August 6, 2002 11:45 AM PDT
Israeli teens charged over Goner worm
According to the newspaper Ha'aretz, the five have been charged in the Haifa District Court with willfully causing damage to computers belonging to companies and private individuals, both in Israel and abroad, by writing and disseminating computer viruses over the Internet.
Four of the accused are 10th and 11th graders from Nahariya, and the fifth is an eighth grader, also from the north of Israel, said the newspaper. One of the minors was charged with writing the virus, while the others were charged with disseminating it.
It was not clear whether they included the four teenagers who were taken into custody in mid-December on suspicion of writing the virus.
The Goner worm--also known as Pentagone and Gone--spread rapidly in December 2001 by e-mail, and once activated, it shut down antivirus and firewall protection on infected PCs. At the time, security experts suspected that it was the work of inexperienced, malicious programmers, known as "script kiddies." Goner's pop-up displays look like a typical script-kiddie Web site defacement, complete with the typical script-kiddie "hello" to others in the Net underground--a hacker habit known as "greetz".
According to the indictment, one of the defendants wrote a virus targeting users of chat rooms. However, the virus failed to cause the intended damage, and the defendant wrote a new one based on the code of the Melissa virus, which caused tens of millions of dollars in damages when it was disseminated in the United States in 1999. The defendant named his virus Gone (Goner).
Goner arrives by ICQ instant message or by e-mail bearing a subject line of "Hi" with the body text of "How are you ? When I saw this screen saver, I immediately thought about you I am in a harry, I promise you will love it!" The attached file is gone.scr.
Goner's 39KB payload is packed with the UPX file compressor. When executed, the worm copies itself into the Windows system directory under the name gone.scr. It also adds itself to the registry so that it executes each time the computer reboots.
Goner e-mails copies of itself using the Microsoft Outlook e-mail client's address book. It also uses ICQ to spread copies of itself from the infected computer.
The worm displays a message crediting its creators--"Pentagone coded by: suid tested by: ThE_SkuLL and Isatanl"--and a traditional script kiddie greetz: "greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are." It also displays a fake error message and disables antivirus software and firewalls.
In order to distribute the virus, said Ha'aretz, the other four defendants presented the virus on various Internet forums as a screensaver. The indictment says that the virus caused servers to crash at various organizations including NASA.
ZDNet U.K.'s Matt Loney reported from London.
CNET Software's Robert Vamosi contributed to this report.