Examples of Malicious Computer Programs
Copyright 2002 by Ronald B. Standler
Table of Contents
Introduction
"author did not know" is specious defense
Early Examples
Brain Virus
Lehigh Virus
Christma Worm
Morris Worm
MBDF Virus
Pathogen Virus
Melissa Virus
ILOVEYOU Worm
Anna Worm
Three Worms:
CodeRed
Sircam
Nimda
BadTrans.B Worm
Klez
recent malicious programs
Economic Damage
Sources of Information
Conclusion
Introduction
This essay contains a description of several
famous malicious computer programs (e.g., computer viruses and worms)
that caused extensive harm, and it reviews
the legal consequences of each incident,
including the nonexistent or lenient punishment of the program's author.
It is not my intention to provide information on
threats by current malicious programs: this essay is only
a historical document. (You can find information on current threats at
websites operated by vendors of
anti-virus software.)
There are three reasons to understand past malicious programs:
- Learning how past incidents caused damage may help you
protect your computer from future damage. I say may, because
new types of threats are continually emerging.
- Because the law reacts to past events, learning about past harmful incidents
shows us how the law should be corrected to respond appropriately to
the new crimes of writing and distributing malicious computer programs.
- In May 2002, the Norton Anti-Virus software for Windows operating systems
detected about 61000 malicious programs.
Astoundingly, there have been criminal prosecutions and convictions
of the author(s) of only five malicious programs, all of
which are described below:
- the Morris worm released in 1988,
- the author and distributors of the MBDF virus,
- the author of the Pathogen virus,
- the author of the Melissa virus, and
- the author of the Anna worm
I hope that when people read this essay and become aware of
both the malicious design and great harm caused by computer viruses
and worms, readers will urge their legislators:
- to enact criminal statutes against authors of computer
viruses and worms, with punishment to reflect the damage done
by those authors, and
- to allocate more money to the police for finding and arresting
the authors of malicious computer programs.
I have not cited a source for each fact mentioned in this essay,
because most of these facts have been reported at many different sources,
and are well known to computer experts who are familiar with viruses and worms.
(I do cite a source for facts that are either not well known or controversial.)
Further, this essay is not a formal scholarly document, with numerous
citations, but only an informative review intended for
attorneys, legislators, the general public,
students, businessmen, etc.
Some general sources are mentioned later.
Author did not know ....
The most common excuse made by criminal defense attorneys who
represent authors of computer worms and viruses is that their
client did not know how rapidly the worm or virus would spread.
Because this excuse occurs in several of the cases presented below,
let's discuss it at the beginning.
Such an excuse might be plausible to someone who had no understanding
of the Internet and computer programming. However, it is ridiculous
to suggest that a computer programmer who creates a worm is
unaware that it will spread rapidly.
Students who major in computer science, mathematics, physics,
or engineering learn in mathematics classes about geometric series.
There is a good reason
why mathematics classes are required for science and engineering students:
mathematics is really useful for predicting results of
experiments that one should not perform.
A good example of a geometric series is the propagation of a computer worm.
Consider the following hypothetical example in which
each victim's computer provides the addresses of four new victims,
and the worm requires one hour
to be received by the next wave of victims,
to search the next victim's computer and find four new addresses,
then to be sent to the four new victims:
time in hours | number of new victims |
1 | 4 |
2 | 16 |
3 | 64 |
4 | 256 |
5 | 1024 |
6 | 4096 |
7 | 16384 |
8 | 65536 |
9 | 262144 |
10 | 1048576 |
In this hypothetical example, at 24 hours
there would be approximately 10^14 new victims,
which is a ridiculous extrapolation, because there are only about
10^9 people on the planet earth.
But this example clearly shows the rapid growth of a geometric
series and why authors of worms should not be surprised when
their worm rapidly gets out-of-control.
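The table above, carried one step further as an added example (this code is not part of the original essay): it reproduces the essay's geometric series and then adds the cap the essay mentions, that the number of hosts is finite, so copies sent later increasingly land on machines that are already infected. The fan-out of 4, the one-hour cycle and the round population figure of 10^9 come from the essay; the way the finite population is modelled in simulate_bounded is an assumption made for this example.

```python
"""Worm propagation as a geometric series, with a finite host population
(added example, not part of the original essay).

Every host infected in one hour passes the worm to `fanout` new hosts in
the next hour. Unbounded, that is the essay's table; bounded, a copy that
reaches an already infected host does nothing, so growth saturates.
"""


def new_victims_unbounded(fanout: int, hour: int) -> int:
    """New victims in a given hour when nothing limits growth: fanout**hour."""
    return fanout ** hour


def total_victims_unbounded(fanout: int, hours: int) -> int:
    """Closed form of the geometric series fanout + fanout**2 + ... + fanout**hours."""
    return (fanout ** (hours + 1) - fanout) // (fanout - 1)


def simulate_bounded(fanout: int, population: int, max_hours: int):
    """Hour-by-hour spread among `population` hosts (model is an assumption).

    The chance that a harvested address already belongs to an infected host
    is infected/population, so the expected number of new infections is
    fanout * new * (1 - infected/population), and never more than the hosts
    still uninfected. Returns rows of (hour, new_victims, total_infected)
    and stops early once nobody new is infected.
    """
    infected, new, rows = 1, 1, []            # hour 0: the author's own machine
    for hour in range(1, max_hours + 1):
        susceptible = population - infected
        expected = round(fanout * new * susceptible / population)
        new = min(susceptible, expected)
        infected += new
        rows.append((hour, new, infected))
        if new == 0:
            break
    return rows


def hours_to_saturate(fanout: int, population: int, fraction: float = 0.99):
    """First hour at which `fraction` of all hosts is infected, or None."""
    for hour, _, total in simulate_bounded(fanout, population, 10_000):
        if total >= fraction * population:
            return hour
    return None


if __name__ == "__main__":
    for hour, new, total in simulate_bounded(4, 10**9, 24):
        print(f"{hour:2d} {new:>14,d} {total:>14,d}")
    print("hour at which 99% of 10^9 hosts are infected:", hours_to_saturate(4, 10**9))
```

The bounded rows agree with the essay's table for the first few hours, diverge only slightly through hour 10, and then hit the population ceiling within about 16 hours; the unbounded figure for hour 24 exceeds 10^14 exactly as the essay says. The lesson is the one the essay draws: a worm author cannot plausibly claim not to have foreseen saturation of the whole network within a day.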
Seen in this context, the criminal defense attorney's statement that
his/her client "did not know ...." is not plausible.
Actually, the defense attorney's statement is ludicrous.
Even if one ignores the rapid growth of a geometric series,
the historical examples of the rapid propagation of the
Christma Worm in Dec 1987 and the
Morris Worm in Nov 1988 show
what happens when worms are released into computer networks.
There is absolutely no need for another "experiment" of this kind,
as we already know what will happen.
(I put "experiment" in quotation marks, because the design and release
of a computer virus or worm is a crime,
not a legitimate scientific experiment.)
Other examples of specious defenses
for writing or releasing malicious programs are contained in my essay
on Computer Crime.
Early Examples
Brain virus
The first computer virus for Microsoft DOS was apparently written in 1986
and contains unencrypted text with the name, address, and telephone
number of Brain Computer Services, a store in Lahore, Pakistan.
This virus infected the boot sector of 5¼ inch
floppy diskettes with a 360 kbyte capacity.
Robert Slade, an expert on computer viruses, believes the Brain virus
was written as a form of advertising for the store in Pakistan.
A variant of the Brain virus was discovered
at the University of Delaware in the USA during Oct 1987 where
the virus destroyed the ability to read the draft
of at least one graduate student's thesis.
Lehigh Virus
In November 1987, a virus was discovered infecting
the COMMAND.COM file on DOS diskettes at
Lehigh University. When an infected COMMAND.COM
had infected four other copies of COMMAND.COM
(i.e., when copying to a floppy diskette), the virus wrote over
the file allocation table on all disks in the system, destroying
the ability to read files from those disks.
Quick intervention at Lehigh University, including overnight
development and distribution of a disinfection program, stopped this virus
from spreading off campus.
The data on approximately 500 computer disks and diskettes at
Lehigh University were lost because of this one virus.
To the best of my knowledge, the author
of the Lehigh Virus was never identified, so there was no punishment for him.
Christma Worm
A student at a university in Germany created a worm
in the REXX language. He released his worm in December 1987
on a network of IBM mainframe computers in Europe.
The worm displayed an image of a conifer tree on the user's monitor,
while it searched two files on the user's account to collect e-mail
addresses, then automatically sent itself to all of those addresses.
(This trick would be used again, on a different operating system,
in March 1999 by the Melissa virus.)
The Christma worm deleted itself after it functioned once.
However, the one copy deleted was replaced by multiple copies sent
to everyone with an e-mail address in either the in-box or out-box of the
user's account, so the total number of copies continued to increase.
The worm itself was relatively harmless: it neither deleted
nor altered the user's computer files.
However, the rapid propagation of the worm
created a mailstorm in the network of IBM mainframe computers
from 9 to 14 Dec 1987.
The author of the Christma worm was identified, by tracing
the mail messages back to the original source.
His computer account was closed, but I can not find any other
punishment for him.
Morris Worm
On 2 November 1988, Robert Tappan Morris, then a first-year graduate student in
computer science at Cornell University, released his worm that effectively
shut down the Internet for several days.
The Morris Worm used four different ways to get unauthorized
access to computers connected to the Internet:
- a defect in sendmail: the DEBUG command, left enabled when the program
was compiled, let a remote mail sender run arbitrary commands on the host
- a buffer overflow in fingerd, which read its input with gets() and
placed no limit on the length of a request
- the trusted-hosts feature (/etc/hosts.equiv and ~/.rhosts) that allowed
rsh and rexec logins without a password
- a password-guessing routine that tried obvious passwords derived from
the account's user name and GECOS field, then a built-in list of 432
common passwords, and then every word in /usr/dict/words.
The worm only infected Sun-3 and Digital Equipment Corp. VAX
computers running versions of the Berkeley UNIX operating system.
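The fourth method above, password guessing, is the one most worth seeing in code, because the same logic that the worm used offensively is what an administrator runs today to audit a password file. The following is an added example written for this essay, not the worm's code: it reconstructs the strategy the essay lists (guesses from the account's own entry, then a short built-in list, then a dictionary). The password file, the word lists and the hash are constructed for the example; the worm attacked crypt(3) hashes, whereas this code uses salted SHA-256 so that it runs without Python's deprecated crypt module.

```python
"""Password guessing in the style of the Morris worm (added example).

Stage 1 derives guesses from the password-file entry itself (user name,
user name doubled, user name reversed, first and last name from GECOS,
in several capitalisations). Stage 2 is a short built-in word list, a
stand-in for the worm's 432 words. Stage 3 is a dictionary, a stand-in
for /usr/dict/words. All data below is constructed for this example.
"""
import hashlib
from typing import Iterator, Optional, Tuple


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salted SHA-256, hex encoded (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(name: str, salt: str, password: str, gecos: str) -> str:
    """Build one constructed line in the form name:salt:hash:gecos."""
    return f"{name}:{salt}:{hash_password(salt, password)}:{gecos}"


# Constructed password file; only carol chose a password the worm would miss.
SAMPLE_PASSWD = "\n".join([
    make_entry("jdoe", "x1", "jdoejdoe", "John Doe"),
    make_entry("alice", "y2", "ecila", "Alice Liddell"),
    make_entry("bob", "z3", "wombat", "Bob Builder"),
    make_entry("carol", "q4", "Tr0ub4dor&3", "Carol Danvers"),
])
BUILTIN_WORDS = ["aaa", "academia", "wombat", "password", "secret"]  # stand-in for 432 words
DICT_WORDS = ["aardvark", "abacus", "zebra"]                       # stand-in for /usr/dict/words


def account_guesses(name: str, gecos: str) -> Iterator[str]:
    """Stage 1: guesses derived from the account's own password-file entry."""
    words = gecos.replace(",", " ").split()
    first = words[0] if words else ""
    last = words[-1] if len(words) > 1 else ""
    seen = set()
    for word in (name, name + name, name[::-1], first, last):
        for guess in (word, word.lower(), word.capitalize(), word.upper()):
            if guess and guess not in seen:
                seen.add(guess)
                yield guess


def crack(passwd_text: str, builtin=BUILTIN_WORDS, dictionary=DICT_WORDS):
    """Return {account: (stage, password)} for cracked accounts, None otherwise."""
    results: dict = {}
    for line in passwd_text.splitlines():
        name, salt, digest, gecos = line.split(":")
        stages: Tuple[Tuple[str, Iterator[str]], ...] = (
            ("account", account_guesses(name, gecos)),
            ("builtin", iter(builtin)),
            ("dictionary", iter(dictionary)),
        )
        found: Optional[Tuple[str, str]] = None
        for stage, guesses in stages:
            hit = next((g for g in guesses if hash_password(salt, g) == digest), None)
            if hit is not None:
                found = (stage, hit)
                break
        results[name] = found
    return results


if __name__ == "__main__":
    for account, outcome in crack(SAMPLE_PASSWD).items():
        print(f"{account:8s} {outcome if outcome else 'not cracked'}")
```

The three weak accounts fall before the dictionary stage is even reached, which is why a password that is the user name doubled, reversed, or a common word was worthless in 1988 and remains so. Note that the worm could run this offline because /etc/passwd, hashes included, was world-readable at the time; shadow password files were one of the direct consequences of the incident.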
The Morris Worm succeeded in infecting approximately 3000 computers,
which was about 5% of the Internet at that time.
Among the affected computers were those at the University of California
at Berkeley, MIT, Stanford, Princeton , Purdue, Harvard, Dartmouth,
University of Maryland, University of Utah,
Georgia Institute of Technology, and many other universities,
as well as computers at military and government laboratories.
When Morris understood that his worm was propagating faster
than he had expected, he called a friend at Harvard University.
The friend then sent the following anonymous message
with a false source address
to the TCP-IP mailing list via the Internet:
- A possible virus report:
There may be a virus loose on the internet.
Here is the gist of a message I got:
I'm sorry.
Here are some steps to prevent further transmission:
[three terse suggestions for how to stop the worm omitted here]
Hope this helps, but more, I hope it is a hoax.
However, because the Internet was already clogged
with copies of his worm or because computers were disconnected from
the Internet to avoid infection by the Morris Worm, the message did
not arrive until after system administrators had devised their
own techniques for removing the worm.
Further, the anonymous source, and also the tentative tone
(i.e., "possible virus report", "may be a virus loose",
"I hope it is a hoax."),
make this message much less helpful than it could have been.
If Morris had really been innocent, he could have faxed the source
code for his worm to system administrators at University of California
at Berkeley, MIT, Purdue, University of Utah, etc.
who were trying to decompile the worm and understand it.
And Morris could have given system administrators
authoritative suggestions for how to stop his worm.
Morris apparently never personally explained his intentions
or motives in designing and releasing his worm. Some of his
defenders have said that Morris did not intend the consequences of
his worm. A Cornell University Report by Ted Eisenberg, et al.
at pages 17, 27 and especially at Appendix 8,
[bibliographic citation below],
mentions comment lines by Morris in his 15 Oct 1988 source code
that say:
- "the goal is to infect about 3 machines per ethernet."
- "2) methods of breaking into other systems."
- "10) source code, shell script, or binary-only?
latter makes it harder to crack once found, but less portable"
- "hitting another system:
1) rsh from local host, maybe after breaking a local password and ....
2) steal his password file, break a password, and rexec."
Such comments appear as clear indications of criminal intent by Morris.
In a 17 Oct 1994 UseNet posting, Prof. Spafford
at Purdue, who has also actually seen the worm's source code at Cornell that
was written by Morris (including the comment lines by Morris that
are not present in the decompiled versions), said:
- The comments in the original code strongly suggested that
Robert intended it to behave the way it did; no accidents
involved.
Morris was the first person to be arrested, tried, and convicted
for writing and releasing a malicious computer program.
He was found guilty on 22 Jan 1990
and appealed, but the U.S. Court of Appeals upheld the trial court's decision.
The U.S. Supreme Court refused to hear an appeal from Morris.
U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991),
cert. denied, 502 U.S. 817 (1991).
The Court of Appeals noted that:
"Morris released the worm from a computer at the Massachusetts
Institute of Technology [MIT]. MIT was selected to disguise
the fact that the worm came from Morris at Cornell."
Id. at 506.
The Court of Appeals also noted that the cost of removing the worm
from each installation on the Internet was estimated to be
"from $ 200 to more than $ 53000." Id.
There are no precise figures on the amount of damage that Morris did,
but a widely quoted estimate by Clifford Stoll at Harvard is that
the total cost of dealing with the Morris Worm is somewhere between
US$ 10^5 and US$ 10^7.
Despite the severity of this damage,
Morris was sentenced in May 1990 to a mere:
- three years of probation,
- 400 hours of community service,
- a fine of US$ 10050,
- the US$ 3276 cost of his supervision during probation, but
- no incarceration in prison.
In addition to this legal punishment, Cornell University
suspended him from the University for at least one year.
When Morris applied for re-admission a few years later,
Cornell refused to accept him. Morris earned his Ph.D.
at Harvard University in 1999.
Bibliography on the Morris Worm
There are a number of technical publications that discuss
the Morris worm and its effect on computers that constituted the Internet:
- Peter J. Denning, editor, Computers Under Attack,
Addison-Wesley, 1990. A collection of reprinted articles
from computer science journals, which has about 90 pages
on the Morris Worm.
- Mark Eichin and Jon Rochlis, With Microscope and Tweezers:
An Analysis of the Internet Virus of November 1988, Feb 1989.
Available from the
MIT website
and published in various places.
- Ted Eisenberg, David Gries, Juris Hartmanis, Don Holcomb,
M. Stuart Lynn, and Thomas Santoro,
The Computer Worm,
A Report to the Provost of Cornell University on an Investigation
Conducted by The Commission of Preliminary Enquiry,
45 pp., 6 Feb 1989.
Available from the Office of Information Technologies at Cornell
University.
- Bob Page, A Report on the Internet Worm,
University of Lowell, 5 pp., 7 Nov 1988.
Available from a
website
in Canada and also from
Purdue.
- Donn Seeley, A Tour of the Worm, Computer Science Department,
University of Utah, 18 pp., 1988.
Available from Francis Litterio's
website.
- Eugene H. Spafford, The Internet Worm Program: An Analysis
Technical Report CSD-TR-823, Purdue University, 41 pp.,
8 Dec 1988. Available from
Purdue University.
- Eugene H. Spafford, The Internet Worm Incident,
Technical Report CSD-TR-933, Purdue University, 18 pp.,
19 Sep 1991. Available from
Purdue University.
(I recommend this report as the best place to start reading
about the effect of the worm on the Internet and ethical issues.)
- The June 1989 issue (Vol. 32, Nr. 6) of Communications of the ACM,
a major journal for professional computer programmers,
contains several articles concerning the Morris Worm.
I have posted the unpublished Judgment of the
trial court in
U.S. v. Robert Tappan Morris, as well as the opinion of the
appellate court that was published at
928 F.2d. 504.
MBDF Virus
In 1992, four undergraduate students at Cornell University
created and released the MBDF virus, which attacks Apple Macintosh computers.
This virus was released in three shareware programs:
- Obnoxious Tetris, a computer game,
- Ten Tile Puzzle, a computer game, and
- Tetriscycle, a Trojan Horse program
that contained an encrypted copy of the MBDF virus.
David S. Blumenthal wrote the virus and inserted it in the three programs.
Blumenthal also created an anonymous account on a Cornell computer,
so that apparently untraceable file transfers could be made.
Mark A. Pilgrim used this anonymous account on 14 Feb 1992
to upload the three programs to an Internet archive at Stanford University.
The initial victims downloaded the programs from Stanford
and infected their computers. As these victims shared their infected
files with other users, they unwittingly spread the virus to additional
victims.
The MBDF virus was a relatively benign program that did not directly
harm the victim's data files. However, this virus could cause harm in
three different ways:
- The virus caused some programs to crash when the user selected
an item from the menu bar.
- The CIAC
reported on 25 February 1992:
"When MBDF A infects the system file, it must re-write the
entire system file back to disk; this process may take two or three
minutes. If the user assumes the system has hung, and reboots
the Macintosh while this is occurring, the entire system file will
be corrupted and an entire reload of system software must then
be performed."
- The virus took several seconds to infect each program file
on the victim's computer, and, during those several seconds,
the display would freeze. If the victim rebooted the computer
during those several seconds, application files on the computer
could become corrupted.
To recover from such problems, the victim first needed to run anti-virus
software to delete the MBDF virus, then any corrupted files (e.g.,
either applications software or the operating system itself)
would need to be re-installed. Depending on the skill of the victim
in identifying which files were damaged, the recovery process could
take hours or days.
Compared with other malicious programs, the damage from the MBDF virus
was relatively small. The only reason that I mention the MBDF virus in
this essay is that it is one of a very few cases in which the author
and distributors of a malicious program were arrested
and punished for their crime.
The MBDF virus was first discovered in the wild by a professor of mathematics
in Wales, who sent it to John Norstad, the author of a now-discontinued
anti-virus program for the Macintosh.
Experts in computer security at several universities promptly
traced the origin of the MBDF virus to Cornell University.
Blumenthal and Pilgrim were arrested and put in jail on 24 February,
just ten days after the MBDF virus was first released.
They were arraigned in a New York state court on charges of
second-degree computer tampering, a misdemeanor.
They each posted $2000 cash bail and were released from jail.
Pilgrim cooperated with the police, told them the details
of what had happened, and incriminated Blumenthal.
As reports of infected computers were received
from all over the USA, Japan, Europe, Australia, and Canada,
the district attorney contemplated increasing the charges to
a felony, because he could prove a larger harm than what had
initially been apparent.
During grand jury proceedings in June 1992, two other
Cornell students were revealed to have played a role in the distribution
of the MBDF virus to various computer bulletin boards.
One of them was granted immunity from criminal prosecution
in exchange for his testimony.
The other, who will be identified here by the fictitious name Doe,
was indicted along with Blumenthal and Pilgrim,
but Doe later had his record expunged.
On 16 June 1992, a 17-count indictment was issued
against Blumenthal, Pilgrim, and Doe. The indictment
included four counts of first-degree computer tampering (a felony),
and also seven counts of attempted computer tampering (a misdemeanor),
plus one count of second-degree attempted computer tampering.
In addition, Blumenthal alone was charged with
felony counts of forgery and falsifying business records,
for his creation of the anonymous computer account
at Cornell University.
I obtained a photocopy of the indictment from the
Tompkins County Court and posted it here.
On 4 September 1992, Blumenthal and Pilgrim each pled guilty to
one count of second-degree computer tampering, a misdemeanor,
in exchange for the dismissal of all other charges and
neither prison nor fines.
On 5 October 1992, Blumenthal and Pilgrim were each sentenced to:
- pay restitution (a total of $ 6000 to Cornell University,
$ 1300 to a victim in New York City, and $ 65 to a victim
in California);
- each would provide 520 hours of community service, which they
fulfilled by writing software for a handicapped person in Tennessee;
- forfeit their personal computers; and
- be on probation.
The court clerk has informed me that there is no written Judgment
filed for either Blumenthal or Pilgrim.
Doe pled guilty to disorderly conduct and later had his record
expunged, so there is no record of Doe's sentence.
Additionally, each of the four students was either expelled or suspended from
Cornell University for at least one year.
Cornell University, whose reputation had been besmirched
by the Morris Worm in November 1988, found itself in 1992 portrayed
by journalists as a breeding ground for malicious computer programs.
University administrators must be ready to deal
with both the legal and public relations aspects of arrests of students
for creating malicious computer programs.
The best source of information that I have found on the obscure MBDF virus
case is the archives of
The Post-Standard
newspaper in Syracuse, NY.
Pathogen Virus
In April 1994, the Pathogen computer virus was released in the
United Kingdom, by uploading an infected file to a computer
bulletin board, where victims could download a copy of the file.
The Pathogen virus counted the number of executable
(e.g., *.EXE and *.COM)
files that it infected. When the virus had infected 32 files,
and an infected file was executed between 17:00 and 18:00 on a Monday, it:
- disabled the keyboard,
- corrupted the data in the first 256 cylinders of the hard disk drive, and
- displayed a message on the screen that included:
"I'll be back for breakfast.....
Unfortunately some of your data won't!!!!!"
Pathogen was encrypted by SMEG, a polymorphic engine also written by its
author, which generated a different decryption routine for each infected
file, so that the anti-virus software of the time could not recognize
Pathogen by a fixed byte signature.
What makes the Pathogen virus worth including here is that its author
is one of the very few authors of malicious computer programs who
were arrested and convicted.
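Why a polymorphic engine defeated the signature scanners of 1994 is easier to see in code than in prose. The following is a toy model added for this essay; it is not SMEG or Pathogen code, and the "body", the marker byte and the signature are all constructed. Each infected "file" carries the same body XOR-encrypted under a fresh two-byte key behind a small decoder whose padding also varies, so no fixed byte string is shared between copies. A plain signature scanner matches only the unencrypted body; a scanner that recognizes the decoder, recovers the key and scans the decrypted body catches every copy.

```python
"""Why polymorphic encryption defeats signature scanning (added toy example).

Real engines emit a different decryptor each time and real scanners emulate
it; here the decoder is a marker byte followed by the key, so that the
decrypting scanner can read the key directly.
"""
import random

BODY = (b"I'll be back for breakfast..... "
        b"Unfortunately some of your data won't!!!!!")
SIGNATURE = b"back for breakfast"   # the fixed byte string a 1994-style scanner matched
DECODER_MARK = b"\xeb"              # toy stand-in for the start of the decryption loop
NOP = b"\x90"                       # toy stand-in for variable junk before the decoder


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, reused cyclically (the same call decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_polymorphic_copy(body: bytes, rng: random.Random) -> bytes:
    """One infected 'file': variable padding, marker, 2-byte key, encrypted body.

    Key bytes are never 0, so no plaintext byte survives in the output.
    """
    key = bytes([rng.randrange(1, 256), rng.randrange(1, 256)])
    padding = NOP * rng.randrange(0, 8)
    return padding + DECODER_MARK + key + xor_stream(body, key)


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Pre-polymorphism detection: look for a fixed byte string."""
    return signature in data


def decrypting_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Find the decoder, take the key it carries, decrypt what follows, then scan."""
    if signature_scan(data, signature):
        return True
    i = data.find(DECODER_MARK)
    if i < 0 or i + 3 > len(data):
        return False
    key = data[i + 1:i + 3]
    return signature in xor_stream(data[i + 3:], key)


def compare_scanners(n_copies: int = 20, seed: int = 1):
    """Return (distinct copies, signature-scanner hits, decrypting-scanner hits)."""
    rng = random.Random(seed)
    copies = [make_polymorphic_copy(BODY, rng) for _ in range(n_copies)]
    return (len(set(copies)),
            sum(signature_scan(c) for c in copies),
            sum(decrypting_scan(c) for c in copies))


if __name__ == "__main__":
    distinct, sig_hits, dec_hits = compare_scanners()
    print(f"{distinct} distinct copies; signature scanner found {sig_hits}, "
          f"decrypting scanner found {dec_hits}")
```

The signature scanner scores zero against the polymorphic copies even though every one of them contains the full body. That is the whole point of an engine like SMEG, and it is why scanners moved to emulating the decryptor and scanning the result, which is what decrypting_scan does in miniature.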
Pathogen Perpetrator
The author of Pathogen was Christopher Pile (aka "Black Baron")
a 26-year-old unemployed computer programmer who lived in Devon, United Kingdom.
At his trial on 26 May 1995, Pile pled guilty to:
- five counts of unauthorized access to computers to facilitate crime
- five counts of unauthorized modifications of computer software
- one count of inciting others to spread computer viruses that he wrote.
These charges were the result of his development and release of the
Pathogen and Queeg viruses (both encrypted with his SMEG polymorphic engine)
in 1993 and continuing up to April 1994.
The prosecutor claimed that one unnamed victim had suffered damage
in the amount of a half a million pounds (approximately US$ 800,000)
from Pile's viruses.
On 15 November 1995, a judge sentenced Pile to 18 months in prison.
The judge declared: "Those who seek to wreak mindless havoc on one of
the vital tools of our age cannot expect lenient treatment."
Pile's punishment was more severe than that of other criminals
who have written and released malicious programs.
Other viruses and worms have been much more widespread, and caused much more
damage, but their authors have generally been able to avoid prison
(e.g., Morris and
de Wit)
or received a sentence not much longer than Pile's
(e.g., the author of the Melissa
virus spent 20 months in prison, despite having done at least
a hundred times more damage than Pile).
Melissa Virus
The Melissa virus was released on 26 March 1999
and was designed to infect macros in wordprocessing
documents used by the Microsoft Word 97 and Word 2000 programs.
Macro viruses were not new, they had been known since 1995.
The innovative feature of the Melissa virus was that it propagated
by e-mailing itself to the first fifty addresses in the
Microsoft Outlook e-mail program's address book.
This feature allowed the Melissa virus to propagate faster than
any previous virus.
The virus arrived at each new victim's computer disguised as
e-mail from someone who they knew, and presumably trusted.
(About 11 years earlier,
the Christma Worm
automatically sent itself to everyone in a victim's e-mail
address book on an IBM mainframe computer.)
The Melissa virus propagated in two different ways:
- On PCs running the Microsoft Outlook 97 or 98 e-mail program,
the Melissa virus used the Outlook program to send an e-mail
containing an attachment, with a filename like list.doc.
This file contained a Microsoft Word document with a macro,
and a copy of the Melissa virus was inside the macro.
When this e-mail was received by someone who had Microsoft Word
on his/her computer (even if their computer was an Apple Macintosh),
and the recipient clicked on the attachment,
the document would open and the Melissa virus would
automatically infect Word's normal.dot template file,
thus infecting the recipient's computer.
While Microsoft Outlook was necessary for the automatic sending
of infected documents, the recipient of such e-mail could be infected
even if the recipient used a non-Microsoft e-mail program.
- Infected Microsoft Word documents could be transmitted
by floppy disks, usual e-mail sent by victim, etc.
When such infected documents were opened in Microsoft Word,
the Melissa virus would automatically infect Word's
normal.dot template file,
thus infecting the recipient's computer.
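Both the Christma worm described earlier and Melissa share one behaviour that is visible at the mail gateway without knowing anything about the payload: a single account suddenly sends the same subject and attachment to a large number of recipients within seconds. The following is an added example, not code from either worm or from any anti-virus product, of the check a mail administrator could run over delivery logs to catch both. The one-line log format, the sample lines and the window and threshold values are assumptions constructed for this example; real MTA logs differ in layout.

```python
"""Detecting a mass-mailing worm from mail gateway logs (added example).

Groups log lines by (sender, subject, attachment) and reports any group
that reaches `threshold` distinct recipients inside a sliding time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# 1999-03-26T14:02:03 from=a@x to=b@x subject="..." attach=list.doc
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$')


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_mass_mailing(lines, window=timedelta(seconds=60), threshold=20):
    """Return alerts (sender, subject, attachment, recipients in busiest window)."""
    events = defaultdict(list)           # (from, subject, attach) -> [(ts, to), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[(rec["from"], rec["subject"], rec["attach"])].append((rec["ts"], rec["to"]))
    alerts = []
    for (sender, subject, attach), sends in events.items():
        sends.sort()
        best, start = 0, 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:   # slide window start
                start += 1
            best = max(best, len({to for _, to in sends[start:end + 1]}))
        if best >= threshold:
            alerts.append((sender, subject, attach, best))
    return alerts


def constructed_log():
    """Constructed sample: normal traffic plus one Melissa-like burst of 50 messages."""
    t0 = datetime(1999, 3, 26, 14, 2, 0)
    fmt = '{ts:%Y-%m-%dT%H:%M:%S} from={f} to={t} subject="{s}" attach={a}'
    lines = [fmt.format(ts=t0, f="alice@example.org", t="bob@example.org",
                        s="lunch?", a="-")]
    for i in range(50):                  # one account, same subject and attachment, 50 recipients
        lines.append(fmt.format(ts=t0 + timedelta(seconds=2 + i // 8),
                                f="dave@example.org", t=f"u{i:03d}@example.org",
                                s="Important Message From dave", a="list.doc"))
    for i in range(5):                   # legitimate sender: different subject each time
        lines.append(fmt.format(ts=t0 + timedelta(seconds=30 + i),
                                f="carol@example.org", t=f"team{i}@example.org",
                                s=f"minutes {i}", a="minutes.doc"))
    return lines


if __name__ == "__main__":
    for alert in detect_mass_mailing(constructed_log()):
        print("mass-mailing burst:", alert)
```

The threshold of 20 is well below Melissa's 50 so that a partially delivered burst is still caught, and grouping on subject and attachment keeps a legitimate user who sends five different messages in a minute from being flagged. The same check would have fired on the Christma worm's storm of identical messages in December 1987.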
Many documents about the Melissa virus claim this virus was
"relatively harmless" or "benign". That claim is not true.
There were a number of distinctly different harms caused by Melissa:
- Documents in Microsoft Word format were automatically sent,
using Microsoft Outlook, to fifty people by the Melissa virus.
Such automatic transmission could release confidential information
from the victim's computer.
- When the day number equals the number of minutes in the current time
(e.g., at 11:06 on the 6th day of the month),
the Melissa virus inserted the following text in whatever document
was then being edited in Word on the victim's computer:
- Twenty-two points, plus triple-word-score, plus fifty
points for using all my letters. Game's over. I'm outta here.
Such an insertion was a deliberate modification of data files
on the victim's hard drive, an unauthorized tampering
with the victim's document files.
- Future victims were most commonly infected by opening an attachment
in an e-mail from someone who they knew, and presumably trusted.
Until the workings of the Melissa virus were understood by all the
victims, trusted relationships between people could be harmed
by this unauthorized sending of e-mail.
- As with any rapidly propagating virus or worm, e-mail can be
delayed, which sometimes has economic consequences
(e.g., lost productivity).
- And, as with all viruses and worms, there was the cost of
removing the infection and restoring the computer to normal.
The fact that the Melissa virus could have been more destructive
(e.g., by deleting data files from the victim's computer)
is hardly praise for the author of the Melissa virus.
For more technical details on Melissa, see the
CERT advisory
and the F-Secure description.
Finally, at the time of Melissa, using an Apple Macintosh protected one from
most computer viruses and worms, which were written for DOS and Windows.
However, Apple computer users who also use
Microsoft Word 97 or later are vulnerable to the same macro
viruses that plague Word users on Microsoft Windows 95 or later,
because the macro runs inside Word rather than in the operating system.
Even so, the Melissa virus can not automatically transmit itself
by e-mail from a computer that uses the Macintosh operating system,
because its mailing routine depends on the automation interface of
Microsoft Outlook, which was not available on the Macintosh.
Melissa Perpetrator
The Melissa virus was written by David Lee Smith
and first released on 26 March 1999 as an attachment to his posting
to an alt.sex newsgroup. That posting said the attachment
contained a list of passwords for pornographic websites,
but the attachment actually contained his virus.
Smith named his virus "Melissa" after a topless dancer
in Florida, who Smith knew.
It is obvious that Smith knew what he was doing was wrong,
because he used a stolen AOL account and password
to make the initial release to the alt.sex newsgroup.
Before his arrest, Smith discarded the hard drives that were used
to create his virus at his home in New Jersey, then he
hid at his brother's house, where David Lee Smith was arrested.
Smith was arrested on 1 April 1999. The
CNN
news report shows the police mugshot of Smith, with a smirking expression.
He was charged in federal court with violations of
18 USC § 1030(a)(5)(A)
and in New Jersey state court with violations of
NJSA 2C:20-25(a) and 2C:20-26(a).
Smith was fired from his job doing computer programming at AT&T.
He subsequently worked as a computer technician at Rutgers University
after his arrest. (Rutgers did not know that Smith had been arrested
for this crime.)
Smith voluntarily quit his job at Rutgers six days before he pled guilty.
On 9 Dec 1999, Smith pled guilty in federal court.
The plea agreement between prosecutors and Smith had the following features:
- Smith would cooperate with authorities in thwarting
other creators of malicious computer programs.
- It would be stipulated that the Melissa virus did
"more than eighty million dollars of damage".
(The actual amount was much, much higher;
one estimate was US$ 1100 million.
However, the stipulation became a "fact" accepted in court
for the purposes of determining Smith's sentence.)
- Any state and federal prison sentences would run concurrently,
and end at the same time.
On 1 May 2002, a judge in federal court imposed the following sentence
on Smith:
- 20 months in federal prison,
- 36 months of "supervised release" (i.e., probation) after his prison term
ends, during which time he can access the Internet only with the permission
of his probation officer,
- fined US$ 5100, and
- ordered to serve 100 hours of "community service" work in the
"technological field", perhaps giving lectures in schools about the
harmfulness of computer viruses.
Apparently, the 29-month interval between Smith's guilty plea
and his sentencing (an unusually long interval) was the result
of his cooperation with authorities in investigating other
malicious computer programs. The authorities did not reveal any
details of the cooperation, so it is not possible to know
what the government got in exchange for more than halving Smith's
prison sentence.
On 3 May 2002, a judge in New Jersey state court imposed
the following sentence on Smith:
- the maximum allowable sentence of ten years in state prison.
However, because of his plea agreement, Smith would serve
only the 20 months in federal prison and then be a free man.
- fined US$ 2500.
Some documents in Smith's case have been posted on the Internet:
- Information
filed by the U.S. Attorney for the District of New Jersey,
charging David Lee Smith with violation of 18 USC § 1030(a)(5)(A).
- Letter
of 8 Dec 1999 from the U.S. Attorney for New Jersey to the attorney
representing David Smith, offering a plea agreement.
- DoJ
press release about Smith's guilty plea.
- Judgment issued by Judge Greenaway
on 1 May 2002.
- U.S. Attorney's
1 May 2002 press release about Smith's sentence. Another copy is at the
DoJ
website.
weak punishment
If one accepts the legal stipulation that the Melissa virus
did US$ 8 × 10^7 in damage,
and one considers Smith in prison to lose 16 hours/day
of freedom (who cares where he sleeps for 8 hours/day?)
for 20 months (about 9600 hours), then the effective value of Smith's
time in prison is US$ 8330/hour.
That is a ridiculously high value for Smith's time.
The prosecutors ignored that Smith's virus fraudulently
sent e-mails from each victim's computer to
new victims who were in previous victim's e-mail address book.
The new victims opened the attachment in e-mail
apparently from someone who they knew, and presumably trusted,
and were infected with a copy of Smith's virus.
I believe society should express outrage at this kind of fraud.
ILOVEYOU Worm
The ILOVEYOU worm was first reported in Hong Kong on 4 May 2000
and spread westward on that day.
The ILOVEYOU worm affected computers at more than half of the
companies in the USA and more than 10^5 mail servers in Europe.
Internal e-mail systems at both the U.S. Senate and
Britain's House of Commons were shut down.
It was estimated that the ILOVEYOU worm
did more damage than any other malicious program in the history of computing:
approximately US$ 9 × 10^9.
On 4 May 2000, MessageLabs filtered ILOVEYOU from
one in every 28 e-mails, the all-time highest daily infection rate
seen by MessageLabs.
The ILOVEYOU incident was commonly reported as a virus in the
news media, but it was actually a worm, because this malicious program
did not infect other programs.
I call this worm by the subject line of e-mail that propagated this worm.
Norton Anti-Virus calls it VBS.Loveletter.A.
The ILOVEYOU worm arrived at the victim's computer in the form
of e-mail with the ILOVEYOU subject line and an attachment.
The e-mail itself was innocuous, but when the user clicked on the attachment
to read the alleged love letter,
LOVE-LETTER-FOR-YOU.TXT.VBS, the attachment
was a Visual Basic program that performed a horrible sequence of bad things:
- deletion of files from victim's hard disk
The worm overwrote files from the victims' hard disk drive,
specifically targeting files with extensions:
- *.JPG, *.GIF, and *.WAV, amongst many others (i.e., files containing audio/visual data),
- *.CSS (i.e., cascading style sheets called by HTML 4.0 documents).
- some later versions deleted *.COM or *.EXE files,
which prevented the computer from starting when rebooted.
- some later versions deleted *.INI files.
The worm overwrote a copy of itself to a
file with the name of the original file, appending the extension *.VBS,
so the total number of files on the victim's hard disk would be
unchanged and the damage more difficult to immediately detect.
Further, if a victim clicked on one of these files, the ILOVEYOU worm
would be activated again on that one victim.
By overwriting files, instead of merely deleting files, the worm
made it much more difficult (perhaps impossible) to recover the original
file on the victim's hard drive. For example, if the worm had merely
deleted files, then the victim could restore the files from the
Recycle Bin or Trash Can.
In addition, the worm marked files of type *.MP3 as hidden, so
they would no longer appear in directory listings, then copied the worm
to new files *.MP3.VBS.
- password theft
The attachment LOVE-LETTER-FOR-YOU.TXT.VBS
automatically set the Microsoft Internet Explorer start page to a URL
at a web server in the Philippines, which would download
WIN-BUGSFIX.EXE to the victim's machine.
The worm then set the victim's machine to run WIN-BUGSFIX.EXE
the next time the victim's machine was booted.
WIN-BUGSFIX.EXE was a Trojan Horse program that collected
usernames and passwords from the victim's hard drive and e-mailed
them to an address in the Philippines, mailme@super.net.ph.
(That was a really stupid feature, since law enforcement agents,
within 12 hours of the initial release of the worm,
identified the person who owned that e-mail address.)
Furthermore, there was a copyright notice in the Trojan Horse's code!
An Internet Service Provider in Europe alerted the web server in
the Philippines at 08:30 GMT on Thursday, 4 May 2000,
and WIN-BUGSFIX.EXE was removed from the website,
which prevented most of the harm in Europe and the USA from this
password-collecting program.
Later, the web server in the Philippines was overwhelmed
(i.e., a kind of a denial of service attack) with requests from the
worm for WIN-BUGSFIX.EXE.
This Trojan Horse program had been previously submitted as a thesis proposal
at a computer college in the Philippines. The proposal was rejected
with handwritten comments "This is illegal." and "We don't produce
burglars." The student then dropped out of the college without
earning a degree. A copy of the student's rejected thesis
proposal
is posted at Richard M. Smith's website.
- worm propagates
The worm transmitted itself using features of the earlier
Melissa program: scanning the address book in Microsoft Outlook,
and then transmitted a copy of the ILOVEYOU e-mail to all of those
e-mail addresses. This method of transmission rapidly disseminated
the worm to millions of victims.
In comparison, Melissa sent copies to only the first
50 entries in the Microsoft Outlook address book, while ILOVEYOU sent
copies to every address in that victim's address book.
The worm also sent copies to other people on the same Internet Relay
Chat channel that the victim was using.
copycat versions of the ILOVEYOU worm
The first copycat version appeared on Thursday afternoon with a
subject line fwd:joke and an attachment veryfunny.vbs.
Another copycat version appeared on Sunday with a
subject line Dangerous Virus Warning
and an attachment virus_warning.jpg.vbs.
Anyone who clicked on the attachment to read the warning
would activate the worm on their machine and become a victim.
The deception in this subject and e-mail message may be particularly
horrifying to a naive person, but one must not expect computer criminals
to be honest and sincere. It's a sad fact of life that people without
a healthy amount of skepticism and cynicism will become victims
of crimes.
Just five days after the initial release of the ILOVEYOU worm,
Norton AntiVirus had identified 29 different versions
of the worm. It takes minimal skill to slightly modify a version
of a worm and release the new version, which is one reason there
are so many copycat versions. Some of the copycat versions were more
destructive than the original, as these copycat versions overwrote
files of types *.COM, *.EXE, and *.INI,
which destroyed the user's operating system.
ILOVEYOU Perpetrator
Police in the Philippines knew the name and location
of the suspect within 12 hours of the initial release of the worm,
but the police were hampered by
the lack of laws there for computer crimes. The closest relevant
Philippine law was designed to cover credit card or bank account fraud,
but was broad enough to cover unauthorized taking of goods and services.
However, the police were not able to find sufficient evidence
for prosecutors to apply this fraud statute.
On 7 June 2000, police and prosecutors in the
Philippines closed their investigation of the ILOVEYOU worm,
because the creation and release of this worm was not
a crime in the Philippines.
On 21 August 2000, prosecutors dropped all charges
against the people who apparently designed and released the ILOVEYOU worm.
Partly as a result of inadequate law in the Philippines,
just five days after the initial release of the virus there
was active discussion of extraditing the suspect to a developed country
where harm occurred and where the laws were adequate to punish
the perpetrator. However, extradition laws only allow extradition
in cases where the offense was a crime in both
the suspect's home country and in the country to which extradition
is sought, so extradition from the Philippines was not possible.
This example shows the international nature of computer crime:
a criminal in one country can rapidly cause havoc all over the world,
using the international reach of the Internet. In contrast,
a criminal who physically moves from one country to the next would
need to pass through immigration and customs controls at each border,
as well as become subject to personal jurisdiction in each country.
On 11 May 2000, one week after the initial release of the worm,
the author's attorney said that
his client did not realize how rapidly the worm would propagate.
Sorry, that's not plausible;
see my remarks above.
One week after the initial release of the worm,
the author's attorney said that the worm had been "accidentally" released.
This excuse is too easy.
There is no acceptable reason to create such malicious software: remember that
the program overwrote files on the victim's disk drive, the overwriting
had absolutely no benefit to the author of the program,
except for glee at hurting other people.
There is no rational reason to write a program that one intends never to use.
And, if one writes such a destructive program, then one must
use extraordinary care (i.e., the same care that one takes with
toxic chemicals, explosives, highly radioactive materials, etc.)
to make certain that the program is never released.
Society ought to demand that those who release malicious programs,
even if the release is an "accident", be held legally responsible for the
damage caused by the malicious programs.
The author of the password-stealing Trojan Horse
had attempted to justify his program because Internet access in the
Philippines was expensive (e.g., US$ 2.50/hour with no "unlimited use"
plans available), therefore he sought to use victim's accounts for free.
This is simply theft of services.
Anna Worm
On 11 Feb 2001, a malicious program was released that
was contained in an attachment to e-mail.
The attachment purported to be a picture of a 19-year-old Russian tennis
player, Anna Kournikova, but the attachment was actually a computer worm.
The attachment had the file name
AnnaKournikova.jpg.vbs
The file type .jpg is commonly used for graphic images,
such as photographs. However, the real file type was
.vbs, which is an executable file, a computer program written
in Microsoft Visual Basic Script.
This malicious program is often known by the last name of the innocent
tennis player. I have chosen to refer to this malicious program
by her first name, Anna, to avoid associating the tennis player
with this malicious program. Norton Anti-Virus calls this worm
VBS.SST@mm.
F-Secure calls this worm OnTheFly after the pseudonym of its author.
The Anna worm did the following two things on a victim's computer:
- sends one copy of the worm to each e-mail address in the
victim's Microsoft Outlook address book.
- on 26 Jan of each year, it displays the homepage of
an innocent computer store on the victim's web browser.
The Anna worm does not have any novel technical features.
I mention the Anna worm here only because
it is one of the very few cases in which the author was
arrested and punished.
The Anna worm rapidly spread amongst computers,
particularly in North America,
on 12-13 Feb 2001.
While the Anna worm was relatively benign (e.g., it did not damage
any files on the victim's computer), it still caused harm by
clogging the Internet with many copies of itself and by requiring
each victim to remove it from his/her computer.
Perpetrator of Anna Worm
The author, Jan de Wit, was a 20-year-old man who lived in
Friesland in the Netherlands.
He downloaded a tool from the Internet for creating malicious programs
and wrote this worm in just a few hours.
An Internet website purporting to be by the author of the
Anna worm said "It's their own fault they got infected."
(See, for example
wired.com
and cnet.com.)
I have two comments:
- It is true that the victim was infected when he/she clicked on
the attachment in e-mail that purported to be a photograph,
but was actually a worm. But the author of the Anna worm
ignores the fact that the worm was deceptively, or fraudulently,
presented as a photograph. I would be more willing to accept
the author's blame-the-victim statement about the worm had it
arrived in an e-mail that said "Click here to receive a computer virus."
But, of course, no criminal would be so honest.
- Blaming the victim for the harm caused by a crime is repugnant.
Can you imagine someone accused of homicide saying that he
only perpetrated an assault/battery, because the victim would
not have died if the victim had worn a bullet-proof vest.
Thus the homicide is the victim's fault, for recklessly not
wearing body armor!
The anti-virus software company F-Secure in Finland identified
the author of the Anna worm to police in the Netherlands.
On 14 Feb 2001, after his worm spread worldwide
and caused considerable inconvenience,
Jan de Wit surrendered to police in the Netherlands.
On 27 Sep 2001, a Dutch court sentenced de Wit to a mere
150 hours of community service.
This sentence was light, because prosecutors had difficulty
in finding admissible evidence about the cost of removing the Anna worm
from computers. Businesses were reluctant to admit that their
computers were infected with a worm.
On 16 Oct 2001, de Wit appealed this sentence as too harsh.
three worms: CodeRed, Sircam, Nimda
The year 2001 saw the introduction of many serious malicious programs:
CodeRed, Sircam, Nimda, BadTrans.B, and Klez.
I treat the first three tersely in the following sections.
CodeRed
The initial CodeRed worm was discovered on 16 July 2001.
CodeRed targeted webservers, not computers of users.
This worm was propagated as an http get request, i.e. a request
to get a webpage from a server. If the server was running Microsoft
Windows NT 4.0 or Windows 2000 operating systems,
a defect in those operating systems allowed the worm to infect that server.
An interesting feature of CodeRed is that it does not reside
in any file on the hard disk, but only exists in semiconductor memory (RAM):
this feature allows CodeRed to escape detection by a scan of the hard disk
with anti-virus software.
Switching the infected computer off, then on, will remove the infection,
but webservers normally run continually
(i.e., 24 hours/day, 7 days/week),
unlike computers in homes and offices that may be rebooted daily.
The CodeRed worm did different things depending on the day of the month.
Most versions of CodeRed used the following schedule:
- During the first 19 days of each month,
the CodeRed worm sent out many
http get requests to random IP addresses
(i.e., websites and Internet users), seeking webservers to infect.
This feature of CodeRed is essentially a port probe,
looking for webservers running Windows NT 4.0 or
Windows 2000 operating systems.
The large number of bogus requests from CodeRed
could mimic a denial-of-service attack on a webserver.
- During days 20 to 28 of each month,
another feature of CodeRed makes a denial-of-service attack on
the IP address that then corresponded to www.whitehouse.gov.
The IP address of the U.S. President's website was
changed to defeat CodeRed.
- After the 28th day of the month, CodeRed goes into
a sleep state until the next month, although the server is still infected.
- Under certain circumstances, one early version of CodeRed
running on a webserver that uses the English language
will intercept requests for a webpage and return its own HTML code:
- Welcome to http:// www.worm.com !
Hacked by Chinese!
After 10 hours, CodeRed again returns the proper requested webpage.
The temporary unavailability of some webpages will cause concern
to webmasters, then the problem will "magically" disappear,
frustrating operators of webservers who are trying to find the problem.
A CERT advisory
showed that CodeRed infected 2.0 × 10^5
computers in just five hours on 19 July 2001, which was a rapid
rate of infection and a good example of geometric series mentioned
earlier in this essay.
CERT said that "at least 280000 hosts were compromised in the first wave"
of attacks on 19 July 2001.
CodeRed II
A new version of CodeRed appeared on 4 August 2001, called CodeRed II.
The important new feature of CodeRed II is the installation of
a Trojan Horse program,
which creates a backdoor into the infected webserver.
After this backdoor is installed,
any web surfer can send commands by using any web browser.
Such commands could, for example, delete files from the webserver,
or upload new files to the webserver.
The Trojan Horse also disables the system file checker function
in Windows, so that the modified operating system files can not be
detected.
Whoever wrote CodeRed II did not like the Chinese, as that variant
is designed to propagate faster, and for a longer time, in webservers
that use the Chinese language.
Perpetrator of CodeRed
To the best of my knowledge, the author of the CodeRed worm was never identified,
so there can be no legal consequences for him.
Sircam
The initial Sircam worm was discovered on 17 July 2001, about the same
time as CodeRed first appeared.
The worm arrived at a victim's computer in e-mail with the following text:
- Hi! How are you?
[second line: one of four choices below]
See you later. Thanks
There are four different versions of the second line of the e-mail text:
- I send you this file in order to have your advice
- I hope you can help me with this file that I send
- I hope you like the file that I sendo you
- This is the file with the information that you ask for
Clicking on the attached file infects the victim with the Sircam worm.
Note: the text of e-mail containing malicious programs
often contains ungrammatical text,
punctuation errors (e.g., the missing periods in Sircam's text),
or misspelled words, because the author is a non-native speaker of English.
Such mistakes in English text in an e-mail apparently from an English-speaking
country should alert the reader to the possibility of e-mail from a forged address.
The Sircam worm inflicts several harms on the victim:
- a 2% chance that the file c:\recycled\sircam.sys
will be created, then text is repeatedly added to this file until there
is no more free space on the C: hard disk drive.
- on computers using the day/month/year date format and when the
date is 16 October, there is a 5% chance that Sircam will
delete all files and delete all directories on the C:
hard disk drive.
- Sircam automatically sends copies of itself with the victim's
e-mail address as the From: address.
If Sircam can not find the victim's e-mail address, then
Sircam will forge a From: address from the current
username and one of four mail servers
(e.g., @prodigy.net.mx).
The To: addresses are harvested from the Windows Address
Book and also from e-mail addresses found in the web browser cache files.
The text of the e-mail was mentioned above.
The e-mail has one attachment which contains a copy of the
Sircam worm followed by the contents of a file
with file type .doc or .zip
from the My Documents folder on the victim's computer.
This document could contain the victim's confidential information,
which is then sent to numerous addresses.
The name of the attachment had a double file extension,
which like Melissa and
Anna above, is symptomatic of
a malicious attachment. The filename and left extension of the attachment
was identical to the copied file from the victim's machine,
Sircam then added a second file extension:
either .com, .bat, .exe,
.pif, or .lnk, which made the attachment
an executable file type.
- Sircam uses its own internal mail program, so that copies of outgoing
e-mail do not appear in the user's e-mail program's out-box.
Thus the user does not know his/her computer is mailing copies
of the Sircam worm to other people.
- The Sircam worm has a length of 137216 bytes.
The additional space required by the document from the victim's computer
makes the attachment even larger, perhaps more than 200000 bytes,
which is larger than most webpages and most e-mail messages.
This large file size helps Sircam clog the Internet.
Several anti-virus websites note that there is a bug in the Sircam worm
that makes it "highly unlikely" that the disk-space-filling and
file-deleting will occur. However, the author of Sircam apparently
intended those harms to occur.
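The double file extensions described for ILOVEYOU (LOVE-LETTER-FOR-YOU.TXT.VBS), Anna (AnnaKournikova.jpg.vbs) and Sircam (a document name with .com, .bat, .exe, .pif or .lnk appended) are the kind of thing a mail gateway can check mechanically. The following is an added example of such a check; it is not code from this essay or from any of the programs it describes, and the lists of "executable" and "data" extensions are assumptions for the example rather than a complete catalogue.

```python
"""Flag e-mail attachment names that use the deception described above:
a harmless-looking extension (.txt, .jpg, .doc) immediately followed by an
executable one (.vbs, .exe, .pif, ...), or an executable extension alone.
Added example; not code from the essay or from any worm it discusses."""
from dataclasses import dataclass

# Extensions Windows treats as executable: the Sircam list (.com, .bat,
# .exe, .pif, .lnk) plus the .vbs used by ILOVEYOU and Anna.  Assumed
# list for this example, not exhaustive.
EXECUTABLE_EXTS = {"vbs", "exe", "com", "bat", "pif", "lnk", "scr", "js"}

# Extensions a user expects to hold data; the worms used these as camouflage.
DATA_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "zip", "xls",
             "htm", "html", "mp3", "wav"}


@dataclass
class Verdict:
    filename: str
    executable: bool   # last extension would run as a program on Windows
    disguised: bool    # a data-looking extension sits right before it
    reason: str


def inspect_attachment(filename: str) -> Verdict:
    """Classify one attachment name; directory components are ignored."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    if len(parts) < 2:
        return Verdict(filename, False, False, "no extension")
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return Verdict(filename, False, False,
                       f".{last} is not an executable type")
    if len(parts) >= 3 and parts[-2] in DATA_EXTS:
        return Verdict(filename, True, True,
                       f"data-like .{parts[-2]} hides executable .{last}")
    return Verdict(filename, True, False, f"executable .{last} attachment")


def triage(filenames):
    """Return the verdicts a gateway should quarantine (executable names)."""
    return [v for v in map(inspect_attachment, filenames) if v.executable]


if __name__ == "__main__":
    # Names taken from this essay, plus a harmless one for contrast.
    for v in map(inspect_attachment,
                 ["LOVE-LETTER-FOR-YOU.TXT.VBS", "AnnaKournikova.jpg.vbs",
                  "report.doc.pif", "photo.jpg"]):
        print(f"{v.filename:32} executable={v.executable!s:5} "
              f"disguised={v.disguised!s:5} {v.reason}")
```

The `disguised` flag is the one worth alerting on loudly: an attachment that is simply `.exe` may be legitimate in some environments, but a name whose second-to-last extension pretends to be a picture or a document has no honest use.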
Perpetrator of SirCam
To the best of my knowledge, the author of the SirCam worm was never identified,
so there can be no legal consequences for him.
A copyright notice in the Sircam code says that this worm was made in Mexico,
but I have seen no confirmation that this statement is correct.
The anti-virus software vendor Trend Micro
reported on 10 May 2002 that a total of 1.0 × 10^6
computers worldwide had been infected with Sircam.
The anti-virus software vendors Sophos and Computer Associates both
reported SirCam as the second most prevalent malicious program
infecting computers in the year 2001:
SirCam accounted for 20% of the reports to Sophos in 2001.
On 17 May 2002, MessageLabs reported SirCam as the
all-time most prevalent malicious program in e-mail.
Nimda
The Nimda worm was discovered on 18 September 2001 and it spread rapidly
on the Internet.
Nimda had two novel features:
- Nimda could infect a computer when the user read or previewed
an e-mail that contained a copy of Nimda.
With all previous viruses or worms transmitted by e-mail,
the user would need to click on an attachment to infect the user's computer.
- Nimda could modify webpages on a webserver, so that accessing
those webpages could download a copy of Nimda to the browser's computer.
These two novel features represented a significant "advance"
in ability to harm victims.
The first novel feature of Nimda exploited a defect in Microsoft Internet Explorer 5.01 and 5.5.
A patch that repairs this defect had been available from the Microsoft
website since 29 March 2001, but most computer users do not
bother to install the latest updates.
Why did a defect in a web browser cause a vulnerability to
worms sent by e-mail? Most modern e-mail is sent in HTML format,
the same format used by webpages, and e-mail software (e.g., Microsoft
Outlook) uses Internet Explorer web browser to display such e-mail.
This vulnerability could be avoided by
(1) selecting either Netscape Navigator or Opera
as the default browser and (2) using a non-Microsoft e-mail program,
such as Eudora.
The Nimda worm propagates in several different ways:
- Like the CodeRed worm, every copy of Nimda
generates many random IP addresses to target http get requests,
i.e. a request to get a webpage from a server.
If the server was running Microsoft
Windows NT 4.0 or Windows 2000 operating systems,
a defect in those operating systems allowed the worm to infect that server.
The name of the Nimda worm is a reversal of the computer term
admin (administrator), which designates a user with the privilege of
modifying system files. By exploiting a defect in Windows,
the Nimda worm is able to act as an administrator.
- Once a webserver was infected by Nimda, the worm adds
a small amount of Javascript code to
webpages on that server with filenames:
index, default, or readme
and extensions:
.html, .htm, or .asp.
Nimda also creates a copy of itself in a file, readme.eml,
on an infected webserver.
Depending on the settings on the user's computer regarding Javascript,
when the user accessed one of these altered webpages,
the user's web browser might:
- automatically download readme.eml and execute the Nimda worm,
thus infecting the user's computer,
- display a prompt to ask whether the user wanted to download the file readme.eml, or
- automatically refuse to download the file.
- Once every ten days, Nimda searches the hard drive of an infected computer
to harvest e-mail addresses from the following sources:
- in-boxes for the user's e-mail program (e.g., Microsoft Outlook)
- *.HTML and *.HTM files in the user's web browser cache
(also called the Temporary Internet Files folder).
After harvesting e-mail addresses, Nimda selects one of these
addresses as the From: address and the remainder as
To: addresses, and sends copies of Nimda in an apparently blank e-mail.
Note that the infected computer is not used as the From:
address, so there is no easy way for the recipient of e-mail to
determine whose computer sent the copy of Nimda.
Nimda (like Sircam) uses its own internal mail program,
so that copies of outgoing e-mail do not appear
in the user's e-mail program's out-box.
Thus the user does not know his/her computer is mailing copies
of the Nimda worm to other people.
As mentioned above, Nimda can infect
the recipient's machine when the recipient either reads or previews
the e-mail, without needing to click on an attachment.
- Nimda adds a copy of itself to the beginning of *.EXE files.
Such executable files are sometimes transferred to other computers,
which will spread the Nimda infection.
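The webserver item above names two artifacts an administrator can look for: a dropped readme.eml file, and a short piece of Javascript inserted into pages named index, default or readme with the extensions .html, .htm or .asp. Here is an added example of a scanner for those two artifacts; it is not code from the essay or from Nimda. The sample web root is constructed for the example, and the injected script it contains is an illustration of a script that references readme.eml, not a copy of the worm's own insertion.

```python
"""Scan a web root for the two Nimda artifacts the essay describes:
a dropped readme.eml file, and a <script> referencing readme.eml inside
index/default/readme pages with .html, .htm or .asp extensions.
Added example; sample files below are constructed."""
import os
import re

TARGET_NAMES = {"index", "default", "readme"}
TARGET_EXTS = {".html", ".htm", ".asp"}
DROPPED_FILE = "readme.eml"

# A clean page has no reason for a script element to mention readme.eml,
# so any such script is treated as a finding.
INJECT_RE = re.compile(r"<script[^>]*>[^<]*readme\.eml", re.IGNORECASE)


def is_target_page(path: str) -> bool:
    """True for the filenames/extensions the essay says Nimda modifies."""
    base, ext = os.path.splitext(os.path.basename(path).lower())
    return base in TARGET_NAMES and ext in TARGET_EXTS


def scan_tree(files):
    """files: mapping of relative path -> text content.
    Returns a sorted list of (path, description) findings."""
    findings = []
    for path, content in sorted(files.items()):
        if os.path.basename(path).lower() == DROPPED_FILE:
            findings.append((path, "dropped worm file"))
        elif is_target_page(path) and INJECT_RE.search(content):
            findings.append((path, "injected script references readme.eml"))
    return findings


def scan_directory(root: str):
    """Read a real web root from disk into the mapping scan_tree expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return scan_tree(files)


# Constructed sample web root.  The script in index.html is an illustration
# of an injected reference to readme.eml, not Nimda's actual code.
SAMPLE_SITE = {
    "index.html": "<html><body>Welcome</body></html>\n"
                  '<html><script>window.open("readme.eml", null, '
                  '"resizable=no,top=6000,left=6000")</script></html>',
    "about.html": "<html><script>document.title='About';</script></html>",
    "docs/default.htm": "<html><body>Documentation index</body></html>",
    "readme.eml": "MIME-Version: 1.0\n(constructed stand-in for the dropped file)\n",
}

if __name__ == "__main__":
    for path, what in scan_tree(SAMPLE_SITE):
        print(f"{path}: {what}")
```

`scan_tree` is kept free of file-system access so it can be unit-tested on an in-memory tree; `scan_directory` is the thin wrapper that feeds it a real document root.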
On 11 Oct 2001, hundreds of e-mails containing Nimda were sent with
forged From: addresses that appeared to originate from the
manager of anti-virus research at
F-Secure
in Finland. Such forged source addresses, whether a deliberate act
or a random occurrence caused by execution of a malicious program,
damage the reputation of innocent people.
(I elaborate on this point later in this essay, in discussing the
Klez program.)
For more technical details on Nimda, see the
CERT advisory
and the F-Secure description.
The Nimda worm has a length of 57344 bytes, which makes it a relatively
large file compared to many webpages and e-mail messages.
This large file size helps Nimda clog the Internet.
I noticed CodeRed and Nimda at my professional website, where,
up to 10 May 2002,
there were 11238 requests for Windows NT operating
system files, particularly cmd.exe. (These files do not exist
on the server that hosts my website, as that server runs the Unix
operating system.)
The webhosting service that I use reported on
18 Sep 2001 that they were receiving approximately
8000 hits/second requesting cmd.exe.
Such a high rate of requests approximates a denial-of-service attack
on a webserver.
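The requests for cmd.exe described in the two paragraphs above are visible in an ordinary webserver access log, and a Unix host has no legitimate reason to be asked for a Windows executable. The following is an added example of a small log analyser that counts such probes per source address and flags any one-second window in which the probe rate looks like the flood the webhosting service reported; it is not code from the essay. The log format is assumed to be the Apache common log format, and the log lines, IP addresses and request paths are constructed for the example.

```python
"""Detect CodeRed/Nimda-style probes in a Unix webserver's access log:
GET requests for Windows executables (cmd.exe and the like) that cannot
exist on the host.  Added example; the log lines below are constructed."""
import re
from collections import Counter

# Apache common log format prefix (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_probe(path: str) -> bool:
    """True if the requested file is a Windows executable.  The essay's own
    server saw requests for cmd.exe; any *.exe on a Unix host is a probe."""
    bare = path.lower().split("?", 1)[0]      # drop the query string
    return bare.endswith(".exe")


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, rate_threshold: int = 3):
    """Return (probes_by_ip, flood) where flood maps each log timestamp
    (one-second resolution) to its probe count when that count reaches
    rate_threshold.  The threshold is an assumed tuning value."""
    by_ip = Counter()
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        by_ip[rec["ip"]] += 1
        per_second[rec["ts"]] += 1
    flood = {ts: n for ts, n in per_second.items() if n >= rate_threshold}
    return by_ip, flood


# Constructed sample log: three probes from one address in the same second,
# one probe from another, and two legitimate requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] '
    '"GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] '
    '"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '198.51.100.7 - - [18/Sep/2001:10:00:02 -0400] '
    '"GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Sep/2001:10:00:02 -0400] '
    '"GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209',
    '198.51.100.7 - - [18/Sep/2001:10:00:03 -0400] '
    '"GET /essay.html HTTP/1.1" 200 8833',
]

if __name__ == "__main__":
    by_ip, flood = analyse(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for ts, n in flood.items():
        print(f"flood: {n} probes in the second at {ts}")
```

Counting by source address is what lets an operator distinguish a handful of scattered probes, which are background noise on any public server, from the thousands-per-second flood that the essay says approximated a denial-of-service attack.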
Perpetrator of Nimda
To the best of my knowledge, the author of the Nimda worm was never identified,
so there can be no legal consequences for him.
The code for Nimda contains a copyright notice stating that
it originated in communist China, but I have seen no confirmation
that this statement is correct.
The anti-virus software vendor Trend Micro
reported on 14 May 2002 that a total of 1.2 × 10^6
computers worldwide had been infected with Nimda.
The anti-virus software vendor Sophos reported Nimda as the most
prevalent malicious program in the year 2001: Nimda accounted for
27% of the reports to Sophos.
BadTrans.B worm
The BadTrans.B worm was discovered on 24 Nov 2001.
There was an epidemic from late November 2001 through early January 2002.
This worm did the following things to a victim's computer:
- installs a Trojan Horse program to record the victim's keystrokes
that are typed into any window with a title that begins
PAS[sword], LOG[on], or four similar words
that indicate an attempt to logon to some service.
This program later e-mailed the collected keystrokes (e.g.,
including username and password) to an e-mail address
specified in the Trojan Horse.
- finds yet unread e-mail in Microsoft Outlook on the victim's machine
and replies to those unread e-mails with a copy of the BadTrans worm
in an attachment to the reply. This novel feature of the BadTrans
worm increased the chances of propagation, since the recipient was
expecting a reply from the victim.
The From: address will be the victim's e-mail address
if the worm can find that information in the victim's computer,
otherwise
the From: address will be chosen from a list of
15 addresses, mostly with female names, contained in the worm.
These 15 addresses connected to real people,
who were selected by the author of the BadTrans worm.
One of them, Joanna Castillo,
posted a webpage about her experience.
Also, the now-defunct Newsbytes website had an
article
about the "e-mail hell" experienced by Castillo and one other
victim of the forged From: addresses.
Before sending copies with the victim's From: address,
the worm adds the underline character (i.e., _)
to the beginning of that From: e-mail address.
Such an additional character will prevent warnings from the recipient
from reaching the victim.
Also, any returned copies of the worm (e.g., because the worm
replied to spam that had an invalid, forged address) will not
reach the victim and inform him/her of the unauthorized sending
from his/her computer.
Some variants of the BadTrans worm also sent copies of the worm to
e-mail addresses found in previously read e-mail in the victim's inbox
or to addresses contained in files of types *.htm,
*.html, and *.asp in documents
downloaded from the Internet.
- exploits a defect in Microsoft Internet Explorer
that allows the worm to be launched without the victim opening
an attachment. The same defect was exploited earlier
by the Nimda worm.
BadTrans.B Perpetrator
To the best of my knowledge, the author of the BadTrans worm was never identified,
so there can be no legal consequences for him.
The anti-virus software vendor Trend Micro
reported on 16 May 2002 that a total of 2.1 × 10^5
computers worldwide had been infected with BadTrans.B, which was
only about 1/5 the number of computers that TrendMicro reported
as infected with Sircam or Nimda, which also appeared in the year 2001.
However, the anti-virus software vendor Computer Associates reported
BadTrans.B as the most prevalent malicious program in the year 2001.
On 2 Dec 2001, MessageLabs filtered BadTrans.B from
one in every 57 e-mails, the second-highest daily infection rate seen by MessageLabs.
On 17 May 2002, MessageLabs reported the BadTrans.B worm was
the all-time third-most-common malicious program in e-mail.
Klez
The original Klez program appeared on 26 October 2001.
A number of variants appeared later, of which the most significant were the
E variant that first appeared on 17 January 2002
and the H variant that first appeared on 17 April 2002.
The H variant caused an epidemic from about 20 April 2002
through June 2002, and became the most widespread
malicious program in the history of the Internet.
Klez has properties of both a computer virus and worm,
what the Norton Anti-Virus website calls a "blended threat".
There are a number of varieties of the Klez program and they
each do slightly different harms to the victim's computer.
Among these harms are:
- deposit a copy of an ElKern computer virus in the victim's computer.
The early versions of this virus destroy information in all files
on the victim's computer
on 13 March and 13 September of each year.
- the Klez program is released when the victim reads or
previews e-mail with Microsoft Outlook.
The same defect in Microsoft Internet Explorer was exploited earlier
by both the Nimda and
BadTrans worms.
- send copies of the Klez program via e-mail from the victim's computer,
as discussed in more detail below.
- attempts to disable many common anti-virus programs by
modifying the Windows registry file.
- on the 6th day of each odd-numbered month, attempts to
overwrite many different files on the victim's hard drive
with a pattern of all zeroes, thus destroying data in those
files.
- randomly selects a file of type .doc, .rtf,
.pdf, .jpg, among other possibilities,
to append to the attachment containing the Klez program,
thus possibly sending confidential information from the victim
to future victims.
This long list of harms shows that the author of Klez had a
truly malicious intent.
sending copies
The Klez program propagated by sending e-mail that contains Klez in an attachment.
The subject line, body of the e-mail, and name of the attachment were
randomly selected from a long list of possibilities contained in the
Klez program.
(This is unlike the Anna worm discussed above,
where the attachment always had the same name and could be easily
recognized by someone who had been warned by the news media.)
Some of the variants of Klez not only searched the Microsoft Outlook
e-mail address book (like the Melissa and ILOVEYOU programs),
but also searched the entire hard drive on the victim's computer
for e-mail addresses contained in files of types .txt,
.htm, and .html, amongst others. These file types include
webpages downloaded from the Internet and stored on the victim's computer,
and they may also include e-mail inboxes.
This searching the entire hard drive for e-mail addresses
was a significant progression in the thoroughness of malicious programs
in obtaining a list of e-mail addresses to receive a copy of
the malicious program.
Klez (like SirCam and Nimda) used its own internal e-mail program.
Some of the variants of Klez randomly selected one e-mail address in the list
to be the designated false source of e-mails containing
copies of the Klez program.
Copies were then sent to all of the remaining addresses on the list.
A wired.com news article says:
- The [Klez] virus arrives attached to an e-mail that typically
appears to have been sent by someone the recipient knew.
Many computer users say that friends, co-workers, and business
associates are angrily or patronizingly
accusing them of sending out viruses. Some victims say they
fear their professional reputations have been harmed.
This article quotes a public relations consultant
who was falsely accused by eight of her clients,
as well as potential clients,
for sending the Klez program to them: "I can't imagine
they will trust me with a campaign for a tech firm after this."
e-mail with false text
At least one version of the Klez program produced e-mail that
said that the attachment (which really contained the malicious Klez program)
was an "immunity tool" and that the attachment originated from
a specific, well-known anti-virus software vendor. According to the
Norton Anti-Virus
website, one version of these e-mails included the following text:
- Klez.E is the most common world-wide spreading worm. It's very
dangerous by corrupting your files. Because of its very smart
stealth and anti-anti-virus technic,most common AV software can't
detect or clean it.We developed this free immunity tool to defeat
the malicious virus. You only need to run this tool once,and then
Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real
worm,some AV monitor maybe cry when you run it. If so,Ignore the
warning,and select 'continue'. If you have any question,please mail to me.
This fraudulent text instructed victims to ignore the warnings of their
anti-virus (AV) software, which would otherwise have prevented their infection with Klez!
As with earlier malicious programs, you can not trust what
you read in e-mail written by criminals.
In connection with the SirCam text above,
I observed that grammar errors, punctuation errors (e.g., no space after commas
and periods in the Klez immunity tool message), and spelling errors
in a message apparently from a native speaker of English are suggestive
that the message has a forged From: address and that the
attachment may contain a malicious program.
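The cues the essay has collected for this lure (an attachment that is really a program, a body that claims to be an "immunity tool" and tells the reader to override the AV warning, and punctuation with no space after commas and periods) can be turned into a small triage check. The script below is an added example, not part of the essay or of any vendor product; the executable-extension list and the lure phrases are assumptions chosen for this illustration, and the sample messages are constructed, with the lure body taken from the text quoted above. The punctuation heuristic on its own will produce false positives for non-native writers, so it is treated as one signal among several rather than a verdict.

```python
import os
import re

# Attachment extensions treated as executable; an assumption for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}

# Phrases from the Klez lure quoted in the essay; an assumed list.
LURE_PHRASES = ("immunity tool", "ignore the warning", "av monitor", "anti-anti-virus")

# Constructed sample messages (not captured mail). The first body is the
# immunity-tool text quoted in the essay, including its missing spaces.
SAMPLES = {
    "klez_lure": {
        "attachment": "setup.exe",
        "body": (
            "Klez.E is the most common world-wide spreading worm. It's very "
            "dangerous by corrupting your files. Because of its very smart "
            "stealth and anti-anti-virus technic,most common AV software can't "
            "detect or clean it.We developed this free immunity tool to defeat "
            "the malicious virus. You only need to run this tool once,and then "
            "Klez will never come into your PC. NOTE: Because this tool acts as "
            "a fake Klez to fool the real worm,some AV monitor maybe cry when "
            "you run it. If so,Ignore the warning,and select 'continue'. If you "
            "have any question,please mail to me."
        ),
    },
    "benign_report": {
        "attachment": "q2-report.pdf",
        "body": "Hi Alice, attached is the Q2 report we discussed. Let me know "
                "if anything is missing. Thanks, Bob",
    },
    "benign_it_notice": {
        "attachment": "",
        "body": "Our IT department will push the new anti-virus update tonight. "
                "No action is needed on your part.",
    },
}


def count_missing_spaces(text):
    """Count commas followed directly by a letter and periods followed
    directly by a capitalised word. The period rule requires a lowercase
    letter after the capital so that names like 'Klez.E' are not counted."""
    return len(re.findall(r",(?=[A-Za-z])|\.(?=[A-Z][a-z])", text))


def triage(msg):
    """Return the list of findings and a verdict for one message."""
    findings = []
    ext = os.path.splitext(msg["attachment"])[1].lower() if msg["attachment"] else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable attachment " + msg["attachment"])
    missing = count_missing_spaces(msg["body"])
    if missing >= 2:
        findings.append(f"{missing} missing spaces after punctuation")
    lowered = msg["body"].lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    # Two independent signals are required before a message is flagged.
    verdict = "suspicious" if len(findings) >= 2 else "no action"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        result = triage(msg)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

The IT-notice sample shows why a single cue is not enough: it mentions anti-virus software legitimately, carries no attachment and is written cleanly, so it is not flagged, whereas the lure trips all three checks.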
Klez Perpetrator
To the best of my knowledge, the author of the Klez program was never identified,
so there can be no legal consequences for him.
The original Klez program in late October 2001 contained
a comment inside HTML code that said:
- I am sorry to do so,but it's helpless to say sorry
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now?
NO more than $5,500. What do you think of this fact?
Don't call my names,I have no hostility. Can you help me?
Articles at some anti-virus websites mentioned the suspicion that the author
lives in the Guangdong province of communist China.
A later version of the Klez program claims to be "made in Asia"
and the author boasts that he wrote the entire program in only
three weeks, so the program might not be free of defects.
These kinds of comments inside the Klez program make it appear
that the author regards his program as part of his professional
portfolio, in order to be hired as a computer programmer.
Shame on any software vendor that hires the author of a malicious program!
Ethical people are not favorably impressed by someone
whose portfolio harms other people.
The anti-virus software vendor Trend Micro
reported on 17 May 2002 that a total of 9.5 × 10^5 (950,000)
computers worldwide had been infected with either KlezE or KlezH.
On 17 May 2002, MessageLabs reported the KlezH program was
the all-time second-most-common malicious program in e-mail.
At that time, the epidemic was continuing
and the total number of infected computers was certain to increase substantially.
my second essay
A description of some malicious computer programs since mid-2002,
with emphasis on the nonexistent or lenient punishment for their authors,
and with links to legal documents, is contained in my
second essay.
Economic Damage
There are many different harms resulting from malicious programs:
- Many malicious programs delete or alter data in files
on the victim's hard drive. Recovering from such an attack
requires either the use of a backup copy or tediously regenerating
the data.
There will always be lost data after the last backup.
The amount of lost data will be less than one day's work,
if one makes daily backups. However, daily backups are rare
amongst computer users at home and in small offices.
That means most victims will lose days, or even weeks,
of wordprocessing and financial data. The value of that lost
data far exceeds the cost of the computer hardware.
- Many malicious programs alter the Microsoft Windows registry.
All of those alterations must be undone, in order to recover from
the malicious program.
Many malicious programs attach themselves to parts of the operating
system or applications programs.
In some cases (e.g., CodeRed), the best recovery is to reformat the hard disk drive,
make a clean installation of the operating system,
then install all of the applications software,
and finally copy all of the user's data files from backup media.
Such a process can take many hours if the user is familiar with the
process and has a recent backup copy of the data files.
Alternatively, if one has used special backup software that
copies the entire operating system (including hidden files),
all applications software, and all data files
onto recordable media (e.g., compact disks or a tape cartridge),
then one can use that media to recover more quickly.
- Malicious programs that propagate by e-mail
clog e-mail servers with millions of copies of a virus or worm,
thus delaying receipt of useful e-mail, or causing valid messages
to be lost in a flood of useless e-mail.
Some companies switch off their e-mail servers during epidemics
of malicious programs transmitted by e-mail, to prevent crashing
their server, but that makes valid e-mail undeliverable.
Many businesses rely on prompt delivery of e-mail for their routine
operation, and slow e-mail will cause financial losses,
such as the cost of lost productivity.
There is no definite information on the exact cost of recovering
from an epidemic of a malicious program.
A quick calculation shows that the damage inflicted by a malicious
program will be immense.
Some of these malicious programs infected more than 10^5
computers worldwide. If the cost of removing the program from each
computer is only US$ 200 (a very low estimate), then the total
harm exceeds ten million dollars.
This quick calculation shows that the cost of each widespread
malicious program will be more than US$ 10^7,
but we do not know how much more.
The estimated costs in the following table are from
Computer Economics
in January 2002.
Journalists who write news reports about malicious programs commonly use
damage estimates provided by Computer Economics.
name of program | estimated US$ cost
Melissa | 1.10 × 10^9
ILOVEYOU | 8.75 × 10^9
CodeRed | 2.62 × 10^9
SirCam | 1.15 × 10^9
Nimda | 0.635 × 10^9
The cost of recovery from malicious programs after ILOVEYOU was
reduced by the availability of software tools from anti-virus
software companies that automate much of the process of removing
a worm.
Sources of Information
Early History of Malicious Programs
The following online resources describe the early history of malicious programs:
There are also various books on this subject:
- Peter J. Denning, editor, Computers Under Attack,
Addison-Wesley, 1990. A collection of reprinted articles.
- Alan Solomon and Tim Kay, Dr Solomon's PC Anti-Virus Book,
Butterworth, 1994.
- Robert Slade's Guide to Computer Viruses,
Springer-Verlag, second edition, 1996.
Later Malicious Programs
Except for the early examples (i.e., before Melissa),
I have compiled the information in this essay from sources at:
- Various anti-virus software websites (particularly:
Computer Associates, F-Secure, McAfee, Norton/Symantec).
Links to these websites are found in my
webpage,
Current Computer Attacks.
- CNN
because retrieval of old news from this website is free,
unlike most newspaper websites in the USA.
News reports are not always technically accurate,
for example, journalists don't know the difference between a
computer virus and a worm.
- The Computer Emergency Response Team (CERT)
at Carnegie Mellon University.
In order to make this essay easier to read, I have omitted some file
types and other technical details in my description of the workings
of each malicious program. For more complete information, consult
the primary sources at anti-virus software websites.
Finally, there are differences amongst descriptions of nominally identical
worms at different anti-virus software websites. These differences
may be the result of different teams of experts examining different
variants of each worm.
Prevalence of Malicious Programs
Quantitative information on the number of computers (or number of files)
infected with a malicious program is difficult to find, because there
is no central place for all computer users to report their infections.
There are several sources frequently mentioned in this essay:
- Trend Micro
in Japan has statistical information and a
summary
of the number of computers infected worldwide by each virus or worm.
They get their statistics from their free online virus scanner
and their computer network management services.
Trend Micro's statistical database began 30 July 2000,
so it is only useful for recent infections, not for old incidents
like the Melissa virus or the ILOVEYOU worm.
- MessageLabs
is a commercial service that, since 1999, filters malicious programs
from large amounts of e-mail passing through its subscribers' systems.
MessageLabs posts current information on the percent of e-mail
that contains a computer virus or worm.
I notice appreciable differences amongst the reported prevalence of a given
virus or worm at different websites. The following are possible
explanations for such different data:
- Data at both TrendMicro and
McAfee Regional Virus Info
show that the distribution of viruses and worms is not homogeneous
throughout the world: there are real geographical differences
in the prevalence of each malicious program.
Each service that reports prevalence of viruses and worms
(e.g., TrendMicro, MessageLabs, etc.)
has a different global distribution of its customers, which
can account for some of the differences in their prevalence data.
- Other differences may be attributable to differences
in the relative number of malicious programs in
e-mail received by people at businesses,
compared to people in homes. People at businesses probably have
their e-mail addresses listed in e-mail address books on many
different computers, and also on several webpages;
while many people may have their home e-mail addresses
in only a few address books of their friends and on no webpage.
Thus, business e-mail addresses are more likely to be harvested as
the automatic targets of e-mail containing malicious programs,
such as Melissa, ILOVEYOU, SirCam, Nimda, BadTrans.B, Klez, etc.
- Still other differences may be attributable to variations in the type of
customers: some worms (e.g., CodeRed) target webservers,
other worms target individual users' computers.
Conclusion
Harms
It is at least reckless to release computer programs
that are designed to harm their victims.
For example:
- E-mail delivering these malicious programs is deceptively or fraudulently
labeled, so as to encourage victims to open an e-mail attachment containing
the malicious program.
- Many malicious programs delete or alter data in files
on the victim's hard drive, a result that has no benefit
to the author of the malicious program,
except glee in harming other people. This is clearly a criminal act
by the author of the malicious program.
- There is an enormous total cost
of removing the virus or worm from many computers.
Some of these malicious programs infected more than 10^5
computers worldwide. If the cost of removing the program from each
computer is only US$ 200 (a low estimate), then the total
harm exceeds ten million dollars.
Releasing a rapidly spreading virus or worm should be a major crime,
worse than a bank robbery.
- Beginning with the Melissa virus in March 1999, many of these
malicious programs sent copies of the program in e-mail bearing
the victim's From: address, when the victim had neither
composed the e-mail message nor authorized the transmission.
I believe that such sending of e-mail is, or ought to be,
a criminal act.
Malicious programs like Melissa and Anna automatically sent
e-mail using the name of a previous victim.
While such e-mail really originated from the victim's machine,
the transmission was made without either the knowledge or permission of that victim.
This feature increased the chances that the recipient of the e-mail
would open the attachment and release the new copy of the malicious program,
because the recipient knew, and presumably trusted, the person
who apparently sent the e-mail.
Later malicious programs sent copies of themselves in e-mail with
false From: addresses, which is one step worse than
Melissa and Anna. For example,
if the BadTrans.B worm could not find the victim's e-mail address book,
that worm selected a false From: address from a list of 15 addresses
contained inside the worm. Some variants of the Klez program
did a total forgery of e-mail From: addresses,
so copies of Klez were apparently sent from
people whose machines did not contain Klez.
Such false designations of origin cause innocent people to be accused of
spreading a malicious program, and also damages their reputation
by falsely presenting them as someone who recklessly does not
have current anti-virus software running on their computer.
Specific examples of such harm were given above for the
Nimda,
BadTrans.B, and the
Klez programs.
- Malicious programs that propagate by e-mail will
clog e-mail servers with millions of copies of a virus or worm,
thus delaying receipt of useful e-mail, or causing valid messages
to be lost in a flood of useless e-mail. Many businesses rely on
prompt delivery of e-mail for their routine operation,
and slow e-mail could cause financial losses.
As evidence of mens rea (i.e., criminal intent) one should consider
not only the design of the malicious program to do the above harms,
but also the design of the malicious program to evade or to defeat
anti-virus software. Many modern computer viruses or worms are
polymorphic, which means that every copy is different,
so they can not be detected merely by searching a computer file
for a fixed sequence of bytes. Some modern malicious code
modifies the Windows registry to disable anti-virus software,
which is an unauthorized modification of the victim's computer.
Criminals who write such malicious software are not doing a
prank: they are designing a crime.
Punishment
Despite the immense value of the harm caused by each of these
malicious computer programs, the author of the program
received either light punishment (e.g.,
Morris,
Smith, and
de Wit)
or no punishment (e.g., the authors of ILOVEYOU, CodeRed,
Sircam, Nimda, BadTrans, Klez, etc.).
Alone amongst authors of malicious programs,
Pile received what I consider
a reasonable punishment.
In May 2002, the Norton Anti-Virus software for Windows operating systems
detected about 61000 malicious programs.
Astoundingly, there have been criminal prosecutions and convictions
of the author(s) of only five malicious programs.
(See above.)
There are several reasons for the rare arrest and prosecution:
- Legislators had not yet passed criminal statutes that
effectively proscribe writing and distributing malicious programs.
- Police departments have a budget that is too small
to permit an investigation of all crimes, so the focus
is on major violent crimes (e.g., homicides, rapes) and larceny.
Police departments are generally not hiring detectives with an education
in computer science.
In the few arrests of authors of malicious programs, clues
to the authors' identities were supplied by programmers employed
by anti-virus software vendors.
- Finally, there is the international nature of distribution of
software by the Internet and sending malicious programs as attachments
to e-mail. Traditional criminal law is inherently local:
a burglary in state X requires the criminal to be physically
present in that state. With malicious programs, the author could be
in a foreign country (e.g., Philippines in the ILOVEYOU incident,
Netherlands in the Anna worm, possibly China in the Klez program),
but the harm can occur in all fifty states of the USA.
The legal system has so-far been unable to respond effectively
to this international challenge.
Apparently, a substantial fraction of malicious programs are
created by people in developing countries that have weak or ineffective
legal systems (e.g., writing malicious programs may not be a crime,
the police and judges may be corrupt, etc.).
Even if the legal system in the USA were to respond effectively to
computer crime, authors of malicious programs in foreign countries
are still out-of-reach of the legal system in the USA,
despite causing harm in the USA.
The lenient punishment of authors of malicious programs is caused by:
- Lack of resources (e.g., prosecutors, judges, and courtrooms)
for the prosecution of all criminals. Hence, most criminal cases
must be disposed of by plea bargains.
- Prosecutors and judges lack an education in science and technology
(most of them took the minimum amount of science and mathematics
classes in high school and college), so they
are eager to dispose of cases involving "complicated technology"
with plea bargains.
The criminals exploit this eagerness by negotiating for a very
lenient sentence in return for their guilty plea.
- As I noted in my essay on
computer crime, nonviolent
white-collar criminals have been traditionally treated more
leniently than lower-class criminals, who are often violent.
- It is difficult to know the amount of damage from a widespread
computer virus or worm, with the precision required for admission
of evidence in a court. If only a small amount of damage
can be proved in court, then the author of the malicious
program will receive a lighter sentence than he deserves.
Corporate victims of computer crimes are often reluctant to
disclose the amount of damage done, perhaps because such
admissions might erode public confidence in the company's
technical competence, which might cause customers/clients to flee
to competitors.
It is even more difficult to quantify the amount of damage
done to individual computers in people's homes.
If N computers are infected and the average cost of removing
the virus or worm from one computer is $ M, then the total
damage is $ N × M. In practice,
neither N nor M is known with the precision required for admission
of legal evidence in court. In April 2002, I could not
find any website for reporting infection by a malicious program,
so N is unknown. Neither could I find any website for reporting
the cost of removing an infection. Since the FBI and other
law enforcement agencies are not collecting this information,
damage to individual computers is being ignored.
I expect damage to home computers to be large, because
people in homes tend not to update their anti-virus software frequently,
unlike corporate networks where anti-virus software is updated
regularly by trained computer specialists.
An additional issue, which receives little attention, is the
presence on the Internet of resources for creating malicious programs,
such as was used to create the Anna worm in a few hours.
Should authors and distributors of such resources be held
criminally liable for aiding and abetting the creation of malicious programs?
The obvious answer would appear to be Yes!
However, the issue is complicated by the fact that some resources
might also have legitimate uses (e.g., studying malicious code,
so better anti-virus software can be designed).
Legislators are not yet ready to restrict some programming tools
and software only to licensed programmers, the way
we make [potentially dangerous] drugs legally available
only on prescription from a licensed physician.
In fact, computer programmers in the USA are not currently licensed
by the government, the way that other professionals
(e.g., physicians, engineers, attorneys, accountants, etc.)
who affect the public health and safety are licensed.
A practical solution to malicious computer code distributed by e-mail
would be for Internet Service Providers (ISPs) to use current anti-virus
software to scan all e-mail, both e-mails sent by their customers
and e-mails received by their customers. As a practical matter, it
makes more sense for the few ISPs to run anti-virus software
(including daily updates of the virus definitions)
than for millions of customers, many of whom have a low level of
competence with computer software and hardware. I stress that
this is a practical matter, not a legal obligation for ISPs.
In conclusion, the international criminal justice system has
failed to arrest, punish, and deter people
from writing and releasing malicious software.
I hope that readers will urge their legislators:
- to enact criminal statutes against authors of computer
viruses and worms, with punishment to reflect the damage done
by those authors, and
- to allocate more money to the police for finding and arresting
the authors of malicious computer programs.
this document is at http://www.rbs2.com/cvirus.htm
revised 5 Oct 2002, revised links 19 Jan 2008