Virtual fingerprints may have trapped Goner worm suspects, says Sophos

December 10, 2001 Sophos Press Release

Sophos, a world leader in corporate anti-virus protection, today applauded the arrest of four Israeli youths involved in the writing and distribution of the Goner computer worm. Sophos believes the worm itself may have included cryptic clues as to the true identity of the perpetrators.

The four high school students, aged between 15 and 16, were apprehended in the northern city of Nahariya on Friday 7 December and admitted their involvement, said Meir Zohar, the head of the police computer crime squad.

The worm poses as a screensaver called GONE.SCR. When activated it displays a message, apparently from the author to his friends:

"pentagone coded by: suid tested by ThE_SKuLL and |satan| greetings to: TraceWar, k9-unit, stef16, ^Reno. greetings also to nonick2 out there where ever you are."

W32/Goner-A graphical display

"Virus writers typically use 'handles' or nicknames to hide their true identity," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "However, for computer crime authorities these can be vital clues. Handles act as virtual fingerprints: if the author uses the nickname elsewhere links can be made and the authorities can investigate."

The suspects could face between three and five years in jail if convicted, said Zohar.

"Even though the people behind this worm have been caught - the worm will carry on causing damage. Like the contents of Pandora's box, once a worm has been released it can never be recaptured, however sorry its authors may be for the damage they have caused," Cluley continued.