Computer Crime Research Center

Israeli teens charged over Goner worm
(By Matt Loney Staff Writer, CNET

Five Israeli minors have been charged for allegedly creating the Goner virus, according to reports. According to the newspaper Ha'aretz,, the five have been charged in the Haifa District Court with willfully causing damage to computers belonging to companies and private individuals, both in Israel and abroad, by writing and disseminating computer viruses over the Internet.

Four of the accused are 10th and 11th graders from Nahariya, and the fifth is an 8th grader, also from the north of Israel, said the newspaper. One of the minors was charged with writing the virus, while the others were charged with disseminating it.

It was not clear whether they included the four teenagers who were taken into custody in mid-December on suspicion of writing the virus.

The Goner worm--also known as Pentagone and Gone--spread rapidly in December 2001 by e-mail and, once activated, it shut down antivirus and firewall protection on infected PCs. At the time security experts suspected that it was the work of inexperienced malicious programmers, known as "script kiddies." Goner's pop-up displays look like a typical script-kiddie Web site defacement, complete with the typical script-kiddie "hello" to others in the Net underground--a hacker habit known as "greetz".

According to the indictment, one of the defendants wrote a virus targeting users of chat rooms. However, the virus failed to cause the intended damage and the defendant wrote a new one based on the code of the Melissa virus, which caused tens of millions of dollars in damages when it was disseminated in the United States in 1999. The defendant named his virus Gone (Goner).

Goner arrives by ICQ or e-mail bearing a subject line of "Hi" with the body text of "How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!" The attached file is gone.scr.

The payload of Goner is written in Visual Basic 6, is packed with a UPX file compressor, and is 39KB in size. If executed, the worm makes copies of itself in the Windows System directory under the name gone.scr. It also adds itself to the registry so that it executes each time the computer reboots.

Goner uses the Microsoft Outlook e-mail client's address book to find addresses to which it e-mails copies of itself. If ICQ, a favorite program of script kiddies, is also present on the infected computer, Goner will attempt to spread copies of itself through that service as well.

In addition to displaying a message taking credit for the worm--"Pentagone coded by: suid tested by: ThE SkuLL and Isatanl"--and a traditional script kiddie greetz--"greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are"--the worm also displays a fake error message. The Goner worm also disables antivirus software and firewalls.

In order to distribute the virus, said Ha'aretz, the other four defendants presented the virus on various Internet forums as a screensaver. The indictment says that the virus caused servers to crash at various organizations including NASA.


Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907