ARCHIVED: What is the Gnutella worm, and how do I remove it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

What is the Gnutella worm?

Also known as W32/Gnuman.worm and Mandragore, the Gnutella worm only affects users of the Gnutella application, which is a file-sharing technology.

To become infected, you make a request for a file, to which the worm responds. It poses as an ordinary requested media file, but in reality it is a .exe file. When you run the .exe file, it copies itself into the Gnutella program folder. It modifies the gnutella.ini file to accept .vbs files, copies 23 Trojan files to the Gnutella download directory, and then deletes itself. The Trojan files cloak themselves to always appear as an answer to a request whenever you search for files on the infected computer. For example, if you search an infected computer for a song with the word "sunrise" in it, the computer will respond to the request with an infected file called sunrise.exe. The worm also creates a text file on your hard drive called Yet another GWV!(clientidxxx).zip (where xxx is a number).

How to avoid the Gnutella worm

The Gnutella worm has a consistent size of 8,192 bytes, which makes it easy to spot and thus avoid. Other tips for avoiding the worm are:

How to remove the Gnutella worm

If you have an updated version of Norton AntiVirus (NAV), it will remove the worm. Alternatively, you may follow these instructions:

  1. From within your Gnutella directory, delete the file titled Yet another GWV!(clientidxxx).zip (where xxx is a number).
  2. Still within the Gnutella directory, delete all occurrences of files with a .vbs extension.
  3. Launch Gnutella and check the directories that you share. The worm adds the Gnutella directory to this list, so you will need to delete this directory from the list.
  4. Check the file extensions list, and remove all occurrences of the .vbs extension.

Note: These instructions come from a page maintained by Jamie McHale at BTinternet.com. You can see the article in its entirety at:

  http://www.btinternet.com/~wildfire/gnutella/vbsworm.htm
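The indicators described above (an 8,192-byte .exe, .vbs files in the Gnutella directory, the "Yet another GWV!" marker file, and a gnutella.ini that mentions .vbs) can be checked with a short read-only script. This is an added example, not part of the original article or of Jamie McHale's instructions; it assumes gnutella.ini is plain text, and the sample files and the "extensions=" key it writes are constructed for illustration.

```python
import sys
import tempfile
from pathlib import Path

WORM_SIZE = 8192                    # worm size stated in the article
MARKER_PREFIX = "yet another gwv!"  # marker file name from the article, lowercased


def scan_gnutella_dir(root):
    """Return sorted (relative_path, reason) pairs for files matching the article's indicators."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        rel = path.relative_to(root).as_posix()
        if name.startswith(MARKER_PREFIX):
            findings.append((rel, "marker file created by the worm"))
        if name.endswith(".vbs"):
            findings.append((rel, ".vbs file inside the Gnutella directory"))
        if name.endswith(".exe") and path.stat().st_size == WORM_SIZE:
            findings.append((rel, "8,192-byte .exe"))
        # Assumption: gnutella.ini is plain text and lists extensions literally.
        if name == "gnutella.ini" and "vbs" in path.read_text(errors="replace").lower():
            findings.append((rel, "gnutella.ini mentions vbs"))
    return sorted(findings)


def make_constructed_sample(root):
    """Build a constructed sample directory; every file is harmless placeholder data."""
    root = Path(root)
    (root / "downloads").mkdir()
    (root / "downloads" / "sunrise.exe").write_bytes(b"\0" * WORM_SIZE)
    (root / "downloads" / "installer.exe").write_bytes(b"\0" * 4096)
    (root / "downloads" / "sunrise.mp3").write_bytes(b"\0" * WORM_SIZE)
    (root / "Yet another GWV!(clientid123).zip").write_text("constructed")
    (root / "notes.vbs").write_text("' constructed placeholder")
    # Hypothetical key name; the article does not show the real gnutella.ini layout.
    (root / "gnutella.ini").write_text("extensions=mp3;avi;vbs\n")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        make_constructed_sample(target)
    for rel, reason in scan_gnutella_dir(target):
        print(f"{rel}: {reason}")
```

The script only reports matches and deletes nothing; a legitimate .exe can also be exactly 8,192 bytes, so review each hit before removing it.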

The threat from this worm is considered mild, as it isn't malicious and only takes up extra system resources. Also, removal is considered easy. However, antivirus officials worry that it will open the door to attacks on file-sharing technologies. Most antivirus distributors have already released software updates to deal with this worm.

For more information, visit:

  http://www.symantec.com/avcenter/venc/data/w32.gnuman.worm.html

  http://www.commandsoftware.com/virus/gnutella.html

  http://zdnet.com.com/2110-11-528470.html

This is document ajku in the Knowledge Base.
Last modified on 2018-01-18 13:06:01.