A Minnesota teenager appeared in court on Friday to face charges stemming from the release of a variant of the virulent W32.Blaster internet worm.
Jeffrey Lee Parson, 18, was arrested on Friday morning. He was tracked down by a joint federal task force that involved members of the FBI and the US Secret Service.
The variant, W32.Blaster-B, appeared on 14 August, three days after Blaster-A first appeared, and was almost identical to the original worm, except for its file name, teekids.exe, as opposed to msblast.exe.
Teekid was also an online handle used by Parson.
The federal law enforcement agencies first got on the trail of Blaster-B's author by tracking down ownership of an internet domain, www.t33kid.com, which the Blaster-B worm used to download instructions and report on infected hosts.
That chase led from a San Diego web wholesale internet services provider, California Regional Internet, to a small web hosting provider in Texas and, from there, to ISP Time Warner Cable, which provided Parson's father's home broadband account in Minnesota.
Time Warner provided the FBI with Parson's address and federal agents raided his home on 19 August, seizing seven computers from the house.
The results of a forensic analysis of those computers are still pending, but the complaint says that during an interview that day, Parson admitted to modifying the Blaster worm and creating the Blaster-B worm variant, naming it "teekids.exe" after his online name.
Parson further admitted to outfitting the new worm with a backdoor Trojan program, named "Lithium" so that he could reconnect to infected computers.
Blaster-A first appeared on 11 August and exploited a widespread vulnerability in Microsoft's Windows operating system.
Virus experts were surprised that Parson was traced.
"I think it gets back to how they caught him," said Chris Wraight, a technology consultant at Sophos. "It wasn't digital forensics, but the human intelligence. They did it the old-fashioned way, with human intelligence."
However, Wraight was not surprised to learn that the suspect in the Blaster-B case was a teenager.
He and others long maintained that Blaster's blatant copying of proof-of-concept code meant that Blaster was the work of a novice virus writer, rather than a pro. Wraight added that the alleged modification of that code by Parson was typical.
"This clearly shows what happens in the virus world - people take and modify other people's code and try to go one up each other. But most of these guys are not too swift and they get caught because of an error," Wraight said.
While most worm authors are careful to cover their tracks and escape capture, those who are caught face toughened computer crime laws in the US and Europe.
In July, a UK court rejected an appeal by 22-year-old Simon Vallor, who was sentenced to two years in prison for writing and releasing three e-mail worms.
In less developed countries, however, there are few laws governing cyber crimes, Wraight said.
The author of one of the most destructive viruses, LoveBug, never faced charges because the Philippines lacked laws on its books to prosecute him.
If Parsons is found guilty, he could face between five and 20 years in prison and be asked to pay "thousands of dollars" in damages.
No specific damages figures were available for the Blaster-B variant, but the complaint refers to more than 7,000 computers being infected with the Blaster-B variant.
The complaint includes statements by Microsoft representatives that the company "expended significant internal and external (contracted) resources to respond to the distributed denial-of-service attack launched by Parson's worm against the www.windowsupdate.com site, far in excess of $5,000".
Paul Roberts writes for IDG News Service