymous remailers." Not so cute. He included quotes from Nietzsche and one from Charles Manson, favorites of lost adolescent souls who are anything but virtual. I could have tracked down his email address, shot him a message that crashed his machine. I left it alone. I looked at my reflection in the window. I'm in my mid-forties, my face widening and crinkling at the same time, small, faint brown spots finding a permanent address on my upper cheeks. My salt-and-pepper beard needed a trim, but the barbers weren't playing that game anymore. Too much blood. Too many nicks. One very real virus. I glanced to my right at my daughter on her computer. She emailed freely and sweetly to her pals about boys and math assignments. Her inbox; that was why this was all worth it.

Chapter Five

It was six o'clock Sunday night when Fredrik Björck -- a young, bright-eyed Swede with a techie-sounding job and too few c's and too many j's in his name -- appeared in my inbox, a wide-eyed :) in his subject header. This was all fun and games for Fredrik, but I had a hunch he could help. He had found skyroket@aol.com's homepage. It had more virus-making tool kits spread out across the site than copies of Ally Sheedy's poetry book in a Barnes and Noble bargain bin. Everything any kid who was made fun of at school needed to wreak havoc. All the tool kits had the mark of one bird, VicodinES.

Fredrik gave me the skinny. "VicodinES is a well-known Macro virus maker that is now said to be retired. But, VicodinES is not really retired. They never are." And there it was, plain as an Arthur Andersen consultant. "VicodinES takes credit for creating a Word2000 Macro virus kit," Fredrik beamed. "And it does the similar things to Melissa. Any ideas?" I checked the GUID of the Word2000 macro virus kit. It matched Melissa.

One of the virus kits linked to www.sourceofkaos.com, a cold, proud, umbrella site, out in the open and reachable by any old Yahoo! It was home to more than 30 of the filthiest virus writers. (A news hawk at The New York Times would later track www.sourceofkaos to a home in Orlando where a scared mother would tell him the leader of the racket was at school.) It didn't take long to find VicodinES's site. There were more virus tool kits than before. I downloaded the kits. I dumped them into hex files. Same GUIDs -- or so I thought -- and more names in the source code. J.P. Morgan, Ben Dover and Dr. Diet Mountain Dew. I definitely had a bad comedian on my hands. I made a mental note to find out how much Pauly Shore knew about computers and moved on. Bingo. Mr. VicodinES had been sloppy. He didn't always change the author names. Two stood out, repeating over and over again like a broken CD-ROM. "David L. Smith" and "Gerald Vernesky." I'd bet my Thinkpad one of them was our man.

Finding the right David L. Smith would be like finding a needle in Keith Richards' dressing room. I decided to start with Gerald Vernesky. It was back to dejanews for another favor. I typed the letters in V-E-R-N-E-S-K-Y slowly, my fingers following each key carefully down into its groove. I pressed "search" and waited. I pulled a bottle of '98 Kistler, a Chianti, out of a deep drawer. I sniffed the cork. Something was wrong. I had bought the bottle at an online auction. It had been a steal. Too much of a steal. I picked up the slender bottle, walked downstairs to the kitchen and poured the Chianti into the sink. I grabbed a Klondike bar from the freezer and headed back up. His messages were waiting for me. Gerald Vernesky had posted two messages in the past two years in alt.comp.virus. It was time to call the feds.

Chapter Six

Monday, skyroket@aol.com replied to my email. "Sorry, I am not the creator of the virus, nor did I have any part in the distribution of the virus. Sincerely, Scott Steinmetz." I believed him. His account must have been stolen. He was probably being swamped with nasty emails from birds who had run out of pals to email from work. I had nothing else to do. I felt bad for him. The calm before the newspaper story.

Tuesday, the Times ran the story. No mention of Gerald Vernesky or David L. Smith. Plenty of inches on me. Plus my photo. It'd be good for business. Which meant it'd be a headache. The trade journals called first. The dailies, a little later. One news hawk from a local rag wanted to know, "Is the search for the Melissa virus running into some hurdles?" I wanted to know if his brain had been surgically removed as a baby. But, I kept my cool. I had to. The local news vans were parked outside, calling in from their cellulars, emailing from their laptops. This was no time to shun the news hawks. Most of them had less to tell me than Ronald Reagan trying to compose his memoirs, but, maybe one of them had something.

Wednesday, my phone kept ringing. It was too early for a Klondike bar. I had one anyway. I dripped ice cream on my keyboard. I said, "Shit," and logged on. The feds had taken down the www.sourceofkaos.com server. I said, "Shit," again. The phone kept ringing. I picked up the receiver. Chris Taylor was a hard-nosed, all-business Brit, working stateside, covering technology for Time magazine. He kept his nose close to the screen and his ear to the RealAudio player. He'd been spoon-feeding readers who couldn't program a clock on a VCR for some time. He knew to check the obvious. He had done a search for VicodinES on dejanews. He had the rap on every time VicodinES had sent a message, and he was ready to talk. VicodinES had spent some time in the rec.music.industrial newsgroup. One message from 1995 stood out like a World Series ring on a Boston Red Sox player. "There's a promo party for Cleopatra's Enchantments this Monday at Nemesis in Ft. Lauderdale. We will be giving away promo CDs, tapes and postcards -- VicodinES@aol.com. Peace, Vic." Ft. Lauderdale. We weren't in cyberspace anymore.

Chapter Seven

I was closing in on Gerald Vernesky when Rishi Khan appeared in my inbox Wednesday night. Subject heading: "Cohorts in the Melissa Virus Ordeal." Rishi was an undergrad, University of Delaware, with an Indian mom, Italian pops. Dinner at his home must have been interesting. Computer engineering was Rishi's racket, and he had a brain the size of an African elephant. "Here's some digging I've done. I doubt all the ingenuity of the virus came from one person." He had found some other VicodinES tool kits. They had different Ethernet addresses. Could be more than one person. Could be one person with two Ethernet addresses. I wasn't ready to commit, but Rishi had more, and he wasn't holding back. Subject heading: "Hate to say this but..." Half the tool kits I had downloaded on VicodinES's Web site actually had been created by a bird going by ALT-F11. I had been sloppy before; I hadn't noticed. There was more. All 32 numbers of the GUID on a virus by ALT-F11 called Shiver matched the Melissa GUID. There was more. Miss Shiver contained an attachment with the same list of porno sites. Rishi didn't mince words. "The only fingerprint that was found DOESN'T point to VicodinES...it points to ALT-F11." It was April Fool's Day, and it looked like I played the part well.

I stayed up all night. A Klondike bar in one hand, glass of '98 Duckhorn merlot in the other. Rishi was smart, smarter, maybe, than I was, but he was young. Then again, was I too old? I stared out the window, the Prudential Building and the John Hancock taking the place of stars. When you wish upon a building.... I couldn't make heads or tails out of the case, but I knew one thing. A dead end for Rishi was a dead end. For me, it was a place to start. I decided to pay Miss Shiver a visit.

Chapter Eight

Shiver was an older virus, and she craved more attention than a junior high school principal at an all-student assembly. She knew why I had come. She knew I was going to come. She knew she was going to let me in. "Go ahead and dump me into a hex file, big fella," she purred. "Maybe, you'll be a good boy and tell your friends at The New York Times about me." I was silent. I pulled out my binary dump file, and dumped her in a hex file. Her code was clean, indented and readable. She was the kind of code you could take home to your computer professor. "Tell me about Melissa, sugar," I demanded. She sulked, her age showing as salty tears got caught in the wrinkles of her typeface.

"So, you're just here about Melissa. What about me?"

"You knew I wasn't interested in you, baby. Now, spill it."

"OK, I was created by ALT-F11. Melissa stole my attachment of the porno sites. She was created by VicodinES, that sloppy, son of a---"

Chapter Nine

She passed out in my hex file. I took a snoop around. Miss Shiver was right. The GUIDs on her and Melissa matched, but the virus programming codes were as far apart as a Mormon from Dennis Rodman. Melissa was sloppy and had VicodinES' fingerprints all over her. It had been revised at 6:45 a.m. It had dropped from skyroket@aol.com a half-hour later. That told me three things. One: VicodinES had dropped Melissa. Two: To be dropped at such an early hour meant VicodinES probably lived on the East Coast. Three: VicodinES must have lifted the list.doc of porn sites from Shiver, changed the date at the top of the list and attached it to Melissa. The only question remained: Who is VicodinES?

It was Friday morning, around 8 o'clock, the loud honk of a beat-up Chevy calling on the teenager who lived down the street. For all I knew, he could have been VicodinES. The kid down the street. Cyberspace. It brings us together, they say, but I could go all the way around the globe just to get to the kid down the street. I was still leaning hard toward Gerald Vernesky, but I had another hunch. I took another look at a tool kit I had breezed by. Vernesky was there. So were John Holmes, J.P. Morgan and Dr. Diet Mountain Dew. Nothing new there. But, one name kept appearing. David L. Smith. David L. Smith. David L. Smith. It had to be him. I sat there for 15 minutes. It was time to make my move. The phone rang. It was my pal at The New York Times. "The New Jersey police have arrested a guy. His name is David L. Smith."

Epilogue

It's two weeks after Melissa dropped. She's still appearing in people's inboxes, her subject heading, once so enticing, now just a pathetic reminder of what she once was and how easily we believed. The antivirus companies have her under wraps. A simple download. David L. Smith is out on bail, somewhere, as Bruce Springsteen might say, in the swamps of Jersey. The New Jersey police had nabbed Smith the old way: tracing phone lines. AOL had traced skyroket@aol.com's dropping of Melissa to an ISP in Monmouth, New Jersey. The phone number had left caller ID on. They had a phone number. They had a name. The name confessed. My work didn't solve the case. I was used to that. New Jersey says David L. Smith isn't VicodinES. My hunch says he is. The two names have appeared together more times than Ben Affleck and Matt Damon. But, is Gerald Vernesky another alias for David L. Smith? Or is he ALT-F11? When will ALT-F11 strike? And when he does, who will get hurt? My daughter's at her computer right now. Her email box just quacked. I think she's safe... for now.

Richard M. Smith is president of Phar Lap Software, Inc., which specializes in real-time operating systems and embedded development tools.