Information Security News mailing list archives

VBS worm targets Gnutella users


From: William Knowles <wk () C4I ORG>
Date: Sun, 4 Jun 2000 12:33:53 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2581605,00.html

By Robert Lemos, ZDNN
June 2, 2000 5:04 PM PT

An unknown author has created a worm aimed at infecting Gnutella
users.

Possibly malicious in intent, but benign in reality, the worm uses the
Visual Basic Script language to store itself on an infected computer
in 23 different files named, for example, Pamela Anderson movie
listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica
Crack.vbs and NSync.vbs.

The worm can only spread to computers whose users execute the code by
double-clicking on the file.

Anti-virus firm Trend Micro Inc. had not had any reports of public
infections, but had posted an alert about the worm, which it calls
VBS_GNUTELWORM, on May 31. The worm contains a simpler name, Gnutella
Worm v1.1.

Akin to Napster

Gnutella is a free, distributed network for exchanging
files, similar -- but technically different -- to Napster. While the
network can be used to exchange any files, most files are pirated
copies of music and software or porn.

"This is only going to affect people using the system," said Dan
Schrader, chief security analyst for Trend. "This is not going to have
a big impact on corporate America."

However, Gnutella users reported that numerous host computers had
already been infected by their users clicking on the files.

By late Friday afternoon, ZDNet News could only confirm two infections
by searching for the name of a specific file that the worm copies to
the victim's hard drive.

By refusing to download -- and open -- VBS files, users of Gnutella
can avoid infection.

Don't open those files

The worm targets Gnutella by changing the
gnutella.ini file to accept Visual Basic Script files and places the
23 Trojan files in the Gnutella download directory so that others on
the network may find them.

The worm also creates a "victim" file with some statistics on what
generation of the worm infected the user and on what date. One file
found by ZDNet News listed itself as the 12th generation and infected
the computer at 10 a.m. on May 31.

In addition, the worm copies a warning from its author to users of
Gnutella: "If I was a naughty boy, I could use scripting to get name,
email, whatever file I want."

Because users have to actively search for the files -- rather than
have an infected file delivered to them as in the "ILOVEYOU" worm -- the
rate of infection will be low and the worm should not spread widely.

A breach of trust?

But copycats based on the worm could prove to be
more than the academic threat that this current worm poses.

For now, the greatest casualty seems to be the trust between users of
Gnutella, said Schrader.

"It is another one of these worms that is eroding the trust
relationship that these new distribution systems are based on," he
said.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com