
The “Melissa Worm” Through the Eyes of the FBI - morisy
https://www.muckrock.com/news/archives/2019/nov/13/the-melissa-worm-through-the-eyes-of-the-fbi/
======
octosphere
More on Melissa here and also some more detail on David L. Smith:
[https://en.wikipedia.org/wiki/Melissa_(computer_virus)](https://en.wikipedia.org/wiki/Melissa_\(computer_virus\))

> The virus itself was credited to Kwyjibo, who was shown to be the macrovirus
> writers VicodinES and ALT-F11 by comparing Microsoft Word documents with the
> same globally unique identifier

Not sure how that explains how the FBI caught David though. Can someone else
elaborate? What sort of OPSEC fail is at play here?

~~~
jtaft
Just a guess. Sounds like the global identifier is generated at installation,
tied to a license key, or perhaps even a unique file/system fingerprint. When
saving/creating a Word document, the identifier is embedded in the document.

If the same identifier is found in documents for legitimate use and malicious
use, one can associate the two identities.

One could potentially get a few suspects by approximating the time the
virus appeared, then looking at ISP logs and server files to determine when
and who uploaded it, and go from there. If it was a legitimate copy of Word
being used, could be even easier.
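
The correlation described in the comment above, sketched as an added example that is not part of the thread or any commenter's code: it scans raw file bytes for GUIDs and reports identifiers that appear in more than one document. It assumes the identifier is stored as a textual GUID (single-byte or UTF-16LE); all function names and sample bytes are constructed for illustration, and the node lookup for version 1 UUIDs (RFC 4122) goes slightly beyond what the thread states.

```python
import re
import uuid
from collections import defaultdict

# Textual GUID, with or without surrounding braces.
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")

def extract_guids(blob: bytes) -> set:
    """Find textual GUIDs stored as single-byte text or as UTF-16LE."""
    views = (
        blob.decode("latin-1"),
        blob.decode("utf-16-le", errors="ignore"),      # even byte alignment
        blob[1:].decode("utf-16-le", errors="ignore"),  # odd byte alignment
    )
    return {uuid.UUID(m.group()) for text in views for m in GUID_RE.finditer(text)}

def shared_identifiers(docs: dict) -> dict:
    """Map each GUID seen in two or more documents to the sorted document names."""
    index = defaultdict(set)
    for name, blob in docs.items():
        for guid in extract_guids(blob):
            index[guid].add(name)
    return {g: sorted(names) for g, names in index.items() if len(names) > 1}

def node_of(guid: uuid.UUID):
    """Node field of a version 1 (time-based) UUID as hex, else None."""
    return f"{guid.node:012x}" if guid.version == 1 else None

# Constructed sample data: two files carry the same identifier in different
# encodings, a third carries an unrelated one.
SHARED = "0f3c2a10-7d55-11d2-9a41-02004c4f4f50"      # constructed, version 1 layout
UNRELATED = "9c5b94b1-35ad-49bb-b118-8e8fc24abf80"   # constructed, version 4 layout
SAMPLE_DOCS = {
    "resume.doc": b"\xd0\xcf\x11" + ("{" + SHARED.upper() + "}").encode("utf-16-le"),
    "list.doc": b"header bytes " + SHARED.encode("ascii") + b" trailer",
    "other.doc": b"\x00\x01" + UNRELATED.encode("ascii"),
}

if __name__ == "__main__":
    for guid, names in shared_identifiers(SAMPLE_DOCS).items():
        print(guid, names, "node:", node_of(guid))
```

A match only shows that two files carry the same embedded value; tying that value to a person still needs independent evidence such as the upload logs mentioned in the comment.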

~~~
pbhjpbhj
Anyone know where unique document identifiers in MS Office products are
documented?

~~~
steve1977
Internally at Microsoft I'd guess. ;)

