Much like the “Wet Bandits” left their signature (running water in a stopped-up sink) on home burglaries in the holiday classic Home Alone, the Israeli teenagers arrested in December 2001 for spreading the Goner worm signed their work — and that’s how they were apprehended within days of the virus’ release.
The worm spread through an email attachment to Microsoft Outlook users, and the chatting software ICQ. A user received an email with the subject line “Hi” and the following message: “How are you? When I saw this screen saver, I immediately thought about you … I am in a harry [sic], I promise you will love it!”
The message’s attachment — Gone.SCR — appeared to be a screensaver, but it was really a Visual Basic worm that attempted to remove a computer’s firewall and antivirus applications.
The creators of the #GonerWorm signed their work — and that’s how they were apprehended within days of the virus’ release. #TechTimeWarp
The Goner worm moves quickly
Goner raced across 17 countries including the U.S., U.K., and France in December 2001, with a wide-enough reach that the worm was declared to have an “outbreak” status. However, once activated, Goner displayed the following message, which contained the Internet Relay Channel (IRC) nicknames of its creators: “Pentagone – coded by: suid. tested by ThE_SKuLL and [satan]. greetings to: TraceWar, k9-unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are.”
This type of message — known as a “greetz” and is the hallmark of an inexperienced programmer or “script kiddie,”— made it easier to trace Goner’s origins. Using readily available data from IRC, authorities tied the nicknames to the IP addresses of Goner’s creators.
Photo: vchal / Shutterstock