Classification

Category: Malware

Type: Worm

Aliases: GWV, Gnutella

Summary


VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details



Variant:GWV.A

When the worm is executed, it creates a several copies of itself to the Gnutella installation directory with different file names.

Gnutella Worm v1.1.vbs

 Napster Metallica Crack.vbs

 Jenna Jameson movie listing.vbs

 Santana.vbs

 Pamela Anderson movie listing.vbs

 NSync.vbs

 Asia Carerra movie listing.vbs

 Nirvana.mp3.vbs

 xxx FTP movie listing.vbs

 Shania Twain.mp3.vbs

 ASF Compressor (No quality loss).vbs

 Jesus loves you.vbs

 collegesex.vbs

 Gnutella upgrade.vbs

 Gladiator.vbs

 OFFICIAL Gnutella Option Pack.vbs

 Battlefield Earth.vbs

 Alicia Silverstone.vbs

 Evangelion complete episodes scripts.vbs

 Pearl Jam.vbs

 Scan Master checklist.vbs

 How to eat p***y.vbs

 Mp3 compressor (Half the size but same quality).vbs

Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally the worm creates a text file, "Yet Another GWV! xxxxxxxxxx.zip" where the "xxxxxxxxxx" is a hexadecimal number that is unique in each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:

Generation #: 8

 Victim ID: 4021986573E3D41194EE0000F879A4F0

 Infection date: 31.5.2000, 12:05:01

 If I was a naughty boy, I could use scripting to get name, email, whatever file I want.

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text:

(Gnutella Worm Victim :)

The worm's name "VBS/GWV" comes from this text.


Variant:GWV.B

This variant is similar to VBS/GWV.A. However, it uses a different set of file names:

Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs

 NapsterMetallicaCrack.zip.vbs

 JennaJamesonmovie.asf.vbs

 Santana.mp3.vbs

 PamelaAndersonmovie.mov.vbs

 NSync.mp3.vbs

 AsiaCarerramovie.avi.vbs

 Nirvana.mp3.vbs

 xxxFTPmovie.mov.vbs

 ShaniaTwain.mp3.vbs

 ASFCompressor(Noqualityloss).zip.vbs

 Jesuslovesyou.txt.vbs

 collegesex.jpg.vbs

 GnutellaUpgrade.zip.vbs

 Gladiator.jpg.vbs

 OFFICIALGnutellaOptionPack.ZIP.vbs

 Battlefield Earth.asf.vbs

 AssF**king Collage Teens 15 Girls.asf.vbs

 Evangelioncompleteepisodesscripts.txt.vbs

 ScanMaster.jpg.vbs

 How to eat p***y.avi.vbs

 AliciaSilverstone.jpg.vbs

 PearlJam.mp3.vbs

 Mp3compressor(Halfthesizebutsamequality).zip.vbs

The text file that it creates is different as well:

Generation #: 3

 Victim ID: 20E1BD998DDED411B61700C04F711BC7

 Infection date: 5/30/00, 12:18:20 PM

 Thanks, Guinnea Pig!.