1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. GWV

GWV

ALIAS:Gnutella

Summary

VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.

Additional Details

VARIANT:GWV.A


When the worm is executed, it creates a several copies of itself to the Gnutella installation directory with different file names. 

    Gnutella Worm v1.1.vbs
    Napster Metallica Crack.vbs
    Jenna Jameson movie listing.vbs
    Santana.vbs
    Pamela Anderson movie listing.vbs
    NSync.vbs
    Asia Carerra movie listing.vbs
    Nirvana.mp3.vbs
    xxx FTP movie listing.vbs
    Shania Twain.mp3.vbs
    ASF Compressor (No quality loss).vbs
    Jesus loves you.vbs
    collegesex.vbs
    Gnutella upgrade.vbs
    Gladiator.vbs
    OFFICIAL Gnutella Option Pack.vbs
    Battlefield Earth.vbs
    Alicia Silverstone.vbs
    Evangelion complete episodes scripts.vbs
    Pearl Jam.vbs
    Scan Master checklist.vbs
    How to eat p***y.vbs
    Mp3 compressor (Half the size but same quality).vbs

Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally the worm creates a text file, "Yet Another GWV! xxxxxxxxxx.zip" where the "xxxxxxxxxx" is a hexadecimal number that is unique in each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example: 

    Generation #: 8
    Victim ID: 4021986573E3D41194EE0000F879A4F0
    Infection date: 31.5.2000, 12:05:01
    If I was a naughty boy, I could use scripting to get name, email, whatever file I want.

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text: 

    (Gnutella Worm Victim :)

The worm's name "VBS/GWV" comes from this text.

VARIANT:GWV.B


This variant is similar to VBS/GWV.A. However, it uses a different set of file names: 

    Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
    NapsterMetallicaCrack.zip.vbs
    JennaJamesonmovie.asf.vbs
    Santana.mp3.vbs
    PamelaAndersonmovie.mov.vbs
    NSync.mp3.vbs
    AsiaCarerramovie.avi.vbs
    Nirvana.mp3.vbs
    xxxFTPmovie.mov.vbs
    ShaniaTwain.mp3.vbs
    ASFCompressor(Noqualityloss).zip.vbs
    Jesuslovesyou.txt.vbs
    collegesex.jpg.vbs
    GnutellaUpgrade.zip.vbs
    Gladiator.jpg.vbs
    OFFICIALGnutellaOptionPack.ZIP.vbs
    Battlefield Earth.asf.vbs
    AssF**king Collage Teens 15 Girls.asf.vbs
    Evangelioncompleteepisodesscripts.txt.vbs
    ScanMaster.jpg.vbs
    How to eat p***y.avi.vbs
    AliciaSilverstone.jpg.vbs
    PearlJam.mp3.vbs
    Mp3compressor(Halfthesizebutsamequality).zip.vbs

The text file that it creates is different as well: 

    Generation #: 3
    Victim ID: 20E1BD998DDED411B61700C04F711BC7
    Infection date: 5/30/00, 12:18:20 PM
    Thanks, Guinnea Pig!.

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]