Alleged Spreader of Melissa Virus Arrested in N.J.

A 30-year-old New Jersey computer programmer has been charged with launching the Melissa e-mail virus that spread across the world over the past week, infecting millions of computers as far away as China and bringing to a crawl e-mail service on government, education and corporate computer networks.

David L. Smith, who, according to authorities, named the virus after a topless dancer in Florida, where he used to live, was arrested Thursday evening at his brother’s house in Eatontown, N.J. The arrest came after an extensive electronic manhunt that took security experts and enforcement officials to an America Online account hijacked from a Washington state engineer; an Orlando, Fla., Web site for hackers; a Tennessee Internet service; and, finally, to a personal computer in Smith’s apartment in tree-lined Aberdeen Township, an hour outside of New York City.

Smith, described by New Jersey officials only as “a computer guy,” was charged with interfering with public communication, conspiracy and theft of computer service. If convicted, Smith could face as much as $480,000 in fines and 40 years in prison. He was released from Monmouth County jail Friday morning after posting $100,000 bail. New Jersey Atty. Gen. Peter Verniero said a grand jury will hear the case.

Computer security specialists and law enforcement officials, first notified of the virus March 26, launched a multi-pronged attack to track down the culprit.

Richard Smith, president of Cambridge, Mass.-based Phar Lap Software, contributed a piece of the puzzle by finding a unique I.D. number in the virus code that could point to the author of Melissa. Richard Smith recently played a major role in disclosing that Microsoft software imprints an I.D. number on every document created using its software, a practice criticized as a potential invasion of privacy and since stopped.

A Swedish programmer used the I.D. number to identify the author of the code as someone with the online name VicodenES.

At the same time, computer specialists taking apart the Melissa code discovered a tiny message in it thanking “Codebreakers.org.” This turned out to be a Web site hosted by a small Internet service called Global Connection in Kingsport, Tenn., which was commonly used by virus writers to trade code.

Dennis Halsey, vice president of the company, said he had no idea what was being posted on the Codebreakers’ Web site. Global Connection quickly shut down the site. “We hosted the site in total innocence,” he said. “We were kind of in shock when we found out what the site was about.”

Some of the code used to write Melissa had apparently been posted on the site by someone with the nickname VicodenES. Similar code had also been posted at a site called Source of Kaos, hosted by an Internet service called Access Orlando in Florida.

It was a dead end. VicodenES, it turned out, wasn’t the culprit who spread the virus, only the programmer who wrote some of the code, which is not by itself against the law.

Separately, investigators, with the help of anti-virus “sniffing” software, tracked the virus back to its first posting from the America Online account of Scott Steinmetz, a Lynnwood, Wash., civil engineer who describes himself as a computer illiterate. The hacker, it appeared, had hijacked Steinmetz’s AOL account and was using it to send out e-mail.

On Monday, America Online contacted the New Jersey division of criminal justice’s computer analysis and technology unit. America Online declined to comment, but officials in New Jersey said they were able to use information from AOL to track down Smith’s phone number.

On Thursday afternoon, members of the New Jersey State Police and the FBI executed a search warrant on Smith’s apartment, confiscated his computer and, on the basis of what they found, obtained a warrant for Smith’s arrest.

Smith worked as a network programmer for a company that subcontracted for AT&T; Corp., Verniero said.

Verniero praised AOL on Friday “for providing us the initial information.”

Legal experts said that writing a malicious computer program is not in itself illegal, but disseminating one is.

“You can write all you want, just like, within limits, you can use your basement to brew poison,” said Eugene Volokh, an acting law professor at UCLA who specializes in cyberspace issues. “But if you put the poisons in places where it is likely for people to drink it, then you’re liable.”

There has been only one case in which a person has been convicted for spreading a computer virus. Robert Morris, a 22-year-old Cornell University student, wrote a virus similar to Melissa in 1988 that brought down 6,000 computer systems, including those at NASA and the Air Force. He was sentenced to three years’ probation, fined $10,000 and ordered to perform 400 hours of community service after being convicted of violating the federal Computer Fraud and Abuse Act of 1986.

Within three days of its release, the Melissa virus had reached more than 100,000 computers. AT&T; said a third of its 140,000 employees had infected computers, while Network Associates Inc., a seller of anti-virus software, said it had to clean the virus from 60,000 of its computers. Lucent Technologies Inc. and Microsoft Corp. shut down their outgoing Internet e-mail services to keep from spreading the virus.

“This is the fastest proliferating virus we have ever seen,” said Bill Pollak, a spokesman for a Defense Department-sponsored computer security service based in Pittsburgh that has played a leading role in responding to Melissa. In one case, 32,000 copies of the virus reached a single organization in less than an hour, he said.

The Melissa virus comes in the form of a mini-program called a “macro” that was embedded in a Microsoft Word document attached to e-mail that said : “Here is that document you asked for . . . don’t show it to anyone else.”

Once opened, the macro installs itself on the e-mail recipient’s computer and launches a document containing a list of pornographic sites to the first 50 names in the person’s e-mail address book. Macro viruses account for close to half of all active viruses and are most frequently embedded in Microsoft Word and Excel documents.

The virus spreads quickly because, unlike past viruses, the e-mail carrying the virus would typically come from someone the computer user knew.

Security experts said that even if this crime is solved, Melissa could be the beginning of a new wave of viruses.

“This is clearly the first page in a new chapter on viruses,” said Steve White, an anti-virus expert at IBM’s Watson Research Center, noting that viruses that used to take months to spread are now just taking days. “I expect a lot of copycats.”

*

Helm reported from Seattle; Dunn and Gaw reported from Los Angeles.