Melissa virus writer pleads guilty

Sophos Press Release
David L Smith
David L Smith pleaded guilty to his involvement in creating and spreading the Melissa virus

Computer programmer David L. Smith pleaded guilty on Thursday December 9th 1999 in USA courts for his role in creating and distributing the Melissa macro virus.

Smith, 31, released the Melissa virus in March 1999 by deliberately posting an infected document to an usenet newsgroup from a stolen AOL account. The virus, believed to be named after a stripper Smith had known in Florida, forwards itself to the first 50 addresses in all of your accessible Outlook address books. It also occasionally corrupts documents by inserting the text 'twenty-two, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.'.

According to ZDNet companies such as Microsoft, Intel, Lockheed Martin, and Lucent Technologies were forced to shut down their email gateways because of the large amount of email the virus was generating.

Smith appeared at Monmouth County Superior Court, New Jersey, and pleaded guilty to one count of computer theft in the second degree.

Smith also appeared in the Newark US District Court where he pleaded guilty to one federal count of computer fraud and abuse. He acknowledged in his federal plea agreement that the Melissa virus caused more than $80 million in damage to North American businesses.

"I did not expect or anticipate the amount of damage that took place. When I posted the virus, I expected that any financial injury would be minor and incidental," Smith told Judge John Ricciardi of Monmouth County Superior Court, "In fact, I included features designed to prevent substantial damage... I had no idea there would be such profound consequences to others."

When Judge Ricciardi asked Smith whether he agreed that deliberately releasing the virus on the net did result in those consequences, he replied, "I certainly agree. It did result in those consequences."

David L. Smith's state court sentencing is scheduled for February 18, 2000, with federal court sentencing planned for May 15th 2000. He faces a maximum sentence of 10 years in jail, and a possible fine total of $400,000.

"A very clear message needs to go out to virus writers," said Graham Cluley, senior technology consultant for Sophos Anti-Virus, "Spreading viruses can result in substantial financial damage. The authorities are prepared to investigate people deliberately spreading viruses and bring them to justice. It's time for people to grow up and start acting as responsible members of the electronic community."

Smith is not the first virus writer to be punished by the authorities. On November 15 1995, Christopher Pile (alias "The Black Baron") appeared for sentencing for eleven offences under the Sections 2 and 3 of the Computer Misuse Act at Exeter Crown Court, England. Pile had already pleaded guilty to all charges and was sentenced to eighteen months in prison.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at