Information Security News mailing list archives
VBS worm targets Gnutella users
From: William Knowles <wk () C4I ORG>
Date: Sun, 4 Jun 2000 12:33:53 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2581605,00.html By Robert Lemos, ZDNN June 2, 2000 5:04 PM PT An unknown author has created a worm aimed at infecting Gnutella users. Possibly malicious in intent, but benign in reality, the worm uses the Visual Basic Script language to store itself on an infected computer in 23 different files named, for example, Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs. The worm can only spread to computers whose users execute the code by double-clicking on the file. Anti-virus firm Trend Micro Inc. had not had any reports of public infections, but had posted an alert about the worm, which it calls VBS_GNUTELWORM, on May 31. The worm contains a simpler name, Gnutella Worm v1.1. Akin to Napster Gnutella is a free, distributed network for exchanging files, similar -- but technically different -- to Napster. While the network can be used to exchange any files, most files are pirated copies of music and software or porn. "This is only going to affect people using the system," said Dan Schrader, chief security analyst for Trend. "This is not going to have a big impact on corporate America." However, Gnutella users reported that numerous host computers had already been infected by their users clicking on the files. By late Friday afternoon, ZDNet News could only confirm two infections by searching for the name of a specific file that the worm copies to the victim's hard drive. By refusing to download -- and open -- VBS files, users of Gnutella can avoid infection. Don't open those files The worm targets Gnutella by changing the gnutella.ini file to accept Visual Basic Script files and places the 23 Trojan files in the Gnutella download directory so that others on the network may find them. The worm also creates a "victim" file with some statistics on what generation of the worm infected the user and on what date. One file found by ZDNet News listed itself as the 12th generation and infected the computer at 10 a.m. on May 31. In addition, the worm copies a warning from its author to users of Gnutella: "If I was a naughty boy, I could use scripting to get name, email, whatever file I want." Because users have to actively search for the files -- rather than have an infected file delivered to it as in the "ILOVEYOU" worm -- the rate of infection will be low and the worm should not spread widely. A breach of trust? But copycats based on the worm could prove to be more than the academic threat that this current worm poses. For now, the greatest casualty seems to be the trust between users of Gnutella, said Schrader. "It is another one of these worms that is eroding the trust relationship that these new distribution systems are based on," he said. *-------------------------------------------------* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *-------------------------------------------------* ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- VBS worm targets Gnutella users William Knowles (Jun 05)