Gnutella worm threatens music lovers

Users of Napster rival Gnutella are being exposed to a new worm that is threatening to infect their machines after gaining entry disguised as a song file.

The worm, known as Mandragore and GnutellaMandragore, spreads by monitoring file searches on the Gnutella system and changing its name to whatever the user is looking for. For example, if a user is looking for a song by US teen sensation Britney Spears the virus will disguise itself as one of her songs in the hope that users will download it, and infect their machines. Anti-virus specialist F-Secure has issued a level 2 security alert over the virus - the second most serious warning it can issue. Current examples of the worm are not yet programmed to erase files, though they may cause nodes to become overloaded. Jack Clark, spokesman for anti-virus company Network Associates, said: "It's about concept more than actual damage, but it should remind everyone that wherever people are sharing files there could be a malicious pair of eyes watching." At present the virus is relatively easily detected because the files are always the same size, 8,192 bytes, which is far too short for a song file. However, this is not a failsafe way of detecting it, warns Jason Holloway, general manager UK at F-Secure. He said "It would be relatively easy to alter it and make the file bigger." Holloway suggested weaknesses within Gnutella's code may be a likely source of blame. "I would suggest this is taking advantage of some flaw in the Gnutella code that allows a file to masquerade as anything the user asks for," he said. "Either way there isn't a similar flaw in Napster, or at least they haven't found one." Gnutella is expected to become increasingly popular if and when Napster is shut down. Newsgroups are already reporting a surge in Gnutella activity. A similar worm, which was built in Visual Basic, spread around the Gnutella community last summer.