Premium rate virus writer sentenced after stealing 104,000 Euros in three days, Sophos reports

Sophos Press Release

The creator of the Marq email worm has received a 14 month sentence and been fined 3,000 Euros for writing a computer worm which dialled premium-rate phone numbers, which tried to steal over 100,000 Euros (approximately £71,000).

The man wrote the W32/Marq-A email-aware worm (also known as Voltan or Zelig) to direct innocent computer users to a website where a malicious program posing as a screensaver could be downloaded. If run, the worm would change the phone number used for accessing the internet to a premium-rate number based in Aruba in the Dutch Antilles at the cost of 1.80 Euros per minute.

It is claimed that more than 57,000 minutes were logged on the premium-rate number in just three days at the end of October 2003. If the virus had been allowed to continue, it is estimated that 1.2 million Euros would have been stolen every month.

The Italian financial police were able to freeze the money accrued by the worm, which was first sent to a New York bank account, then transferred via Venezuela before ending up in an account belonging to a "ghost" company in Aruba.

The crime was discovered and blocked after the man, who although born in Pisa lives in Venezuela, came to Italy to increase the number of premium rate telephone connections.

The virus writer, who was aged 39 at the time of his arrest by the Italian authorities in November 2003, is thought to have avoided a harsher sentence because it was his first offence and he co-operated with the authorities in their investigation.

The Marq worm arrived in the form of an email with the subject line "The moment is cathartic", written in Italian, directing users to download what was claimed to be a screensaver called zelig.scr. Flavio Oreglio, one of the stars of the Italian TV comedy show "Zelig", is the author of a book called "The moment is cathartic" and it is suspected that this encouraged some Italian-speaking people to download the malicious program.

"More virus writers are being caught and convicted than ever before, and the Italian authorities did well to cut this worm's author down to size," said Graham Cluley, senior technology consultant for Sophos. "Increasingly we are seeing viruses and worms which are designed to steal money or resources from the infected computers of innocent people. Everybody should make defence of their computers a priority if they wish to connect to the internet."

Sophos recommends companies protect themselves with a consolidated solution which can defend businesses from the threats of both spam and viruses.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at