ARCHIVED: What is the Gnutella worm, and how do I remove it?
What is the Gnutella worm?
Also known as W32/Gnuman.worm and Mandragore, the Gnutella worm only affects users of the Gnutella application, which is a file-sharing technology.
To become infected, you make a request for a file, to which the worm responds. It poses as an ordinary requested media file, but in reality it is a .exe file. When you run the .exe file, it copies itself into the Gnutella program folder. It modifies the gnutella.ini file to accept .vbs files, copies 23 Trojan files to the Gnutella download directory, and then deletes itself. The Trojan files cloak themselves to always appear as an answer to a request whenever you search for files on the infected computer. For example, if you search an infected computer for a song with the word "sunrise" in it, the computer will respond to the request with an infected file called sunrise.exe. The worm also creates a text file on your hard drive called Yet another GWV!(clientidxxx).zip (where xxx is a number).
How to avoid the Gnutella worm
The Gnutella worm has a consistent size of 8,192 bytes, which makes it easy to spot and thus avoid. Other tips for avoiding the worm are:
- Turn off Windows Scripting Host.
- Don't open .vbs files.
- If you have antivirus software, keep it updated and scan your computer regularly. For help keeping virus patterns current, see the Knowledge Base document ARCHIVED: For Symantec virus protection software, what are my options for updating the virus definitions? For help scanning Windows computers for viruses, see the Knowledge Base document ARCHIVED: Using Symantec/Norton AntiVirus Corporate Edition, how do I immediately scan a file, folder, or drive for viruses? For help scanning Mac OS computers for viruses, see the Knowledge Base document ARCHIVED: Using Norton AntiVirus for Mac OS or Mac OS X, how do I immediately scan a file, folder, or drive for viruses?
- If you don't already have it, install virus protection software. At Indiana University, you can install Norton/Symantec AntiVirus Corporate Edition (NAV CE) from IUware at the following URL:
http://iuware.iu.edu/
How to remove the Gnutella worm
If you have an updated version of NAV, it will remove the worm. Alternatively, you may follow these instructions:
- From within your Gnutella directory, delete the file titled Yet another GWV!(clientidxxx).zip (where xxx is a number).
- Still within the Gnutella directory, delete all occurrences of files with a .vbs extension.
- Launch Gnutella and check the directories that you share. The worm adds the Gnutella directory to this list, so you will need to delete this directory from the list.
- Check out the file extensions list, and remove all occurrences of .vbs files.
Note: These instructions come from a page maintained by Jamie McHale at BTinternet.com. You can see the article in its entirety at:
http://www.btinternet.com/~wildfire/gnutella/vbsworm.htm
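The signs described in this document (8,192-byte .exe files, .vbs files, the Yet another GWV! file, and a gnutella.ini that mentions .vbs) can be checked with a short report-only script. This is an added example, not part of the original instructions or of any antivirus product. It assumes the size check applies to .exe files, it does not assume any particular gnutella.ini key name, and the sample directory it builds is constructed from harmless filler bytes.

```python
import re
import tempfile
from pathlib import Path

WORM_SIZE = 8192  # size stated in this document
# "xxx is a number" in the document; matched here as one or more digits.
MARKER_RE = re.compile(r"^Yet another GWV!\(clientid\d+\)\.zip$", re.IGNORECASE)


def scan_gnutella_dir(root):
    """Return sorted (indicator, relative_path) pairs; nothing is deleted."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if MARKER_RE.match(path.name):
            findings.append(("marker-file", rel))
        if ext == ".vbs":
            findings.append(("vbs-file", rel))
        if ext == ".exe" and path.stat().st_size == WORM_SIZE:
            findings.append(("worm-sized-exe", rel))
        if path.name.lower() == "gnutella.ini":
            text = path.read_text(errors="replace")
            if any("vbs" in line.lower() for line in text.splitlines()):
                findings.append(("ini-mentions-vbs", rel))
    return sorted(findings)


def build_sample_dir(root):
    """Constructed sample tree: filler bytes only, no real worm content."""
    root = Path(root)
    (root / "downloads").mkdir()
    (root / "downloads" / "sunrise.exe").write_bytes(b"\0" * WORM_SIZE)
    (root / "downloads" / "holiday.mp3").write_bytes(b"\0" * WORM_SIZE)  # right size, not .exe
    (root / "downloads" / "setup.exe").write_bytes(b"\0" * 20000)  # .exe, different size
    (root / "readme.vbs").write_bytes(b"' placeholder\r\n")
    (root / "Yet another GWV!(clientid042).zip").write_bytes(b"placeholder")
    # The key name is made up for this sample; the scan only looks for "vbs" on any line.
    (root / "gnutella.ini").write_text("[Gnutella]\nextensions=mp3;avi;vbs\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        for indicator, rel in scan_gnutella_dir(tmp):
            print(f"{indicator:18} {rel}")
```

A file size match alone is only a hint, so review each reported file before deleting it as described in the steps above.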
The threat from this worm is considered mild, as it isn't malicious and only takes up extra system resources. Also, removal is considered easy. However, antivirus officials worry that it will open the door to attacks on file-sharing technologies. Most antivirus distributors have already released software updates to deal with this worm.
For more information, visit:
http://www.symantec.com/avcenter/venc/data/w32.gnuman.worm.html
http://www.commandsoftware.com/virus/gnutella.html
http://zdnet.com.com/2110-11-528470.html
This is document ajku in the Knowledge Base.
Last modified on 2018-01-18 13:06:01.