Threat Description

GWV

Details

Aliases: GWV, Gnutella
Category: Malware
Type: Worm
Platform: VBS

Summary



VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant: GWV.A

When the worm is executed, it creates several copies of itself in the Gnutella installation directory under different file names:

 Gnutella Worm v1.1.vbs
 Napster Metallica Crack.vbs
 Jenna Jameson movie listing.vbs
 Santana.vbs
 Pamela Anderson movie listing.vbs
 NSync.vbs
 Asia Carerra movie listing.vbs
 Nirvana.mp3.vbs
 xxx FTP movie listing.vbs
 Shania Twain.mp3.vbs
 ASF Compressor (No quality loss).vbs
 Jesus loves you.vbs
 collegesex.vbs
 Gnutella upgrade.vbs
 Gladiator.vbs
 OFFICIAL Gnutella Option Pack.vbs
 Battlefield Earth.vbs
 Alicia Silverstone.vbs
 Evangelion complete episodes scripts.vbs
 Pearl Jam.vbs
 Scan Master checklist.vbs
 How to eat p***y.vbs
 Mp3 compressor (Half the size but same quality).vbs

The Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file in the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally, the worm creates a text file, "Yet Another GWV! xxxxxxxxxx.zip", where "xxxxxxxxxx" is a hexadecimal number that is unique to each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:

 Generation #: 8
 Victim ID: 4021986573E3D41194EE0000F879A4F0
 Infection date: 31.5.2000, 12:05:01
 If I was a naughty boy, I could use scripting to get name, email, whatever file I want.

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text:

  (Gnutella Worm Victim :)

The worm's name "VBS/GWV" comes from this text.


Variant: GWV.B

This variant is similar to VBS/GWV.A. However, it uses a different set of file names:

 Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
 NapsterMetallicaCrack.zip.vbs
 JennaJamesonmovie.asf.vbs
 Santana.mp3.vbs
 PamelaAndersonmovie.mov.vbs
 NSync.mp3.vbs
 AsiaCarerramovie.avi.vbs
 Nirvana.mp3.vbs
 xxxFTPmovie.mov.vbs
 ShaniaTwain.mp3.vbs
 ASFCompressor(Noqualityloss).zip.vbs
 Jesuslovesyou.txt.vbs
 collegesex.jpg.vbs
 GnutellaUpgrade.zip.vbs
 Gladiator.jpg.vbs
 OFFICIALGnutellaOptionPack.ZIP.vbs
 Battlefield Earth.asf.vbs
 AssF**king Collage Teens 15 Girls.asf.vbs
 Evangelioncompleteepisodesscripts.txt.vbs
 ScanMaster.jpg.vbs
 How to eat p***y.avi.vbs
 AliciaSilverstone.jpg.vbs
 PearlJam.mp3.vbs
 Mp3compressor(Halfthesizebutsamequality).zip.vbs

The text file that it creates is different as well:

 Generation #: 3
 Victim ID: 20E1BD998DDED411B61700C04F711BC7
 Infection date: 5/30/00, 12:18:20 PM
 Thanks, Guinnea Pig!.
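
The artifacts described for both variants (dropped .vbs copies, the altered gnutella.ini and the "Yet Another GWV!" marker file) can be checked for in a shared directory with a short triage script. This is an added example, not F-Secure code; it assumes the marker file name carries the full Victim ID, and the ini key name in the sample data is hypothetical because the description does not give it.

```python
import re
import tempfile
from pathlib import Path

# File name and field layout as given in the description above.
MARKER_RE = re.compile(r"^Yet Another GWV! ([0-9A-Fa-f]+)\.zip$")
FIELD_RE = re.compile(r"^\s*(Generation #|Victim ID|Infection date):\s*(.+?)\s*$")

def triage(directory):
    """Collect the GWV artifacts described above from one directory."""
    report = {"vbs_files": [], "markers": [], "ini_vbs_lines": []}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        name = path.name
        if name.lower().endswith(".vbs"):
            report["vbs_files"].append(name)
        elif MARKER_RE.match(name):
            # The marker is plain text despite its .zip name; it is read, never unpacked.
            fields = {"file": name, "file_id": MARKER_RE.match(name).group(1)}
            for line in path.read_text(errors="replace").splitlines():
                m = FIELD_RE.match(line)
                if m:
                    fields[m.group(1)] = m.group(2)
            report["markers"].append(fields)
        elif name.lower() == "gnutella.ini":
            # Key names are not given in the description, so flag any line naming .vbs.
            report["ini_vbs_lines"] = [l.strip() for l in
                path.read_text(errors="replace").splitlines() if ".vbs" in l.lower()]
    # A marker alone is conclusive; .vbs files count only alongside the ini change.
    report["suspect"] = bool(report["markers"]) or bool(
        report["vbs_files"] and report["ini_vbs_lines"])
    return report

def build_sample(directory):
    """Write constructed, inert sample files (text only) for the demo."""
    d = Path(directory)
    (d / "Nirvana.mp3.vbs").write_text("' constructed placeholder, no code\n")
    (d / "gnutella.ini").write_text("example_extensions_key=.mp3;.avi;.vbs\n")  # hypothetical key
    (d / "Yet Another GWV! 4021986573E3D41194EE0000F879A4F0.zip").write_text(
        " Generation #: 8\n Victim ID: 4021986573E3D41194EE0000F879A4F0\n"
        " Infection date: 31.5.2000, 12:05:01\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

The generation number and Victim ID recovered from the marker give incident responders a per-host identifier and a rough count of how many hops the copy travelled before reaching the machine.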




Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure

