Home & Office

Four held in Israel for Goner virus

Four teenagers have been held in custody over the weekend for unleashing the destructive email worm
Written by Wendy McAuliffe, Contributor

Four Israeli teenagers have been remanded in custody on suspicion of writing the malicious Goner email worm, which is thought to have spread more rampantly than last year's infamous Love Letter virus.

The high school students, aged 15 and 16, were arrested on Friday night, and were expected to remain in a Tel Aviv jail until Monday. Evidence that linked the boys to the Goner worm (so called because of its reference to what it calls the "Pentagone") was presented to the Northern Branch of the Anti-Fraud Squad on Wednesday. The investigation remains in progress, but under Israeli law, the minors could face between three and five years in jail for distributing such a destructive virus code.

Antivirus firm MessageLabs has detected 6342 incidents of Goner in the last 24 hrs, and more than 133,000 international cases since the worm was first detected on 4 December.

Goner is a mass-mailing Internet worm, written in Visual Basic Script (VBS), and is compressed into the UPX (Ultimate Packer for eXecutables) format, making it harder for antivirus software to detect. It arrives as an email with the subject line "Hi", and disguises itself as a screensaver.

It contains the text: "How are you? When I saw this screensaver, I immediately thought about you. I am in a harry, I promise you will love it!"

When the file is opened in Microsoft Outlook, Goner will attempt to terminate a number of antivirus products installed on the infected computer, and will then delete all files from any directory containing files of those names. Goner also uses the Inernet Relay Chat application called mIRC to install a backdoor, which can be used to launch a Denial of Service (DoS) attack on IRC channels, and on other uses connected to the same IRC channel as the infected user.

The first incident of Goner was detected in the US last Tuesday, but antivirus companies had been receiving a large number of reports from France. The minor spelling error in the body text had indicated that the virus author was not English.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards