VBS worm targets Gnutella users

It's little more than an irritant, but the Visual Basic Script worm forces Gnutella users to look before they download

An unknown author has created a worm aimed at infecting Gnutella users.

Possibly malicious in intent, but benign in reality, the worm uses the Visual Basic Script language to store itself on an infected computer in 23 different files named, for example, Pamela Anderson movie listing.vbs, collegesex.vbs, Battlefield Earth.vbs, Napster Metallica Crack.vbs and NSync.vbs.

The worm can only spread to computers whose users execute the code by double-clicking on the file.

Anti-virus firm Trend Micro had not had any reports of public infections, but had posted an alert about the worm, which it calls VBS_GNUTELWORM, on May 31. The worm contains a simpler name, Gnutella Worm v1.1.

Gnutella is a free, distributed network for exchanging files, similar -- but technically different -- to Napster. While the network can be used to exchange any files, most files are pirated copies of music and software or porn.

"This is only going to affect people using the system," said Dan Schrader, chief security analyst for Trend. "This is not going to have a big impact on corporate America."

However, Gnutella users reported that numerous host computers had already been infected by their users clicking on the files.

By late Friday afternoon, ZDNet News could only confirm two infections by searching for the name of a specific file that the worm copies to the victim's hard drive.

By refusing to download -- and open -- VBS files, users of Gnutella can avoid infection.

The worm targets Gnutella by changing the gnutella.ini file to accept Visual Basic Script files and places the 23 Trojan files in the Gnutella download directory so that others on the network may find them.

The worm also creates a "victim" file with some statistics on what generation of the worm infected the user and on what date. One file found by ZDNet News listed itself as the 12th generation and infected the computer at 10 a.m. on May 31.

In addition, the worm copies a warning from its author to users of Gnutella: "If I was a naughty boy, I could use scripting to get name, email, whatever file I want."

Because users have to actively search for the files -- rather than have an infected file delivered to it as in the "ILOVEYOU" worm -- the rate of infection will be low and the worm should not spread widely.

But copycats based on the worm could prove to be more than the academic threat that this current worm poses.

For now, the greatest casualty seems to be the trust between users of Gnutella, said Schrader.

"It is another one of these worms that is eroding the trust relationship that these new distribution systems are based on," he said.

In the light of the recent denial of serivce attacks and the ILOVEYOU virus John Dvorak worries that we ain't seen nothin' yet. Go with him to AnchorDesk UK for the news comment.

What do you think? Tell the Mailroom. And read what others have said.

Go to ZDNet's ILOVEYOU Special Report