08 Nov 2006

Fathers 4 Justice worm author escapes jail

Matthew Byrne also hacked into accounts on a dating website

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have questioned whether courts are giving consistent sentences to hackers following the ruling against a 38-year-old British man who broke into a dating agency website and distributed computer viruses.

Matthew Byrne, from Kirkby-in-Ashfield, Nottinghamshire, has been given an eight-month sentence, suspended for two years, after pleading guilty to writing the Mirsa viruses, which posed as messages from the Fathers 4 Justice campaign group, and to hacking accounts belonging to users of dating website loveandfriends.com. As the sentence is suspended, Byrne has walked free and avoided jail.

"The Computer Crime Unit at Scotland Yard should be congratulated for bringing another hacker to justice, but one must question whether the legal system is dealing with virus writers in a consistent fashion," said Graham Cluley, senior technology consultant for Sophos. "In 2003, 21-year-old Welsh virus writer Simon Vallor received a two-year jail sentence from the same judge, and more recently the British Government has approved the extradition to the USA of alleged NASA hacker Gary McKinnon. Is there a danger that conflicting messages are being sent to the hacking community by Byrne escaping jail time?"

The W32/Mirsa-A and W32/Mirsa-B worms arrive as an attached file in an email. Emails carrying the Mirsa-A variant pretend that the malicious attachment is a resume or curriculum vitae, whereas the Mirsa-B variant uses subject lines such as "How NOT to get Promotion", "Memorandom to all staff", "Urgent Document", "Extremely Important", and "Private and personal".

If the attached file is run, the worm will email itself out to addresses found in the Windows Address Book and copy itself into files on the infected user's hard drive. The worms also attempt to drop a section of text onto the user's hard drive.

Text dropped by W32/Mirsa-A into a Word document:

Fathers 4 Justice
Coded by UK Digital Binary Division
UK Government will listen Fathers 4 Justice
respect to:
RanSid
DILENGER
NEWORDER
KJ
VosLar

Text dropped by W32/Mirsa-B into a Word document:

We are NOW supporting Fathers 4 Justice
Tony Blair: you really should LISTEN to us or we will take further action
LeftPara
VosLar
ManTak
DILENGER

A file called Fathers4Justice.txt is created on the user's desktop by W32/Mirsa-B containing the following text:

UK Digital Binary Division
MRSA: coded by the UK Digital Binary Division
we support Fathers-4-Justice

W32/Mirsa-B also creates an internet link on the user's desktop to the Fathers 4 Justice website.

A clue in the code

Sophos reported in January 2005 on a clue buried inside one of the Mirsa worms which suggested the author was from the Sheffield area. Hidden inside the W32/Mirsa-A virus, and not normally displayed to the infected user, is a section of text: "sheffield hallam university is corrupt".

"It was a stupid message for Byrne to include inside his worm. Sure enough, at the time of his arrest, he was living in Sheffield," continued Cluley.

[Image: Hidden inside the W32/Mirsa-A worm is a message about Sheffield Hallam University]

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses, spyware and spam.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.