VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When the worm is executed, it creates several copies of itself in the Gnutella installation directory under different file names:
Gnutella Worm v1.1.vbs
Napster Metallica Crack.vbs
Jenna Jameson movie listing.vbs
Santana.vbs
Pamela Anderson movie listing.vbs
NSync.vbs
Asia Carerra movie listing.vbs
Nirvana.mp3.vbs
xxx FTP movie listing.vbs
Shania Twain.mp3.vbs
ASF Compressor (No quality loss).vbs
Jesus loves you.vbs
collegesex.vbs
Gnutella upgrade.vbs
Gladiator.vbs
OFFICIAL Gnutella Option Pack.vbs
Battlefield Earth.vbs
Alicia Silverstone.vbs
Evangelion complete episodes scripts.vbs
Pearl Jam.vbs
Scan Master checklist.vbs
How to eat p***y.vbs
Mp3 compressor (Half the size but same quality).vbs
The Gnutella installation directory is usually "C:\Program Files\gnutella".
The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.
Finally, the worm creates a text file, "Yet Another GWV! xxxxxxxxxx.zip", where "xxxxxxxxxx" is a hexadecimal number that is unique to each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:
Generation #: 8
Victim ID: 4021986573E3D41194EE0000F879A4F0
Infection date: 31.5.2000, 12:05:01
If I was a naughty boy, I could use scripting to get name, email, whatever file I want.
The worm holds the infection date and the generation number in the virus code as well.
The code contains the following commented text:
(Gnutella Worm Victim :)
The worm's name "VBS/GWV" comes from this text.
This variant is similar to VBS/GWV.A. However, it uses a different set of file names:
Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
NapsterMetallicaCrack.zip.vbs
JennaJamesonmovie.asf.vbs
Santana.mp3.vbs
PamelaAndersonmovie.mov.vbs
NSync.mp3.vbs
AsiaCarerramovie.avi.vbs
Nirvana.mp3.vbs
xxxFTPmovie.mov.vbs
ShaniaTwain.mp3.vbs
ASFCompressor(Noqualityloss).zip.vbs
Jesuslovesyou.txt.vbs
collegesex.jpg.vbs
GnutellaUpgrade.zip.vbs
Gladiator.jpg.vbs
OFFICIALGnutellaOptionPack.ZIP.vbs
Battlefield Earth.asf.vbs
AssF**king Collage Teens 15 Girls.asf.vbs
Evangelioncompleteepisodesscripts.txt.vbs
ScanMaster.jpg.vbs
How to eat p***y.avi.vbs
AliciaSilverstone.jpg.vbs
PearlJam.mp3.vbs
Mp3compressor(Halfthesizebutsamequality).zip.vbs
The text file that it creates is different as well:
Generation #: 3
Victim ID: 20E1BD998DDED411B61700C04F711BC7
Infection date: 5/30/00, 12:18:20 PM
Thanks, Guinnea Pig!.
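The traces described above (dropped .vbs copies, the altered "gnutella.ini" and the "Yet Another GWV!" text file) can be collected from a Gnutella directory with a read-only triage script. This is an added example, not code from F-Secure or from the original description; the "gnutella.ini" key names, the hexadecimal number in the sample file name and the sample directory contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

MARKER = re.compile(r"^Yet Another GWV! ([0-9A-Fa-f]+)\.zip$")
FIELDS = {
    "generation": re.compile(r"Generation #:\s*(\d+)"),
    "victim_id": re.compile(r"Victim ID:\s*([0-9A-Fa-f]+)"),
    "infected": re.compile(r"Infection date:\s*(\S+,\s*\d{1,2}:\d{2}:\d{2}(?: [AP]M)?)"),
}

def parse_marker(text):
    """Pull the three fields the worm records; a missing field becomes None."""
    return {k: (m.group(1) if (m := rx.search(text)) else None)
            for k, rx in FIELDS.items()}

def triage(directory):
    """Collect GWV traces from one Gnutella directory without altering it."""
    directory = Path(directory)
    out = {"vbs_files": [], "markers": [], "ini_lines": []}
    for p in sorted(q for q in directory.iterdir() if q.is_file()):
        m = MARKER.match(p.name)
        if p.suffix.lower() == ".vbs":
            out["vbs_files"].append(p.name)
        elif m:  # named .zip, but the description says it is plain text
            info = parse_marker(p.read_text(errors="replace"))
            out["markers"].append({"name_id": m.group(1), **info})
        elif p.name.lower() == "gnutella.ini":
            # Key names are unknown here: report lines naming vbs or this directory.
            for line in p.read_text(errors="replace").splitlines():
                low = line.lower()
                if "vbs" in low or str(directory).lower() in low:
                    out["ini_lines"].append(line.strip())
    return out

def demo():
    """Constructed sample directory; the ini key names here are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "Nirvana.mp3.vbs").write_text("' constructed placeholder\n")
        (d / "readme.txt").write_text("harmless\n")
        (d / "Yet Another GWV! 0A1B2C3D4E.zip").write_text(
            "Generation #: 8\nVictim ID: 4021986573E3D41194EE0000F879A4F0\n"
            "Infection date: 31.5.2000, 12:05:01\n")
        (d / "gnutella.ini").write_text(
            f"extensions=mp3;avi;vbs\nshared_dirs=C:\\music;{d}\nport=6346\n")
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

The date pattern accepts both layouts shown in the sample text files, so the generation number and infection date can be compared across machines during cleanup.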
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure