Thanks for the AP, A_T.
Still, even the possession of the code of a virus can still have legitimate purposes. The code of the Melissa virus, for example, has been available on the Internet and you might still be able to find it somewhere. I've heard about the Christmas virus that spread around 15 years ago or maybe even longer. If I heard correctly, the creator of that "Christmas" virus just wanted to wish 'Merry Christmas' to as many people as possible, within his company. (IBM) So he wrote something that would read the address book of the user to send itself to everyone in that address book.
Which of course ended up in half the company mailing the other half of the company and thus a mailserver that seriously needed antidepressiva...

As I said, people should be judged based on their actions, not on what they happen to possess. So it's fine if you have the sourcecode of some virus. You can learn a lot from it, sometimes. Especially when you yourself are interested in programming and software development. The code of a virus can tell you about possible vulnerabilities in your code. Buffer overflow errors, for example. In the past, no one was really aware of the risks of this. Nowadays, it's considered a very huge risk. Even worse, a buffer overflow would theoretically allow badly-written code to execute arbitrary code in a data file. This happened with Microsoft in their JPeG-decompression libraries. As a result, *.jpg files can now be used to infect other systems and thus have to be classified as containing a possible virus... (Microsoft patched this, though, although not everyone has installed this patch.)

I myself are interested in hacking, but from the security pointview. I want to know how hackers work so I can avoid falling into their traps. As such, I am a bit of a hacker myself (must remind myself to buy a white hat) and I even have some books about this topic too. I even have a book about computer viruses that's about 16 years old, I think. (Gift from my dad.) It talks mostly about those old MS-DOS viruses but it also has plenty of example code about how they work, internally.

Let's compare it to a real-life example then. Say, you're a security guard. Would your chances of keeping an area secure increase if you know how criminals can break into a building? If you know how to detect a weak spot in a security system? If you know how security systems can be bypassed? I think it does.
An experienced security guard might become suspicious if one security camera temporarily displays some snow before it gives a normal image back. He knows someone might have tampered with the signal at that point and thus he (hopefully) will check it out.
An inexperienced guard will probably think everything is okay, while in the meantime some robber might have switched the signal from the camera with that of some VCR system. This gives him a chance to rob the system and then get away with it.

I think that everyone who uses a computer should be aware of possible security risks. Especially when they start using this computer for their online banking and to make online purchases. I also think we need a lot of online security guards just to keep the Internet safe. I'm still just a trainee but I know that for me to become real good at keeping things secure, then I will need to know how a virus or a worm works, exactly.

So basically, I think there should be no punishment for possession of malware. Neither should there be a punishment if you use this malware on your own systems only. However, punishments are required if you spread around this malware and the punishment should be related to the amount of damage caused by this malware.