Threat description




VBS/GWV is a polymorphic worm that is able to spread via Gnutella, a file sharing application.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details


When the worm is executed, it creates a several copies of itself to the Gnutella installation directory with different file names.

  Gnutella Worm v1.1.vbs     Napster Metallica Crack.vbs     Jenna Jameson movie listing.vbs     Santana.vbs     Pamela Anderson movie listing.vbs     NSync.vbs     Asia Carerra movie listing.vbs     Nirvana.mp3.vbs     xxx FTP movie listing.vbs     Shania Twain.mp3.vbs     ASF Compressor (No quality loss).vbs     Jesus loves you.vbs     collegesex.vbs     Gnutella upgrade.vbs     Gladiator.vbs     OFFICIAL Gnutella Option Pack.vbs     Battlefield Earth.vbs     Alicia Silverstone.vbs     Evangelion complete episodes scripts.vbs     Pearl Jam.vbs     Scan Master checklist.vbs     How to eat p***y.vbs     Mp3 compressor (Half the size but same quality).vbs  

Gnutella installation directory is usually "C:\Program Files\gnutella".

The worm alters the "gnutella.ini" file from the same directory by adding the ".vbs" extension to the list of allowed extensions and by adding the Gnutella installation directory to the list of shared directories.

Finally the worm creates a text file, "Yet Another GWV!" where the "xxxxxxxxxx" is a hexadecimal number that is unique in each Gnutella installation. This text file contains the infection date, the generation number and the unique number mentioned above, for example:

  Generation #: 8     Victim ID: 4021986573E3D41194EE0000F879A4F0     Infection date: 31.5.2000, 12:05:01     If I was a naughty boy, I could use scripting to get name, email, whatever file I want.  

The worm holds the infection date and the generation number in the virus code as well.

The code contains the following commented text:

  (Gnutella Worm Victim :)  

The worm's name "VBS/GWV" comes from this text.


This variant is similar to VBS/GWV.A. However, it uses a different set of file names:

  Gnutella Worm v1.2 By LeGaLiZeBuDzNew.vbs     JennaJamesonmovie.asf.vbs     Santana.mp3.vbs     NSync.mp3.vbs     AsiaCarerramovie.avi.vbs     Nirvana.mp3.vbs     ShaniaTwain.mp3.vbs     ASFCompressor(Noqualityloss).zip.vbs     Jesuslovesyou.txt.vbs     collegesex.jpg.vbs     Gladiator.jpg.vbs     OFFICIALGnutellaOptionPack.ZIP.vbs     Battlefield Earth.asf.vbs     AssF**king Collage Teens 15 Girls.asf.vbs     Evangelioncompleteepisodesscripts.txt.vbs     ScanMaster.jpg.vbs     How to eat p***y.avi.vbs     AliciaSilverstone.jpg.vbs     PearlJam.mp3.vbs     Mp3compressor(Halfthesizebutsamequality).zip.vbs  

The text file that it creates is different as well:

  Generation #: 3     Victim ID: 20E1BD998DDED411B61700C04F711BC7     Infection date: 5/30/00, 12:18:20 PM     Thanks, Guinnea Pig!.  

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info