The hunt for Melissa leads to 'ex' virus writer

ZDNN, US ZDNet US

Published: 30 Mar 1999 09:17 BST


Roger Sibert, the systems administrator for Source of Kaos, a site frequented by virus enthusiasts, said that site log files showed that VicodinES had not been active on the site in the last 30 days. Code written by VicodinES has been linked to the Melissa virus, which has run wild on the Net since first appearing last Friday.

"Last I heard, he'd gone into retirement," Sibert told ZDTV Monday night. Sibert has not yet been contacted by the FBI, but said he would cooperate with them fully if they did get in touch. "I'm not hiding anything," he said.

Sibert said he has had contact with VicodinES through e-mail and Internet Relay Chat forums and was impressed with his code-writing skills. "He's probably talented enough to do it (the Melissa virus)," he said.

Sibert said he last had contact with VicodinES between 8 months and 12 months ago, when VicodinES had requested that his page be made inactive, as he was going into retirement.

The Melissa virus contains a unique number -- the Global Unique Identifier or GUID -- embedded in the header of the Word file. That number points to the computer that actually created the Word document. ZDTV verified that this unique number is the same as one contained in a virus, called PSD2000.DOC, located on the site of a virus developer known as VicodinES.

However, the unique computer ID is stored in a Word document only once -- when the document is created. Even if a document is copied to a new computer, and saved under a new name, the original GUID number does not change.

As any programmer knows, it's a lot easier to create a new program by building on the work done by someone else. And VicodinES admits on his site that he built PSD2000.DOC based on a virus called Shiver. Shiver is the work of a virus developer calling himself ALT-F11.

ZDTV tracked down Shiver, and checked its GUID, which also matched the unique GUID embedded in Melissa. In addition, another virus created by ALT-F11 -- called 'Groovie2' -- also contains the same GUID as Shiver, Melissa and PSD2000. Since ALT-F11 claims to have written both Groovie and Shiver, it's likely that the GUID in all those viruses maps to his workstation.

A check of the other Word macros created by VicodinES found that PSD2000.DOC was the only file with that GUID. All of the others, which VicodinES claims he created himself, had a different GUID.
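The comparison described above can be reproduced by pulling the embedded identifier out of each file and grouping files that share it. The sketch below is an added example, not ZDTV's tooling: it assumes the GUID is present in the file bytes as a brace-delimited string (ASCII or UTF-16LE), and the GUID values and file contents are constructed placeholders, with only the sample names taken from the article.

```python
import re
from collections import defaultdict

# Assumption: the creation GUID appears in the file bytes as a brace-delimited
# GUID string, either ASCII or UTF-16LE (a NUL byte after each character).
GUID_RE = re.compile(
    rb"\{\x00?(?:[0-9A-Fa-f]\x00?){8}"
    rb"(?:-\x00?(?:[0-9A-Fa-f]\x00?){4}){3}"
    rb"-\x00?(?:[0-9A-Fa-f]\x00?){12}\}"
)

def extract_guids(data: bytes) -> set:
    """Return every GUID string found in raw document bytes, upper-cased."""
    return {m.group().replace(b"\x00", b"").decode("ascii").upper()
            for m in GUID_RE.finditer(data)}

def cluster_by_guid(samples: dict) -> dict:
    """Map each GUID to the sorted names of the samples that carry it."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        for guid in extract_guids(data):
            clusters[guid].append(name)
    return {guid: sorted(names) for guid, names in clusters.items()}

# Constructed placeholder GUIDs; not the values found in the real samples.
GUID_A = "{11111111-2222-3333-4444-555555555555}"
GUID_B = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"

def fake_doc(guid: str, body: bytes) -> bytes:
    """Build stand-in document bytes: OLE2 magic, padding, UTF-16LE GUID, body."""
    magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return magic + b"\x00" * 24 + guid.encode("utf-16-le") + body

SAMPLES = {
    "shiver.doc": fake_doc(GUID_A, b"original macro"),
    "groovie2.doc": fake_doc(GUID_A, b"second macro, same machine"),
    # Derived files: body rewritten and file renamed, creation GUID untouched.
    "psd2000.doc": fake_doc(GUID_A, b"rebuilt on top of shiver"),
    "melissa.doc": fake_doc(GUID_A, b"rebuilt again"),
    "other_macro.doc": fake_doc(GUID_B, b"created from scratch elsewhere"),
}

if __name__ == "__main__":
    for guid, names in cluster_by_guid(SAMPLES).items():
        print(guid, names)
```

A shared cluster shows only that the files descend from a document created on one machine; it does not show who made the later modifications.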

What does all this mean? Whoever wrote Melissa built the virus around a Word file originally created on the same machine that Shiver was originally created on. Was this ALT-F11? Possibly, because Shiver and Melissa share the same GUID. However, since virus developers frequently build on the work of others, in the same way that VicodinES built on Shiver to create PSD2000.doc, VicodinES could have written Melissa, as well.

A third possibility exists, too. Another virus developer could have built Melissa out of the core of Shiver, or out of another virus created on the same machine as the core of Shiver. Finally, someone could have taken the PSD2000.doc file and enhanced it into Melissa. Because VicodinES appears to be the first person to have created a Word 2000 macro virus, it could be that the virus creator built Melissa out of VicodinES's PSD2000.doc virus.

Who is ALT-F11? Our information is spotty, but ALT-F11 is a part of the self-styled Alternative Virus Mafia.
