Virus writing: end of an era?

Computer security specialists say the stiff penalty meted out to the Melissa creator -- years in prison and a $150,000 fine -- will cause other virus writers to think thrice before unleashing their wares

Law enforcement officials and computer security specialists say that David L. Smith's conviction in the Melissa virus case -- the first successful prosecution of a virus writer in the United States -- will have a strong chilling effect on other authors of malicious code.

"We are hoping that the sentence has a significant deterrent impact," said Robert J. Cleary, the US attorney for the District of New Jersey, who led the federal prosecution. "I think this will have the effect we want. Those predisposed to white-collar crimes really do balance risk versus reward."

Smith, 31, pleaded guilty in both state and federal courts on Thursday, agreeing that the virus he wrote and released -- named "Melissa" after a Florida stripper -- caused $80m (£50m) in damages (the minimum monetary amount needed in order to trigger stiffer federal sentencing guidelines).

Smith is expected to receive anywhere between a four- and five-year sentence in the federal case and up to a 10-year sentence in the state case, accompanied by total fines of up to $400,000. As part of the plea agreement, state prosecutors have recommended that the sentences run concurrently. "The sentencing guidelines attempt to minimise disparity. If that works here, then anyone else that sends a virus out that does $80m in damage should expect a similar sentence," said Cleary.

The Melissa macro computer virus hit companies on Friday, 26 March after being released to a Usenet newsgroup as part of a list of porn sites contained in a Word document infected with the virus.

The virus, which mailed itself out to the first 50 addresses listed in the address book of Microsoft's Outlook email client, caused a massive spike in email traffic, flooding corporate email servers. Companies such as Microsoft, Intel, Lockheed Martin and Lucent Technologies shut down their gateways to the Internet in the face of the threat.

Smith -- then a resident of Aberdeen, New Jersey -- was arrested on 1 April by New Jersey authorities. "This becomes a landmark case, because it's the first time the (US) federal government has successfully prosecuted a computer virus writer," said Dr. Peter Tippett, chief technologist at computer security firm ICSA.net, which helped the US prosecutors estimate the damages caused by Melissa.

Tippett and others point to a virus case in England as potential proof that such a deterrent could work.

In November 1995, the UK courts sentenced Chris Pile -- known underground as the Black Baron -- to 18 months in jail. The 26-year-old, self-taught programmer admitted to five counts of unauthorised access to computers to facilitate crime and five unauthorised modifications of computer software over a two-year period. Since that time, no major viruses have come out of the UK, said Tippett.

Smith appeared in Monmouth County, New Jersey, Superior Court at 10am ET on Thursday, followed by his appearance at the US District Court in Newark at 1:30pm ET to answer to federal charges in the case. In both courtrooms, Smith admitted his guilt and agreed with the damages. When the judge in the Monmouth County court case asked if Smith agreed that it caused $80m in damage to computer systems nationwide, Smith replied, "I certainly agree. It did result in those consequences -- without question."

Edward Borden, Smith's attorney in the case, could not be reached for comment.

What do you think? Tell the Mailroom. And read what others have said.

Take me to the Melissa Virus Special.

Take me to the Virus Workshop