The National Infrastructure Protection Center (NIPC), the Federal Bureau
of Investigation (FBI), the Washington Field Office of the FBI, the
Department of Justice Computer Crime and Intellectual Property Section
and New Scotland Yard, United Kingdom (UK), announced today that a 24
year old male was arrested on July 23, 2001, in the UK for violation
of the "Computer Misuse Act 1990." This announcement was delayed to
avoid potentially comprising the ongoing investigation. This individual
who, under British Law, cannot be identified at this time, was arrested
in connection with designing and propagating malicious code, known as
the W32-Leave.worm, or Leaves worm, into Windows-based computer systems.
This individual has been released from custody and ordered to return
to New Scotland Yard on September 24, 2001.
On June 23, 2001, the NIPC issued "Advisory 01-014," "New Scanning Activity
(with W32-Leave.worm) Exploiting SubSeven Victims," regarding this activity.
This particular worm allowed the intruder access to an infected system
while the victim machine was connected to the Internet. It is believed
that home-users' computers, without updated anti-virus software, were
the systems primarily infected by this worm. Current anti-virus software
will detect the presence of the W32-Leave.worm. Full descriptions and
removal instructions can be found at various anti-virus web sites.
This malicious code was discovered by the analytical efforts of the
employees of the Systems Administration and Network Security (SANS)
Institute and reported by SANS to the NIPC. This arrest came as a result
of a joint FBI/New Scotland Yard, UK, investigation, and illustrates
the benefits of law enforcement and private industry working together.