Tracking Melissa's alter egos

Summary: An e-mail trail links David L. Smith and a mysterious virus writer to a small ISP.

Are David L. Smith, the man charged with originating the Melissa e-mail virus, and VicodinES, the virus writer linked to Melissa's creation, the same person? Or are they a virus-writing duo?

A CyberCrime investigation of the Internet Protocol address of an e-mail sent by VicodinES has uncovered a startling coincidence -- both Smith and VicodinES are associated with a small Internet service provider in Monmouth County, N.J. -- and raised questions about the origins of Melissa.

The connections between Smith, VicodinES and the investigation into the Melissa virus are extraordinary:

Smith, 30, of Aberdeen, N.J., once had an online account with Monmouth Internet, an ISP with 13,000 members.

VicodinES's last known e-mail, on Jan. 11, was sent from an IP address that belongs to Monmouth Internet.

Law enforcement officials investigating the Melissa outbreak have spoken to both Smith's ISP and VicodinES's Web host.

Melissa's mystery
Ever since Melissa began swamping e-mail systems last Friday, mystery has surrounded the origins and author of the virus.

Until Smith's arrest Thursday night, VicodinES was suspected to be Melissa's author. That connection was made after Melissa was found to contain the same electronic fingerprint -- a Globally Unique Identifier or GUID -- as two other viruses created by code writers with the handles ALT-F11 and VicodinES.

Following that revelation, on Tuesday the FBI seized a Web server in Orlando, Fla., that housed VicodinES's Web site on SourceOfKaos.com. SourceOfKaos's system administrator, Roger Sibert, said that the FBI also quizzed him about VicodinES. "They asked me if I know VicodinES, and if I had any way of contacting him," Sibert said.

The Monmouth connection
On Wednesday, the New Jersey state police served Monmouth Internet with a communications warrant. The very next day the state police arrested Smith, who lived in Monmouth County and had a defunct account with Monmouth Internet.

Monmouth Internet operations manager Mark Stevens said the police wanted the log records of who was connected to a specific Internet Protocol address -- 209.191.60.64 -- on March 26, the day Melissa was first posted to the alt.sex message board. Users are randomly assigned IP addresses each time they access their ISP.

"We turned over connection records. Basically, we can tell who was connected to a certain IP at a certain time. So it was one day's worth of logs for one IP," Stevens said. "There could have been two people with the IP that day, there could have been 10."

Stevens said that Smith's Monmouth account was no longer active "probably because of a billing thing."

The e-mail connection
Following Smith's arrest, CyberCrime researched the IP address -- 209.191.30.193 -- from which VicodinES sent his last known e-mail on Jan. 11 to SourceOfKaos's Sibert.

A search of ARIN found that the 209.191.30.193 IP address belongs to Monmouth Internet.

The fact that Smith had an account with Monmouth and VicodinES sent e-mail from a Monmouth IP address raises several questions about the relationship between the two. The fact that the New Jersey police wanted March 26 log details on one Monmouth IP address and VicodinES sent a Jan. 11 e-mail from another Monmouth IP address doesn't necessarily mean they are two different people. Because IP addresses are dynamically assigned to users each time they log onto an ISP, the same person could have used those different IP addresses -- likewise, those two IP addresses could have been used by dozens of Monmouth customers on Jan. 11 and March 26.

Two people scenario
New Jersey authorities -- who arrested Smith Thursday night -- contend that the two central characters in the Melissa story are not alter egos.

Rita Malley, a spokesperson for New Jersey Attorney General Peter Verniero, said Friday that Smith was not VicodinES. "That [VicodinES] is not his [Smith's] handle," she said, but added: "That he might have some sort of connection I cannot say definitively."

All we are saying is "he [Smith] is the primary person responsible for the Melissa virus," Malley said.

So were Smith and VicodinES a virus-writing team? At least one expert argues that Melissa was the work of two programmers, not one.

Greg Miller, a senior consultant with Web programmer Keane Inc., analyzed Melissa's code and said: "The virus is to me the workings of two very different individuals -- one of which is an amateur programmer -- and the other was obviously a much better programmer."

Miller said whoever wrote the e-mail loop -- the part of Melissa which made it so prolific -- was an expert programmer. "In this case it's the experienced programmer who is really responsible for any damage caused since the code written by the amateur isn't any different from the standard macro viruses which have been around quite some time," Miller said.

If VicodinES is Smith's code-writing partner, he could possibly be the more senior programmer. In an e-mail interview, Guillermito, a French virus writer who knew VicodinES only electronically, said the mysterious code writer was a "great guy" who was "aware of the moral problem of spreading viruses."

"Vic is a really good guy, more mature, sensible, curious and competent than any other virus writer. I know a lot of them and vic was one of the more interesting," Guillermito wrote.

"Vic is more of a kind of researcher -- none of his viruses contains a destructive payload."

Alex Wellen, CyberCrime, and Robert Lemos, ZDNN, contributed to this report.

Topics: Malware, Networking, Security

Luke Reiter
