Is VicodinES the Author of Melissa?
I've been exploring virus files and websites for the last few days, and I've uncovered a number of interesting facts that strongly suggest that VicodinES wrote the Melissa virus.
Here's the case, so far, in favour of VicodinES -- but, remember, the case isn't closed yet. The most damning evidence comes from the GUID contained in the List.Doc file that forms the heart of Melissa. List.Doc contains the virus code that generates all those email messages. The GUID is a code that uniquely identifies the PC that created the document. The GUID is generated when the file is created, but it is not updated even if that file is renamed and stored on a separate computer.
A virus-infected Word 2000 file, PSD2000.DOC, found on VicodinES's site contains that same GUID. Although the other files on Vicondin's website contain different GUIDs, the fact that even one file has a GUID that matches makes VicodinES a prime suspect. PSD2000.DOC is also the first Word 2000 macro virus we've seen. Since Word 2000 (a part of Office 2000) has yet to ship, these viruses are relatively rare. In fact, on VicodinES's site, he congratulates himself for developing the very first Word 2000 macro. Melissa is a Word 97 and Word 2000 macro, and both contain the same GUID, which means both were built on the same workstation, or both were based on the same original document.
Why did Melissa include support for an application that hasn't shipped yet, and why does it require additional coding to support? Perhaps because the author wanted to trumpet his Word 2000 expertise to other virus writers. And that behaviour matches remarks made by VicodinES on his website.
VicodinES obviously craves attention. His website includes faked press releases touting his supposedly superior expertise in writing macro viruses, and calling a previous effort a "stunning achievement." And at the end of the page, he says in his own words "feel the chill in the air? yea? that's me." And on another part of the site, he states that "all this media attention is getting difficult to ignore." VicodinES hates to be ignored. He lambastes Network Associates Inc., the developer of McAfee's antivirus products, for failing to include protection against one of his viruses.
In another part of the site, he quotes Jimmy Kuo, director of antivirus research at Network Associates, calling one of VicodinES's progeny "one of the most widespread viruses around right now." Whoever created Melissa also craves attention -- and he or she is obviously receiving it.
Another clue is the information that surrounds Melissa. The Word file that makes up the Melissa virus contains about 80 URLs, user names, and passwords for adult-entertainment websites. Obviously the author of the virus is no stranger to these sites. VicodinES also enjoys the odd randy picture. A different suggestive graphic graces the top of every page on his website.
When we talked to Roger Sibert, the administrator of the Source of Kaos site that hosts VicodinES, he claimed that VicodinES had retired. But that may not be true. One of the fake press releases on VicodinES's website clearly contradicts his retirement. The full text states: "When asked about being 'retired' from virus writing, VicodinES started cursing loudly into the phone and yelling about warm diet soda, then the phone hung up. I can only assume that meant that he didn't want to discuss that subject." A December press release stating that he's still writing viruses, plus his development of a Word 2000 virus, suggests that he's still quite active.
Finally, even his virus-writing peers seem to think VicodinES is the culprit. During a chat yesterday on an IRC channel where virus writers hang out, the participants were discussing Melissa and VicodinES. One member said, "Vic is gonna get in deeeepppppp s*** over this one." According to Roger Sibert, VicodinES uses the nickname Vic regularly on IRC. It appears even the close-knit virus-writing community thinks VicodinES did it.
Certainly many facts and circumstances point directly to VicodinES. But there's a few facts that just don't fit. Tomorrow I'll be writing about the case for why someone else, not VicodinES, wrote Melissa. But I need your help. If you have any evidence, pro or con, please post it below, or email it to me at jim@zdtv.com. And VicodinES, if you're out there, I'd like to get your side of the story out as soon as possible.
Jim Louderback, is the editorial director of ZDTV
Take me to the Melissa Virus special.