Five Israelis charged over Goner

Police in Israel have charged five teenagers for writing and disseminating the Goner virus

Five Israeli minors have been charged for allegedly creating the Goner virus, according to reports.

According to the newspaper Ha'aretz,, the five have been charged in the Haifa District Court with willfully causing damage to computers belonging to companies and private individuals, both in Israel and abroad, by writing and disseminating computer viruses over the Internet.

Four of the accused are 10th and 11th graders from Nahariya, and the fifth is an 8th grader, also from the north of Israel, said the newspaper. One of the minors was charged with writing the virus, while the others were charged with disseminating it.

It was not clear whether they included the four teenagers who were taken into custody in mid-December on suspicion of writing the virus.

The Goner worm spread rapidly in December 2001 by email and, once activated, it shut down antivirus and firewall protection on infected PCs. At the time security experts suspected that it was the work of "script kiddies" -- inexperienced malicious programmers. Goner's pop-up displays look like a typical script-kiddie Web site defacement, complete with the typical script kiddie "greetz".

According to the indictment, one of the defendants wrote a virus targeting users of chat rooms; however, the virus failed to cause the intended damage and the defendant, therefore, wrote a new one, based on the code of the Melissa virus, which caused tens of millions of dollars in damages when it was disseminated in the United States in 1999. The defendant named his virus Gone (Goner).

Goner arrives by ICQ or email bearing a subject line of "Hi" with the body text of "How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!" The attached file is gone.scr.

The payload of Goner is written in Visual Basic 6, packed with a UPX file compressor, and is 39KB in size. If executed, the worm makes copies of itself in the Windows System directory under the name gone.scr. It also adds itself to the registry so that it executes each time the computer reboots.

Goner uses the Outlook Address Book to find addresses to which it emails copies of itself. If ICQ, a favourite program of script kiddies, is also present on the infected computer, Goner will attempt to spread copies of itself through that service as well.

Besides displaying a message taking credit for the worm -- "Pentagone coded by: suid tested by: ThE_SkuLL and Isatanl" -- and a traditional script kiddie greetz -- "greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are" -- the worm also displays a fake error message. Goner disables antivirus software and firewalls.

In order to distribute the virus, said Ha'aretz, the other four defendants presented the virus on various Internet forums as a screensaver. The indictment says that the virus caused servers to crash at various organisations including NASA.

Robert Vamosi contributed to this report.


For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All