Gnutella worm finds new way to squirm into PCs

Although not damaging, the worm is a blueprint for virus writers who want to use peer-to-peer swapping services to spread their creations.

Robert Lemos Staff Writer, CNET News.com
A so-called proof-of-concept worm started spreading over the weekend among the PCs of people using the peer-to-peer file-swapping protocol known as Gnutella.

The computer worm was likely created to prove that viruses can spread among computers connected to peer-to-peer networks.

The worm acts as a superficial chameleon, taking the name of whichever file a person requests. Although its name changes, people who use the Gnutella network can easily spot the worm by its constant size: 8,192 bytes.

That makes it unlikely that the virus will spread very quickly, said Vincent Gullotto, director of antivirus research at security software maker Network Associates. "Its ability to spread on a mass scale quickly is not going to be there," he said. "There's still going to have to be some kind of social engineering involved in it."

Gullotto said that Network Associates has had no reports of the worm from its customers as of Monday afternoon.

The worm appeared over the weekend, said Ben Houston, a student in computer science at Carleton University who has been tracking the virus.

As a proof-of-concept worm, it could open up peer-to-peer networks as another vector for computer viruses to spread.

Similar to viruses such as Hybris and Happy99, the Gnutella worm infects a PC and then monitors a computer's network connection.

Hybris and Happy99 watch for e-mail addresses; this worm looks for Gnutella connections. When the PC's owner connects to the Gnutella network, the worm looks for file requests--most commonly music files--and sends back a positive match. Other people will seemingly see the file they want on the victim's computer for any request they send.

The act of changing its form to fool potential victims makes the worm a Trojan horse. For example, searching for text that wouldn't normally be found in a song title such as "imavirus" will find several files called imavirus.exe. A search by CNET News.com found six infected PCs that gave a positive response.

Although the low response rate indicates that the worm has not spread far, the fact that a single infected PC responds to every request makes it appear as though the Trojan horse has massively infected a computer.
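The two tells described above (a file name that simply echoes the search term as an .exe, and a constant size of 8,192 bytes) can be turned into a filter over search results. The following is an added example, not code from the article or from any Gnutella client; the `Hit` record layout, the case-insensitive name comparison, and the sample addresses and results are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

WORM_SIZE = 8192  # constant file size reported in the article


class Hit(NamedTuple):
    host: str      # responding peer (constructed documentation addresses below)
    query: str     # search term that was sent
    filename: str  # file name offered in the response
    size: int      # advertised size in bytes


def is_suspicious(hit: Hit) -> bool:
    """True when the hit echoes the query as an .exe and has the worm's fixed size."""
    name = hit.filename.strip().lower()
    echoed = name == hit.query.strip().lower() + ".exe"  # assumed: case-insensitive match
    return echoed and hit.size == WORM_SIZE


def suspect_hosts(hits, min_queries=2):
    """Hosts that answered at least min_queries distinct searches with suspicious hits."""
    seen = defaultdict(set)
    for h in hits:
        if is_suspicious(h):
            seen[h.host].add(h.query.strip().lower())
    return sorted(host for host, queries in seen.items() if len(queries) >= min_queries)


# Constructed sample results, not captured traffic.
SAMPLE_HITS = [
    Hit("192.0.2.10", "imavirus", "imavirus.exe", 8192),
    Hit("192.0.2.10", "blue moon", "blue moon.exe", 8192),
    Hit("192.0.2.22", "blue moon", "Blue Moon.mp3", 4211004),
    Hit("192.0.2.35", "setup", "setup.exe", 1530112),   # echoes query, wrong size
    Hit("192.0.2.47", "imavirus", "IMAVIRUS.EXE", 8192),
]

if __name__ == "__main__":
    for h in SAMPLE_HITS:
        flag = "SUSPECT" if is_suspicious(h) else "ok     "
        print(f"{flag} {h.host} {h.filename} {h.size}")
    print("hosts echoing multiple queries:", suspect_hosts(SAMPLE_HITS))
```

Requiring both conditions keeps a legitimate `setup.exe` of a different size from being flagged, and grouping by host reflects the article's point that one infected PC answers every request.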

"What the heck are with these 8kb files? They're everywhere!" wrote one Gnutella user to the alt.gnutella newsgroup on Monday.

This mechanism for infecting other computers--or at least convincing people to download the worm--had been discussed in a security advisory posted to the Bugtraq security list last May.

Soon after the posting, a Trojan horse aimed at peer-to-peer networks appeared and quickly failed to spread. Known as VBS/Gnutella, the virus posed as one of 23 files commonly downloaded through such services.

The latest virus can pose as any search term, but limits itself to the Gnutella network.