Gnutella viruses weaker than email bugs, experts say

A worm crawling Gnutella's byways may show that the dangers of explosive viruses on file-sharing networks are slim and that the programs are probably safer than the average email in-box.

John Borland, Staff Writer, CNET News.com

A worm is crawling the byways of the Gnutella file-sharing network, infecting some unwary computer users looking for movies and music.

Dubbed "Gnutella Worm" by its anonymous creator, the two-week-old program was apparently designed to highlight the dangers of viruses in the networks that hundreds of thousands of people are using to trade MP3 music, videos and other files.

What it's shown might be just the opposite: that the dangers of explosive viruses on Gnutella, Napster and other file-sharing networks are slim, and that the programs are probably safer than the average email in-box.

"This doesn't have the ability to explode and send itself to hundreds of people in minutes," said Dan Schrader, chief security analyst for Trend Micro. "It's an interesting distraction, but not as dangerous as the things we expect to see over the next few months."

The issue of security inside the fast-growing file-sharing networks has been a looming question mark as hundreds of thousands of people begin downloading programs online. Napster, Gnutella and other similar programs allow computer users to open their hard drives directly to one another, without any way of verifying other people's identities or intentions.

The Napster music-swapping network keeps malicious behavior to a minimum by limiting the types of files that can be traded over the network largely to MP3 music and Windows Media files. Hackers have created ways to trade other types of files using a masking technology dubbed "Wrapster," but the vast majority of files on Napster are still music-related.

This helps protect people's PCs from infection, as viruses haven't yet found their way into MP3 files, and virus researchers say this will be a difficult or even impossible task for virus writers.

Other systems such as Gnutella or Hotline, which allow the swapping of any types of files, do allow viruses to be spread more easily. But that's the case with any system in which two people exchange files, whether it's people sharing a disk or the Internet itself, file-swapping proponents say.

"We can't prevent it. People should be wary when they open files," said Gene Kan, one of the loose coalition of programmers who have taken a lead in writing and propagating the open-source Gnutella program in recent weeks. "We can't go and hold their hands when they click their mouse."

The Gnutella Worm itself, apparently the first virus-like program to be loosed inside the new file-sharing communities, is relatively benign as viruses go.

The program lurks under one of 23 different aliases, such as "Gladiator.vbs," "Collegesex.vbs," or "Napster Metallica Crack.vbs."

If run, the virus copies itself under its many names into a file that is open to others through the Gnutella network. This makes it available for download onto another person's computer but doesn't activate any kind of automatic propagation.

It also activates an internal counter that keeps track of how many times a given copy of the virus has been copied and spread. In looking through several copies found online Friday and today, CNET News.com could find no "generation" count higher than 12, which virus experts said indicated a fairly slow rate of propagation for two weeks in the wild.

The code also contains a warning from the author. "If I was a naughty boy, I could use scripting to get name, email, whatever file I want," it reads.

This might be true, virus experts say. But even in the case of a more lethal virus, the danger that it would creep through file-sharing networks such as Gnutella likely wouldn't reach close to that posed by viruses attacking basic email programs such as Microsoft Outlook.

A message recently posted on the Security Focus Bugtraq mailing list warned of the potential of a worm that could respond to all Gnutella queries, instead of to a limited number of specific keywords.

Thus, if someone searched for "crack," it would respond with "crack.zip"; a search for "Madonna" would return "Madonna.zip."
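
The behavior described in the Bugtraq message suggests a simple client-side check, shown here as an added example that is not part of the original article: flag any peer whose offered filenames are just the search text plus an extension, across several different searches. The record layout, peer labels and thresholds are assumptions made for illustration.

```python
import os
from collections import defaultdict

# Constructed sample data: (responding peer, search text, filename offered).
# A real client would fill these in from the replies it receives.
SAMPLE_HITS = [
    ("peer-a", "crack", "crack.zip"),
    ("peer-a", "Madonna", "Madonna.zip"),
    ("peer-a", "tax forms 1999", "tax forms 1999.zip"),
    ("peer-b", "Madonna", "Madonna - Music (live).mp3"),
    ("peer-b", "crack", "crackers_recipe.txt"),
    ("peer-c", "gladiator", "gladiator.zip"),
]


def echoes_query(query, filename):
    """True when the filename is only the search text plus an extension."""
    stem, ext = os.path.splitext(filename)
    return bool(ext) and stem.strip().lower() == query.strip().lower()


def suspicious_peers(hits, min_distinct_queries=2, min_echo_ratio=0.8):
    """Return peers that echo several different searches back verbatim.

    One echoed search proves little (a file may really be named after the
    search term), so a peer is flagged only when it echoes at least
    min_distinct_queries different searches and nearly all of its replies
    are echoes.
    """
    echoed = defaultdict(set)     # peer -> distinct searches echoed back
    total = defaultdict(int)      # peer -> replies seen
    echo_count = defaultdict(int) # peer -> replies that were echoes
    for peer, query, filename in hits:
        total[peer] += 1
        if echoes_query(query, filename):
            echo_count[peer] += 1
            echoed[peer].add(query.strip().lower())
    flagged = []
    for peer, seen in total.items():
        ratio = echo_count[peer] / seen
        if len(echoed[peer]) >= min_distinct_queries and ratio >= min_echo_ratio:
            flagged.append(peer)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_peers(SAMPLE_HITS))
```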

"What is disturbing here is the combination of low accountability and trust of the individual (computers on the network)," wrote Bindview Razor security analyst Seth McGann. "Creating a self-propagating (worm) is trivial."

But the file-sharing worms would still actively require a computer user to download the virus and then activate it manually. That puts them in the same category as viruses that have been floating through Internet newsgroups and download Web sites for years--potentially dangerous, but preventable with a minimum of caution on the part of a computer user.

Web surfers should simply avoid clicking any file they've downloaded with a ".vbs" extension, which denotes a program written in the Visual Basic programming language. Microsoft Windows 98 can make it difficult to see this extension for some people, as it comes with this file extension viewing capability set in the "off" position. But virus experts say if there is any question, people simply shouldn't open files.

By contrast, email programs and Usenet readers allow viruses to be hidden inside HTML files, which are automatically triggered inside the program. If the viruses are like "Melissa" or the "I Love You" virus, they can then spread to hundreds of thousands of computers within hours of being released, using flaws in the email programs themselves to replicate.

All of these methods rely on the same tactic of appearing to come from a trusted source, whether it be an ordinary email contact or another person on the Gnutella network. And that's one of the most damaging features of the virus trend, researchers say.

"Viruses are whittling away at trust on the Net," Schrader said. "It's forcing everybody to be a bit more paranoid."