Much like the “Wet Bandits” left their signature (running water in a stopped-up sink) on home burglaries in the holiday classic Home Alone, the Israeli teenagers arrested in December 2001 for spreading the Goner worm signed their work — and that’s how they were apprehended within days of the virus’ release.

The worm spread through an  email attachment to Microsoft Outlook users, and the chatting software ICQ. A user received an email with the subject line “Hi” and the following message: “How are you? When I saw this screen saver, I immediately thought about you … I am in a harry [sic], I promise you will love it!”

The message’s attachment — Gone.SCR — appeared to be a screensaver, but it was really a Visual Basic worm that attempted to remove a computer’s firewall and antivirus applications.

The Goner worm moves quickly

Goner raced across 17 countries including the U.S., U.K., and France in December 2001, with a wide-enough reach that the worm was declared to have an “outbreak” status. However, once activated, Goner displayed the following message, which contained the Internet Relay Channel (IRC) nicknames of its creators: “Pentagone – coded by: suid. tested by ThE_SKuLL and [satan]. greetings to: TraceWar, k9-unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are.”

This type of message — known as a “greetz” and is the hallmark of an inexperienced programmer or “script kiddie,”—  made it easier to trace Goner’s origins. Using readily available data from IRC, authorities tied the nicknames to the IP addresses of Goner’s creators.

Photo: vchal / Shutterstock

Kate Johanns

Posted by Kate Johanns

Kate Johanns is a communications professional and freelance writer with more than 13 years of experience in publishing and marketing.

Leave a reply

Your email address will not be published. Required fields are marked *