FBI Seeks Talk With Computer Virus Suspect

A 23-year-old Cornell University graduate student who has emerged as the prime suspect in the spawning of a computer virus returned Saturday to his parents’ home in the Washington area and was fending off potential FBI interviewers until he could consult a lawyer.

Meanwhile, Cornell University officials said the student, Robert T. Morris Jr., left telltale passwords in his computer files that appear to link him to a nationwide outbreak that crippled thousands of government and research computers for at least 24 hours on Thursday. One university official confirmed that the FBI has sought their cooperation.

Morris, a graduate student in Cornell’s computer science department and son of a respected government computer security expert, also appears to have masked many of his computer files in secret code, investigators said, making the search for further evidence more difficult.

‘No Fingerprints’

“We have no fingerprints, we have no eyewitness, but it was created on his computer account,” Dean Krafft, a Cornell research associate who is leading the university’s investigation, told reporters Saturday in Ithaca, N.Y.

Morris’ parents confirmed that he had returned to the family home at Arnold, Md., but declined to answer inquiries about their son’s whereabouts or his activities. Investigators for the FBI were seeking to interview him, as were computer experts from the Defense Department, which runs the computer network called ARPANet, over which the virus was transported starting Wednesday night.

Robert T. Morris Sr., a top computer security expert with the National Security Agency, said Saturday that both he and his son were taking steps to get legal representation. He told the Washington Post in a telephone interview that his son was “simply unavailable . . . and will remain unavailable until he has time to retain a lawyer.”

The FBI is seeking to determine whether the virus harmed any computer system operated or controlled by a government agency, a condition that would allow prosecutors to seek criminal indictments under the Computer Fraud and Abuse Act of 1986.

In a telephone interview with The Times, M. Stuart Lynn, Cornell’s vice president for information technologies, said that “there was about a 90% overlap” between the list of passwords found in Morris’ computer account and a list of passwords contained in the virus.

The similarity between Morris’ list of unauthorized passwords and the virus’ internal targeting program establishes the strongest link yet between the graduate student and the costly computer infection that swept the nation’s universities and research institutions.

“It would be like if you went and stole a set of keys to a whole bunch of houses and gave those keys to a burglar--in this case the virus--who proceeded to break into the houses” and wreak havoc, Lynn said.

Researchers on Saturday were mostly recuperating from the 2 1/2-day, round-the-clock effort to restore computer systems to normalcy and to decode the virus program. Most of the program had been deciphered, but the computer scientists said they were no longer allowed to discuss the virus because of a Pentagon directive.

But the experts did say they were surprised to find that the virus apparently contained no message from its programmer. Virtually all previous viruses have contained some type of message, ranging from a simple “Merry Christmas” to a “gotcha” that appeared on video monitors after a virus had destroyed the user’s programs and data files.

The absence of a message suggested to some that the programmer, whether it was Morris or someone else, did not intend for the virus to be released into the networks. Experts considered Morris’ practice of encrypting, or coding, many of his computer files to be unusual and added that if Morris refuses to cooperate it could prolong or even stymie the investigation while government cryptologists and computers worked to break the codes.

Unless Morris employed standard codes widely used to provide minimal protection, the effort to decipher Morris’ codes would probably involve experts and computers at the National Security Agency, the nation’s electronic spying agency where Morris’ father is chief scientist in charge of computer security.

The senior Morris has written extensively on the security of the UNIX computer operating system, the widespread use of which made universities and research institutions susceptible to the virus. Before assuming his current position, Morris worked at AT&T;’s Bell Laboratories, which developed the UNIX system.

A spokesman for Bell Labs said the junior Morris worked in the firm’s Computing Science Research Center during the summers of 1983 and 1984.

Morris’ mother, Anne Morris, told the Associated Press on Saturday that her son had begun playing with computers when he was in his teens. At that time, she said, Robert Jr. had read a science fiction book titled “Shock Wave Rider,” which she said first raised questions in his mind about computer viruses.

Staff writers Thomas H. Maugh II, in Los Angeles, and Ronald J. Ostrow, in Washington, contributed to this story.