Security Incidents mailing list archives

Re: New gnutella worm found in the wild.


From: David Bailey <davidabailey () WORLDNET ATT NET>
Date: Sun, 23 Jul 2000 20:49:12 -0700

I sure am glad I keep my virus checker updated. The file was attached (now
quarantined, file was "Santana.vbs"). Here are some links for the write-up:
http://vil.nai.com/villib/dispVirus.asp?virus_k=98666
http://europe.datafellows.com/v-descs/gwv.htm
http://www.symantec.com/avcenter/venc/data/vbs.gnutella.html
What REALLY bothers me is that Symantec lists it like this (though not their fault):
Number of infections: 0-49
Number of sites: 3-9
Geographic distribution: Medium
Threat containment: Easy
Removal: Easy
Now think of it like this - How many members on this mailing list got it?
Wanna bet the number of infections has gone up? Maybe it is just me, why
send a KNOWN virus to a mailing list? Why not just let people know that you
got hit with it instead of sending it to the list? Sorry for blowing up.
But, with all the viruses running around and uneducated (or caring) users
that will click on anything, I just don't think it was a good thing to do.
Again, sorry for venting to the list but someone had to do it.

David Bailey
To contact me, Try one of the following:
you have my e-mail or ICQ: 36834226/Bit4Byte


-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Matt Merhar
Sent: Friday, July 21, 2000 10:35 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: New gnutella worm found in the wild.


Hi,
   I recently saw this file up for grabs (July 22, 1AM) on the gnutella
filesharing network. Attached is the source of what seems to be a
non-destructive, self-replicating 'worm' which has already spread quite
rapidly around the gnutella network. It also appears to be semi-polymorphic,
as it changes its filename to the names in an array called NewFilenames.
The contents of it are as follows:
NewFilenames    = Array(ProgramName & ".vbs", "Jenna Jameson movie
listing.vbs", "Pamela Anderson movie listing.vbs", "Asia Carerra movie
listing.vbs", "xxx FTP movie listing.vbs", "ASF Compressor (No quality
loss).vbs", "collegesex.vbs", "Gladiator.vbs", "Battlefield Earth.vbs",
"Evangelion complete episodes scripts.vbs", "Scan Master checklist.vbs",
"How to eat pussy.vbs", "Alicia Silverstone.vbs", "Pearl Jam.vbs", "Mp3
compressor (Half the size but same quality).vbs", "Napster Metallica
Crack.vbs", "Santana.vbs", "NSync.vbs", "Nirvana.mp3.vbs", "Shania
Twain.mp3.vbs", "Jesus loves you.vbs", "Gnutella upgrade.vbs", "OFFICIAL
Gnutella Option Pack.vbs")

   -Matt
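
The renaming behaviour described above suggests a simple defensive check on a shared folder listing; the following is an added example, not part of either message and not taken from the worm's source. Because the array also contains ProgramName & ".vbs", whose value is not shown, it flags any script file in the share rather than only the listed names; the extension sets and sample listing are assumptions constructed for illustration.

```python
import os

# Subset of the lure names from the NewFilenames array quoted above (lowercased).
KNOWN_LURES = {
    "santana.vbs", "gladiator.vbs", "pearl jam.vbs", "nsync.vbs",
    "nirvana.mp3.vbs", "shania twain.mp3.vbs", "gnutella upgrade.vbs",
    "official gnutella option pack.vbs",
}
# Assumption: extensions Windows Script Host executes on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumption: media extensions a file-sharing user expects to download.
MEDIA_EXTS = {".mp3", ".asf", ".avi", ".mpg", ".wav"}


def classify(filename):
    """Return the reasons a shared filename is suspicious (empty list = no finding)."""
    name = os.path.basename(filename).strip().lower()
    stem, ext = os.path.splitext(name)
    if ext not in SCRIPT_EXTS:
        return []
    # Any script in a media share is worth reviewing, whatever it is called.
    reasons = ["script-in-share"]
    if name in KNOWN_LURES:
        reasons.append("known-lure-name")
    # "song.mp3.vbs" shows as "song.mp3" when known extensions are hidden.
    if os.path.splitext(stem)[1] in MEDIA_EXTS:
        reasons.append("media-double-extension")
    return reasons


def scan(listing):
    """Map each flagged filename in a listing to its reasons."""
    return {f: r for f in listing if (r := classify(f))}


# Constructed sample listing of a shared folder.
SAMPLE = [
    "Santana.vbs",
    "Nirvana.mp3.vbs",
    "Holiday Photos.MP3.VBS",
    "Pearl Jam - Alive.mp3",
    "notes.txt",
]

if __name__ == "__main__":
    for fname, why in scan(SAMPLE).items():
        print(f"{fname}: {', '.join(why)}")
```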

