GWV

Threat description

Details

CATEGORY: Malware
TYPE: Worm

Summary

VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.


Technical Details


Variant: GWV.A

When the worm is executed, it creates several copies of itself in the Gnutella installation directory under different file names:

Gnutella Worm v1.1.vbs

 Napster Metallica Crack.vbs

 Jenna Jameson movie listing.vbs

 Santana.vbs

 Pamela Anderson movie listing.vbs

 NSync.vbs

 Asia Carerra movie listing.vbs

 Nirvana.mp3.vbs

 xxx FTP movie listing.vbs

 Shania Twain.mp3.vbs

 ASF Compressor (No quality loss).vbs

 Jesus loves you.vbs

 collegesex.vbs

 Gnutella upgrade.vbs

 Gladiator.vbs

 OFFICIAL Gnutella Option Pack.vbs

 Battlefield Earth.vbs

 Alicia Silverstone.vbs

 Evangelion complete episodes scripts.vbs

 Pearl Jam.vbs

 Scan Master checklist.vbs

 How to eat p***y.vbs

 Mp3 compressor (Half the size but same quality).vbs

The Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally, the worm creates a text file named "Yet Another GWV! xxxxxxxxxx.zip", where "xxxxxxxxxx" is a hexadecimal number that is unique to each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:

Generation #: 8

 Victim ID: 4021986573E3D41194EE0000F879A4F0

 Infection date: 31.5.2000, 12:05:01

 If I was a naughty boy, I could use scripting to get name, email, whatever file I want.

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text:

(Gnutella Worm Victim :)

The worm's name "VBS/GWV" comes from this text.


Variant: GWV.B

This variant is similar to VBS/GWV.A. However, it uses a different set of file names:

Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs

 NapsterMetallicaCrack.zip.vbs

 JennaJamesonmovie.asf.vbs

 Santana.mp3.vbs

 PamelaAndersonmovie.mov.vbs

 NSync.mp3.vbs

 AsiaCarerramovie.avi.vbs

 Nirvana.mp3.vbs

 xxxFTPmovie.mov.vbs

 ShaniaTwain.mp3.vbs

 ASFCompressor(Noqualityloss).zip.vbs

 Jesuslovesyou.txt.vbs

 collegesex.jpg.vbs

 GnutellaUpgrade.zip.vbs

 Gladiator.jpg.vbs

 OFFICIALGnutellaOptionPack.ZIP.vbs

 Battlefield Earth.asf.vbs

 AssF**king Collage Teens 15 Girls.asf.vbs

 Evangelioncompleteepisodesscripts.txt.vbs

 ScanMaster.jpg.vbs

 How to eat p***y.avi.vbs

 AliciaSilverstone.jpg.vbs

 PearlJam.mp3.vbs

 Mp3compressor(Halfthesizebutsamequality).zip.vbs

The text file that it creates is different as well:

Generation #: 3

 Victim ID: 20E1BD998DDED411B61700C04F711BC7

 Infection date: 5/30/00, 12:18:20 PM

 Thanks, Guinnea Pig!.
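The artifacts described above for both variants (dropped .vbs copies, the edited "gnutella.ini" and the marker text file) can be checked with a read-only triage script. This is an added example, not F-Secure's code; the function names, the sample ini key names and the marker file name suffix are hypothetical or constructed.

```python
import re
import tempfile
from pathlib import Path

MARKER_GLOB = "Yet Another GWV! *.zip"  # marker file name pattern from the description
FIELD_RE = re.compile(r"^\s*(Generation #|Victim ID|Infection date):\s*(.+?)\s*$", re.M)

def parse_marker(text):
    """Extract the fields the worm writes into its marker text file."""
    return dict(FIELD_RE.findall(text))

def triage(share_dir):
    """Collect GWV artifacts from a Gnutella installation directory."""
    d = Path(share_dir)
    found = {"vbs_files": [], "ini_lines": [], "markers": {}}
    # 1. Script copies dropped next to the shared files.
    for p in sorted(d.iterdir()):
        if p.is_file() and p.suffix.lower() == ".vbs":
            found["vbs_files"].append(p.name)
    # 2. gnutella.ini edited to allow .vbs. The description gives no key names,
    #    so any line mentioning "vbs" is reported for manual review (assumption).
    ini = d / "gnutella.ini"
    if ini.is_file():
        for line in ini.read_text(errors="replace").splitlines():
            if re.search(r"\bvbs\b", line, re.I):
                found["ini_lines"].append(line.strip())
    # 3. Marker text file carrying generation, victim ID and infection date.
    for m in sorted(d.glob(MARKER_GLOB)):
        found["markers"][m.name] = parse_marker(m.read_text(errors="replace"))
    return found

def build_sample(path):
    """Constructed sample directory: inert placeholder files, no worm code."""
    d = Path(path)
    (d / "Nirvana.mp3.vbs").write_text("' inert placeholder\n")
    (d / "song.mp3").write_text("placeholder\n")
    # Constructed ini content; the key names are hypothetical.
    (d / "gnutella.ini").write_text("extensions=mp3;avi;vbs\nport=6346\n")
    # File name suffix is a constructed placeholder; body is the GWV.A example.
    (d / "Yet Another GWV! 0123456789.zip").write_text(
        "Generation #: 8\n Victim ID: 4021986573E3D41194EE0000F879A4F0\n"
        " Infection date: 31.5.2000, 12:05:01\n")
    return d

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, value in triage(build_sample(tmp)).items():
            print(kind, value)
```

Any hit in `ini_lines` needs manual review, since the match is a keyword heuristic rather than a check of a known configuration key.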
