From ZDNN

http://www.zdnet.com/zdnn/stories/news/0,4586,2233931,00.html

Melissa creator may be uncovered
 
Thanks to a controversial serial ID number, researchers seem to have found
the virus writer.

By Robert Lemos, ZDNN
March 29, 1999 5:49 PM PT

 
Two software engineers have extracted information from the Melissa virus
that appears to lead to an account on America Online Inc. and a Web site
that, if matched with a person, could lead law enforcement officials to the
author of the prolific virus.

The key is a controversial serial number, called the Globally Unique
Identifier or GUID, which is included in files created with Microsoft
Corp.'s (Nasdaq:MSFT) Office, as well as some other applications, including
Visual Basic. The serial number raised the concern of privacy advocates just
a few weeks ago for its ability to be used to trace certain documents back
to their creator.

That's exactly what two software engineers have done. Using the unique
number, Richard M. Smith, president of software tools developer Phar Lap
Software Inc., and Fredrik Bjorck, a Swedish PhD student at Stockholm
University's Department of Computer and System Sciences, have tracked down
the virus writer to at least one specific Web site.

"We can't be one hundred percent sure," said Smith. "There is a possibility
that (the Web site author) was framed. There is a possibility of little
green men coming from Mars, too."

In other words, the electronic "fingerprints" on the Melissa virus inserted
in the Word macro and those on the documents posted on the Web site are the
same. The electronic fingerprint, called the media access control (MAC)
address, is a unique serial number for a PC's Ethernet card.
 
The Web site belongs to a malicious hacker, and a writer of virus tools,
known by several handles, including VicodinES, Sky Roket, John Holmes, and
Johnny "One Leg" Johnson, among others, according to Smith.

Posted on alt.sex

Sky Roket is the name of an America Online user, and is also the name on the
original e-mail that posted Melissa to the alt.sex newsgroup. But Smith
believes that Sky Roket is being used to camouflage the activities of
VicodinES. America Online (NYSE:AOL) would not comment on whether that
particular user was being investigated by the FBI. The FBI also declined to
comment on any potential investigation.

However, whoever controls Sky Roket has a history of posting viruses. Under
the same handle, at least three viruses were posted in late 1997 in exactly
the same manner (1, 2, and 3). All were attributed to VicodinES's authorship.

According to Phar Lap's Smith, the MAC address derived from the Word
document's GUID and the one derived from the documents on Web sites
registered to VicodinES and Sky Roket match. The connection was first
pointed out by Bjorck in Sweden.
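
How a match like this can be checked, as an added example that is not part of the original article or the researchers' own tooling: it assumes the GUIDs are version-1 UUIDs in the RFC 4122 layout, where the last 48 bits are the Ethernet address of the generating machine. The file names and GUID values are constructed samples.

```python
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The version-1 UUID clock counts 100 ns ticks from this date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def node_fingerprint(guid_text):
    """Return (mac, created_utc) for a version-1 GUID, else None."""
    try:
        u = uuid.UUID(guid_text.strip())  # accepts {braces} and either case
    except ValueError:
        return None
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # other versions hold random or hashed bits, not a MAC
    if (u.node >> 40) & 0x01:
        return None  # multicast bit set: random node ID, no real adapter
    mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return mac, created

def group_by_node(documents):
    """Map each MAC seen in two or more documents to the sorted file names."""
    groups = defaultdict(list)
    for name, guid in documents.items():
        fp = node_fingerprint(guid)
        if fp is not None:
            groups[fp[0]].append(name)
    return {mac: sorted(n) for mac, n in groups.items() if len(n) > 1}

# Constructed sample GUIDs (not values from the Melissa case). The node
# 00:00:5e:00:53:xx lies in the range reserved for documentation.
SAMPLES = {
    "macro_doc.doc": "{3F2A1C00-E5D1-11D2-8A3C-00005E0053AF}",
    "site_doc.doc": "{7C9E4A80-E2B0-11D2-9B41-00005E0053AF}",
    "unrelated.doc": "{5A1B2C30-E5D0-11D2-8A3C-00005E0053B0}",
    "random_v4.doc": "{9B2F6C1E-4D3A-4E8B-A1C2-3D4E5F607182}",
}

if __name__ == "__main__":
    for name, guid in SAMPLES.items():
        print(name, node_fingerprint(guid))
    print("shared adapters:", group_by_node(SAMPLES))
```
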

ZDNN has independently confirmed that documents accompanying an Office 2000
macro virus on VicodinES's Web site, created by the person using the Vicodin
handle, include the same electronic fingerprint as the Melissa virus.
Another one of VicodinES's files is stored on Skyroket's personal site on AOL.

This could be a costly mistake for the writer. The FBI is looking to
prosecute the writer with a fine of $350,000 and five to 10 years, according
to statements made by Michael Vatis, director of the National Infrastructure
Protection Center.

 
