When Melissa Virus Transformed World’s Perspective on Cyber Security

4 min readMar 22, 2021

I know that you must be wondering how the Virus got such a cool name? How a Virus had the potential of a humongous perspective transformation about cybersecurity? What actually happened?

Keep reading to know everything about THE MELISSA VIRUS!

The Release

It had been just a few years since Microsoft Outlook was launched and only a small percentage of people were familiar with the computer technologies like viruses, let alone cybersecurity in the year 1999. The common public was still understanding the e-mails when David L. Smith seized the opportunity of unawareness with both of his hands.

David L. Smith successfully created the first email-aware computer virus — Melissa Virus — reportedly named after a Florida stripper whom Smith knew. On March 26th, 1999, Melissa Virus was released which caused whopping damage of about $80 million!

However, now this incidence is looked back in a positive notion. It made the tech enthusiasts understand the vulnerabilities and make progress with different problems in cybersecurity.

The Working

The victim received an e-mail that appeared to have been sent by a trustworthy person (someone from your family, friends, or relatives). What made it more appealing was the subject line and the document attached to it. Here’s how it looked like:

Melissa Virus

It modified the Word software so that the virus infects any document that the user may open and close. If these documents are shared, the virus is spread. It spread itself via the infected Word Document, titled list.doc. As soon as the user downloaded the attachment, it copied itself to the user’s default template and disabled the program’s macro security settings. It then mailed the infected document to the victim’s first 50 contacts on Outlook. Now, think of the chain reaction: From one person, 50 people were getting attacked within minutes. There were also many groups in those contacts! This feature caused the huge damage that we learned about earlier.

The Impact

It completely damaged large companies that had a huge amount of emails being created on their web servers. It managed to disrupt hundreds of networks including those of Microsoft! The New York Times reported in March 1999 that 250 organizations had called the Computer Emergency Response Team, a Pentagon-financed security service at Carnegie Mellon University, which meant that at least 100,000 workplace computers were affected. The final number of infected computers was much larger.

Fortunately, aside from shutting down e-mail systems, Melissa did not reportedly permanently damage government and private sector information systems and did not compromise sensitive government data

The Arrest

The Federal Bureau of Investigation and The New York Jersey Police led the investigation with the help of a computer scientist and electronically tracked down Smith after a week of the release. Smith acknowledged that he was behind the release of the virus but pleaded that he had not anticipated that it will create this much impact. He said that it was intended to be a “harmless joke”.

Smith served 20 months in jail in addition to the $5,000 penalty. He could have been imprisoned for a longer time period, but it was shortened for he promised to help the authorities with other viruses.

Further Impact

The incident was taken as a ‘wake-up call’ because it clearly proved how many vulnerabilities were still to be taken care of. The need for further advancements in technology was acknowledged. It also increased the awareness among the common public and people were more cautious about their presence on the internet.

However, it also inspired hundreds and thousands of the malware attacks like the LoveBug.

The Lessons

  • Melissa showed just how quickly viruses can spread due to the intricate and extensive connectivity of today’s networks.
  • Melissa showed how hard it is to trace any virus back to its source. Without the cooperation of the third parties and sources, the attacker would have never been identified.
  • Melissa demonstrated that vulnerabilities in widely adopted commercial-off-the-shelf (COTS) products can be easily exploited to attack all their users.
  • Melissa illustrated a lack of effective agency and governmentwide processes for reporting and analyzing the effects of computer attacks.
  • Melissa proved that computer users can do a good job of protecting their systems when they know the risks and dangers of computing and when they are alerted to attacks.

The Measures

To help strengthen computer security practices, the Computers and Telecommunications Accounting and Information Management Division issued an executive guide in May 1998 entitled Information Security Management: Learning From Leading Organizations (GAO/AIMD-98–68). By adopting the following 16 practices recommended by the guide, agencies can be better prepared to protect their systems, detect attacks and react to security breaches:

The Conclusion

Federal agencies were fortunate that the worst damage done by Melissa was to shut down e-mail systems and temporarily disrupt operations. The Information Security Best Practice guide offered a good framework for agencies to follow (at that time), but sustained governmentwide leadership was still needed to ensure that executives understand their risks, monitor agency performance, and resolve issues affecting multiple agencies.

However, it demonstrated the urgent need for stronger protection over systems and sensitive data.

This is all for the study on Melissa Virus. I really hope it added something to your knowledge. I will be back again with something new super soon.

Till then, happy learning!




Cyber Security Student | Reader | Book Reviewer