Tuesday, July 15, 2008

Famous Case Studies

Posted by Vishnureddy at 5:20 PM

Melissa Virus

This is a famous case of a macro virus described in the Virus Tutorial. The MS-based macro virus appeared suddenly, seemingly from nowhere, and spread to nearly all kinds of computer systems. It is generally transmitted through an infected document with malicious code embedded inside. Anyone who opens this infected document is then infected. When the infected file is activated, it automatically sends out infected copies to up to 50 people in the address list, particularly in Microsoft Outlook Express.

A computer programmer released the Melissa virus in March 1999 by deliberately posting an infected document to a sex Usenet newsgroup from a stolen AOL account. The virus is believed to be named after a stripper he had known in Florida. It also occasionally corrupts documents by inserting the text “twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”

Microsoft, Intel, Lockheed Martin, and Lucent Technologies were forced to shut down their email gateways because of the large amount of email the virus was generating. The Melissa virus caused more than $80 million in damage to North American businesses.

A number of variant cousins were written by apparent copycats soon thereafter. Many anti-virus researchers at the time were not surprised by what Melissa did, but rather by the fact that Melissa's writer had the foolish boldness to release the virus. He was subsequently tracked down, arrested and pleaded guilty (see the section on virus crime).
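The behaviour that made Melissa so visible to the companies above is the burst: one mailbox suddenly sending the same attachment to dozens of recipients within a minute or two. The following is an added example, not code from the original post, showing how a mail gateway can flag that pattern from its own logs. The log format (`<ISO timestamp> from=<addr> to=<addr> attach=<name>`), the sample lines, the addresses and the ten-minute window are all constructed for the example; the threshold of 50 distinct recipients mirrors the figure quoted in the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Melissa mailed itself to the first 50 address-book entries of each victim,
# so a single sender reaching 50 distinct recipients with one attachment in
# a short window is the signal we look for. Window length is an assumption.
MAX_DISTINCT_RECIPIENTS = 50
WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed mail-gateway log (not real data): one infected mailbox
    bursting list.doc to 50 recipients within a minute, plus normal traffic."""
    lines = []
    t0 = datetime(1999, 3, 26, 9, 0, 0)
    for i in range(50):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} from=victim@corp.example "
                     f"to=user{i:03d}@corp.example attach=list.doc")
    for i in range(3):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} from=bob@corp.example "
                     f"to=carol{i}@corp.example attach=report.doc")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, attachment)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["from"], fields["to"], fields["attach"]


def find_mass_mailers(lines, window=WINDOW, threshold=MAX_DISTINCT_RECIPIENTS):
    """Return {(sender, attachment): distinct_recipients} for every
    sender/attachment pair that reaches `threshold` distinct recipients
    inside some span no longer than `window`."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, sender, rcpt, attach = parse_line(line)
        events[(sender, attach)].append((ts, rcpt))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the left edge until the span [start, end] fits the window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {r for _, r in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = len(distinct)
                break  # one alert per sender/attachment pair is enough
    return alerts


if __name__ == "__main__":
    for (sender, attach), n in find_mass_mailers(build_sample_log()).items():
        print(f"ALERT {sender} sent {attach} to {n} distinct recipients")
```

Keying on the sender and attachment name together keeps a busy but legitimate mailbox (many different attachments) below the threshold, while a macro virus re-sending the document it lives in crosses it almost at once; in practice the threshold should be tuned to the organisation's own mailing patterns.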

CodeRed Worm

The "Code Red" worm was discovered in July 2001. It caused widespread denial of service on the Internet and compromised large numbers of vulnerable systems. Any product or platform running a vulnerable version of Microsoft IIS may begin attempting to infect other systems with varying degrees of success, and may cause a significant increase in traffic load. Please refer to the Carnegie Mellon Software Engineering Institute.

The worm spreads by using HTTP requests. This code exploits a known buffer overflow vulnerability, which allows the worm to run on your computer. The code is not saved as a file, but is inserted into memory and run directly from there. In addition to seeking out new host computers to attack, the worm may attempt a denial of service attack. Also, the worm creates multiple threads, which can cause instability on your computer. If the default language of the computer is US English, a thread causes the Web pages to appear defaced. First, the thread sleeps for two hours and then hooks the function which responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTTP code. The page it serves displays:

Welcome to worm.com !
Hacked by Chinese !

This hook stays in place for 10 hours and is then removed. However, reinfection or other threads can rehook the function.
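Because the defacement only appears after a two-hour sleep and is removed again after ten hours, a one-off look at the home page can miss it; what catches it is a monitor that polls the server and compares each response against a known-good baseline. The following is an added example, not code from the original post, of such a content-integrity check. The HTTP responses are constructed inline rather than fetched, the baseline page and its hash are made up for the example, and the only page-specific strings it uses are the two lines quoted above.

```python
import hashlib

# The two lines the post quotes from the page the worm served in place
# of the real one; matching them gives a named verdict instead of a bare
# "page changed".
DEFACEMENT_MARKERS = (b"Welcome to worm.com !", b"Hacked by Chinese !")

# Constructed known-good page and its baseline hash (assumption: the
# monitor was seeded with this hash while the server was healthy).
GOOD_BODY = b"<html><body><h1>Corp Intranet</h1></body></html>"
BASELINE_SHA256 = hashlib.sha256(GOOD_BODY).hexdigest()


def http_response(body: bytes, status: str = "200 OK") -> bytes:
    """Build a minimal HTTP/1.0 response around `body` (constructed input)."""
    return (b"HTTP/1.0 " + status.encode() + b"\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


GOOD_RESPONSE = http_response(GOOD_BODY)
DEFACED_RESPONSE = http_response(
    b"<html><body>Welcome to worm.com !<br>Hacked by Chinese !</body></html>")


def parse_response(raw: bytes):
    """Split a raw response into (status code, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify(raw: bytes, baseline_sha256: str) -> str:
    """Verdict for one polled response: ok, changed, defaced:<marker>,
    truncated, or error:<status>."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return f"error:{status}"
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        return "truncated"
    for marker in DEFACEMENT_MARKERS:
        if marker in body:
            return "defaced:" + marker.decode()
    if hashlib.sha256(body).hexdigest() != baseline_sha256:
        return "changed"
    return "ok"


if __name__ == "__main__":
    # In a real monitor each raw response would come from a periodic fetch.
    for label, raw in (("good", GOOD_RESPONSE), ("defaced", DEFACED_RESPONSE)):
        print(label, "->", classify(raw, BASELINE_SHA256))
```

The hash comparison is what does the real work: it flags any substitution of the page, not just this worm's text. The marker check sits in front of it only so that an operator sees a specific verdict when the served page matches the strings quoted in the post, and the poll interval should be well under the two-hour delay described above.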
