VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Variant:GWV.A
When the worm is executed, it creates several copies of itself in the Gnutella installation directory under different file names:
Gnutella Worm v1.1.vbs
Napster Metallica Crack.vbs
Jenna Jameson movie listing.vbs
Santana.vbs
Pamela Anderson movie listing.vbs
NSync.vbs
Asia Carerra movie listing.vbs
Nirvana.mp3.vbs
xxx FTP movie listing.vbs
Shania Twain.mp3.vbs
ASF Compressor (No quality loss).vbs
Jesus loves you.vbs
collegesex.vbs
Gnutella upgrade.vbs
Gladiator.vbs
OFFICIAL Gnutella Option Pack.vbs
Battlefield Earth.vbs
Alicia Silverstone.vbs
Evangelion complete episodes scripts.vbs
Pearl Jam.vbs
Scan Master checklist.vbs
How to eat p***y.vbs
Mp3 compressor (Half the size but same quality).vbs
The Gnutella installation directory is usually "C:\Program Files\gnutella".
The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.
Finally the worm creates a text file, "Yet Another GWV! xxxxxxxxxx.zip" where the "xxxxxxxxxx" is a hexadecimal number that is unique in each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:
Generation #: 8
Victim ID: 4021986573E3D41194EE0000F879A4F0
Infection date: 31.5.2000, 12:05:01
If I was a naughty boy, I could use scripting to get name, email, whatever file I want.
The worm holds the infection date and the generation number in the virus code as well.
The code contains the following commented text:
(Gnutella Worm Victim :)
The worm's name "VBS/GWV" comes from this text.
Variant:GWV.B
This variant is similar to VBS/GWV.A. However, it uses a different set of file names:
Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
NapsterMetallicaCrack.zip.vbs
JennaJamesonmovie.asf.vbs
Santana.mp3.vbs
PamelaAndersonmovie.mov.vbs
NSync.mp3.vbs
AsiaCarerramovie.avi.vbs
Nirvana.mp3.vbs
xxxFTPmovie.mov.vbs
ShaniaTwain.mp3.vbs
ASFCompressor(Noqualityloss).zip.vbs
Jesuslovesyou.txt.vbs
collegesex.jpg.vbs
GnutellaUpgrade.zip.vbs
Gladiator.jpg.vbs
OFFICIALGnutellaOptionPack.ZIP.vbs
Battlefield Earth.asf.vbs
AssF**king Collage Teens 15 Girls.asf.vbs
Evangelioncompleteepisodesscripts.txt.vbs
ScanMaster.jpg.vbs
How to eat p***y.avi.vbs
AliciaSilverstone.jpg.vbs
PearlJam.mp3.vbs
Mp3compressor(Halfthesizebutsamequality).zip.vbs
The text file that it creates is different as well:
Generation #: 3
Victim ID: 20E1BD998DDED411B61700C04F711BC7
Infection date: 5/30/00, 12:18:20 PM
Thanks, Guinnea Pig!.
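The on-disk traces described above for both variants (the "Yet Another GWV!" marker file, .vbs copies, and the modified gnutella.ini) can be checked together when triaging a Gnutella directory. The script below is an added example, not F-Secure code; the function names, the sample ID, and the gnutella.ini key names in the sample data are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MARKER_NAME = re.compile(r"^Yet Another GWV! ([0-9A-Fa-f]+)\.zip$")
MARKER_FIELD = re.compile(r"^(Generation #|Victim ID|Infection date):\s*(.+)$")

def parse_marker(text):
    """Return the fields the worm records in its marker text file."""
    fields = {}
    for line in text.splitlines():
        m = MARKER_FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage(gnutella_dir):
    """Collect the traces described for GWV.A/GWV.B from one directory."""
    root = Path(gnutella_dir)
    found = {"marker": None, "vbs_files": [], "ini_allows_vbs": False, "ini_shares_install_dir": False}
    for p in sorted(f for f in root.iterdir() if f.is_file()):
        if MARKER_NAME.match(p.name):
            # A ".zip" that is really plain text: read it as text, not as an archive.
            found["marker"] = parse_marker(p.read_text(errors="replace"))
        elif p.suffix.lower() == ".vbs":
            found["vbs_files"].append(p.name)
    ini = root / "gnutella.ini"
    if ini.is_file():
        text = ini.read_text(errors="replace").lower()
        # Key-name agnostic: look for the values, not for specific settings.
        found["ini_allows_vbs"] = re.search(r"\bvbs\b", text) is not None
        found["ini_shares_install_dir"] = str(root).lower() in text
    return found

def demo():
    """Run triage over a constructed directory (all contents are sample data)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Nirvana.mp3.vbs").write_text("' constructed placeholder\n")
        (root / "Yet Another GWV! 0A1B2C3D4E.zip").write_text(
            "Generation #: 8\nVictim ID: 0A1B2C3D4E\n"
            "Infection date: 31.5.2000, 12:05:01\n")
        # Hypothetical key names; the page does not give the real ones.
        (root / "gnutella.ini").write_text(
            f"extensions=mp3;zip;vbs\nshared_dirs={root}\n")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A .vbs file or a "vbs" entry in gnutella.ini alone is only a lead; the marker file with its three fields is the trace specific to this worm.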