April 2, 1999

AOL Records Sought on Virus

Federal agents hunting for the author of the Melissa computer virus obtained a court order seeking background information from America Online yesterday, one day after seizing a computer from a Florida Internet access provider that may contain clues to the origin of the virus.

The Melissa virus, which emerged last Friday, can spread exponentially because it automatically sends itself from one recipient's e-mail account to as many as 50 others. It has spread more quickly than any other computer mutation in history, infecting more than 100,000 computers in five days, computer security experts have said.

The search for the creator of the virus has focused on a small group of virus writers who use monikers including VicodinES and ALT-F11. Those nicknames have been associated with several key aspects of the release of the virus and with virus-creation in general.

The Web page for VicodinES touted the ability of its author as a "noted virus researcher," and cited several viruses he had created. It was published on a computer kept at Access Orlando, a small Internet service provider in Orlando, Fla.

The computer, known as a Web server, held a loose collection of sites called SourceofKaos, which included dozens of other sites of virus writers and collectors. Access Orlando does not own the computer, but leases space to its owner, Roger Sibert, for $150 a month.

But on Wednesday, FBI agents asked Access Orlando to remove the server from the Internet as a way to preserve any evidence of Melissa's origin that it might contain, according to Ron Spohn, projects manager for Access Orlando. Spohn said he acceded to the FBI's request after it showed him documentation that it was illegal to tamper with data that may be used in the criminal investigation.

Spohn said the FBI later confiscated the computer. "They were going to look for clues on the actual machine itself," Spohn said, referring to digital evidence preserved in the computer's logs that could be traced to VicodinES.

Sibert, the operator of the SourceofKaos sites, said he did not personally know VicodinES, but had exchanged e-mail with him in the past. Sibert said that he allows people with unpopular views to use his Web server to post sites on the Internet and that many of the roughly 80 sites belonged to virus writers or virus collectors.

The FBI declined to comment on Access Orlando or on any other aspect of the investigation, except to confirm that it is conducting one.

America Online said Thursday that it had received a court order regarding the Melissa virus from a Federal law enforcement agency, but declined to specify the information sought by the court order. "Our policy is to cooperate when presented with a formal request," said Wendy Goldberg, an AOL spokeswoman. The FBI declined to confirm that it was the agency that obtained the court order.

Computer security experts searching for VicodinES said it appeared he used an AOL account last Friday morning in first posting the virus to the Internet. The AOL account belongs to a Seattle-based civil engineer, Scott A. Steinmetz, who said his account was apparently broken into to post the virus.

Steinmetz, 36, said he was not the subject of an FBI investigation. "It sounds like somebody took my password and has been trashing me on the Internet and has also created a notorious computer virus," he said.

Since his account was identified as a possible source of the virus, "every hacker in the world has sent me an e-mail," he said. "Some of them congratulated me and some of them had nastier things to say." He said he was "stockpiling" the messages for investigators if they want them.

Meanwhile, officials from Global Connection, a small Internet provider in Kingsport, Tenn., said they also received a call from the F.B.I. on Thursday in connection with the Melissa investigation. Global Connection is the company that hosted the Web site of, an organization that includes some virus writers and to which VicodinES apparently once belonged.

Alex Potts, sales and marketing manager for Global Connection, said the company already had decided to disconnect the Web page from the Internet on Tuesday to "err on the side of caution." He said the company had read news reports and received e-mails that connected the site to the Melissa virus.

Matt Richtel at welcomes your comments and suggestions.

Copyright 1999 The New York Times Company