When the worm is executed, it creates a several copies of itself to
the Gnutella installation directory with different file names.
Gnutella Worm v1.1.vbs
Napster Metallica Crack.vbs
Jenna Jameson movie listing.vbs
Pamela Anderson movie listing.vbs
Asia Carerra movie listing.vbs
xxx FTP movie listing.vbs
ASF Compressor (No quality loss).vbs
Jesus loves you.vbs
OFFICIAL Gnutella Option Pack.vbs
Evangelion complete episodes scripts.vbs
Scan Master checklist.vbs
How to eat p***y.vbs
Mp3 compressor (Half the size but same quality).vbs
Gnutella installation directory is usually
The worm alters the "gnutella.ini" file from the same directory by
adding the ".vbs" extension to the list of allowed extensions and by
adding the Gnutella installation directory to the list of shared
Finally the worm creates a text file, "Yet Another GWV!
xxxxxxxxxx.zip" where the "xxxxxxxxxx" is a hexadecimal number that is
unique in each Gnutella installation. This text file contains the
infection date, the generation number and the unique number
mentioned above, for example:
Generation #: 8
Victim ID: 4021986573E3D41194EE0000F879A4F0
Infection date: 31.5.2000, 12:05:01
If I was a naughty boy, I could use scripting to get name, email, whatever file I want.
The worm holds the infection date and the generation number in the
virus code as well.
The code contains the following commented text:
(Gnutella Worm Victim :)
The worm's name "VBS/GWV" comes from this text.
This variant is similar to VBS/GWV.A. However, it uses a different set
of file names:
Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
AssF**king Collage Teens 15 Girls.asf.vbs
How to eat p***y.avi.vbs
The text file that it creates is different as well:
Generation #: 3
Victim ID: 20E1BD998DDED411B61700C04F711BC7
Infection date: 5/30/00, 12:18:20 PM
Thanks, Guinnea Pig!.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]