Threat Description

GWV

Details

Aliases: GWV, Gnutella
Category: Malware
Type: Worm
Platform: VBS

Summary


VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details



Variant: GWV.A

When the worm is executed, it creates several copies of itself in the Gnutella installation directory under different file names:

  Gnutella Worm v1.1.vbs
  Napster Metallica Crack.vbs
  Jenna Jameson movie listing.vbs
  Santana.vbs
  Pamela Anderson movie listing.vbs
  NSync.vbs
  Asia Carerra movie listing.vbs
  Nirvana.mp3.vbs
  xxx FTP movie listing.vbs
  Shania Twain.mp3.vbs
  ASF Compressor (No quality loss).vbs
  Jesus loves you.vbs
  collegesex.vbs
  Gnutella upgrade.vbs
  Gladiator.vbs
  OFFICIAL Gnutella Option Pack.vbs
  Battlefield Earth.vbs
  Alicia Silverstone.vbs
  Evangelion complete episodes scripts.vbs
  Pearl Jam.vbs
  Scan Master checklist.vbs
  How to eat p***y.vbs
  Mp3 compressor (Half the size but same quality).vbs

The Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally, the worm creates a text file named "Yet Another GWV! xxxxxxxxxx.zip", where "xxxxxxxxxx" is a hexadecimal number that is unique to each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:

  Generation #: 8
  Victim ID: 4021986573E3D41194EE0000F879A4F0
  Infection date: 31.5.2000, 12:05:01
  If I was a naughty boy, I could use scripting to get name, email, whatever file I want.

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text:

  (Gnutella Worm Victim :)  

The worm's name "VBS/GWV" comes from this text.


Variant: GWV.B

This variant is similar to VBS/GWV.A. However, it uses a different set of file names:

  Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs
  NapsterMetallicaCrack.zip.vbs
  JennaJamesonmovie.asf.vbs
  Santana.mp3.vbs
  PamelaAndersonmovie.mov.vbs
  NSync.mp3.vbs
  AsiaCarerramovie.avi.vbs
  Nirvana.mp3.vbs
  xxxFTPmovie.mov.vbs
  ShaniaTwain.mp3.vbs
  ASFCompressor(Noqualityloss).zip.vbs
  Jesuslovesyou.txt.vbs
  collegesex.jpg.vbs
  GnutellaUpgrade.zip.vbs
  Gladiator.jpg.vbs
  OFFICIALGnutellaOptionPack.ZIP.vbs
  Battlefield Earth.asf.vbs
  AssF**king Collage Teens 15 Girls.asf.vbs
  Evangelioncompleteepisodesscripts.txt.vbs
  ScanMaster.jpg.vbs
  How to eat p***y.avi.vbs
  AliciaSilverstone.jpg.vbs
  PearlJam.mp3.vbs
  Mp3compressor(Halfthesizebutsamequality).zip.vbs

The text file that it creates is different as well:

  Generation #: 3
  Victim ID: 20E1BD998DDED411B61700C04F711BC7
  Infection date: 5/30/00, 12:18:20 PM
  Thanks, Guinnea Pig!.
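
The artifacts described for both variants (the .vbs copies, the "Yet Another GWV!" marker file and the altered gnutella.ini) can be checked for in one pass over a Gnutella directory. The script below is an added example, not part of the original description or of any F-Secure tool. It assumes the marker fields sit on separate lines, and because the description does not give the gnutella.ini key names, it only looks for a "vbs" token in that file; the sample directory is constructed.

```python
import re
import tempfile
from pathlib import Path

# Marker name per the description: "Yet Another GWV! <hex number>.zip"
MARKER_NAME = re.compile(r"^Yet Another GWV! ([0-9A-Fa-f]+)\.zip$")
# Assumption: each field of the marker text sits on its own line.
FIELD = re.compile(
    r"^[ \t]*(Generation #|Victim ID|Infection date):[ \t]*(.*?)[ \t]*$", re.M)

def parse_marker(text):
    """Return the marker's 'Key: value' fields as a dict."""
    return dict(FIELD.findall(text))

def triage(gnutella_dir):
    """Collect the GWV artifacts described above from one directory."""
    report = {"vbs_files": [], "markers": [], "ini_mentions_vbs": False}
    for p in sorted(Path(gnutella_dir).iterdir()):
        if not p.is_file():
            continue
        m = MARKER_NAME.match(p.name)
        if m:  # the ".zip" is really a text file, so read it as text
            fields = parse_marker(p.read_text(errors="replace"))
            # The ID in the file name should equal the Victim ID inside it.
            fields["id_matches_name"] = (
                fields.get("Victim ID", "").upper() == m.group(1).upper())
            report["markers"].append(fields)
        elif p.suffix.lower() == ".vbs":
            report["vbs_files"].append(p.name)
        elif p.name.lower() == "gnutella.ini":
            # Key names are not given on the page: only look for a "vbs" token.
            ini = p.read_text(errors="replace").lower()
            report["ini_mentions_vbs"] = bool(re.search(r"\bvbs\b", ini))
    report["suspicious"] = bool(report["markers"]) or (
        bool(report["vbs_files"]) and report["ini_mentions_vbs"])
    return report

def demo():
    """Run triage over a constructed directory of harmless text files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        vid = "4021986573E3D41194EE0000F879A4F0"  # Victim ID from the sample above
        (root / f"Yet Another GWV! {vid}.zip").write_text(
            f"Generation #: 8\nVictim ID: {vid}\nInfection date: 31.5.2000, 12:05:01\n")
        (root / "Santana.vbs").write_text("' constructed placeholder, not worm code\n")
        # Constructed ini line; the key name "extensions" is hypothetical.
        (root / "gnutella.ini").write_text("extensions=html;mp3;vbs\n")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

The infection date is kept as a string because the two variants write it in different formats.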




Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure

