Skip to main content /TECH with /TECH


Peer-to-peer virus hits Gnutella users

Network World Fusion

(IDG) -- File swapping on the Internet hit a sour note Tuesday with the appearance of a virus that attacks users of the Gnutella file-sharing service and that several security software vendors say is the first virus to affect peer-to-peer (P2P) communications.

Named W32/Gnuman.worm, or by the alias "Mandragore," the malicious file poses as an ordinary, requested media file. This masked file, however, is actually an EXE file that infects a user's computer once the program is run, according to statements from several anti-virus software vendors.


After it infects a computer, the virus cloaks itself for other Gnutella users, leading them also to believe that it is actually an MP3 music file or an image file. Every time a Gnutella user searches for media files in the infected computer, the virus will always appear as an answer to the request. If, for example, a user looked for songs containing the word "happy," the infected computer would return "happy.exe" as a response to the query, vendors said.

Officials at McAfee -- a division of security specialist Network Associates -- discovered the virus Monday but have yet to identify its origin. McAfee said it is a low-risk threat at this point, due to the fact that only users running Gnutella-compatible software -- such as Gnotella, BearShare, LimeWire or ToadNode -- will be affected and because the virus does not cause much harm. Confidential information and crucial files should not be affected, vendors said. Computer Associates International, Sophos and Kaspersky Labs all issued information on the virus Tuesday. INFOCENTER
Related Stories
Visit an IDG site search

While the virus does little damage other than taking up extra system resources, McAfee officials warn that it could open the way for attacks on Napster -- the most popular P2P service -- and on P2P applications in general.

"This could be the testing ground for something else to come," said Vincent Gullotto, senior director at McAfee's Avert (Anti-Virus Emergency Response Team) labs. "It highlights the potential vulnerabilities in peer-to-peer computing."

A student sent information on the virus to McAfee, but the anti-virus vendor has yet to hear many complaints. Gullotto, however, warns that it could set a precedent for users looking to attack P2P networks and particularly for those with a dislike for Napster's success.

In a worst-case scenario, a virus writer could create a way for a program to scan a user's hard drive for MP3 files or a shared folder and delete all of the content in that folder. Users might then lose hundreds of files.

"If you had something like that and ran it, there is no telling what it could do," Gullotto said.

McAfee still thinks e-mail will remain the most effective way for the transmission of viruses for some time. While Napster claims over 50 million users, the company's applications have not reached the popularity of e-mail, limiting the number of people who can be affected.

"I think e-mail is still somewhat the key for distribution," Gullotto said. "But a virus like this does have the potential to be very damaging once more and more people begin using P2P computing."

After infecting a computer, the virus copies itself to the Windows startup folder with the name "GSPOT.exe" and applies "system" and "hidden" attributes to this file This causes the damaging code to remain in and control a computer's system memory each time the machine is restarted.

The file is 8,192 bytes in length and should not be opened if offered on the Gnutella network. Most anti-virus vendors have already released software updates to take care of the file.

Security experts: Virus proves systems still vulnerable
February 19, 2001
Kournikova virus slams U.S., Europe, misses Asia
February 13, 2001
New e-mail virus preys on Anna Kournikova fans
February 12, 2001
MTX virus gaining speed in unusual ways
December 1, 2000
Experts predict more mutating viruses
October 31, 2000
How a computer virus works
October 23, 2000
Virus protection coming for wireless users
October 19, 2000

Understanding viruses
Alleged Anna Kournikova worm writer steps forward
Are you vulnerable to hackers?
UPDATE: Sun warns of security hole in Java
(IDG News Service -
Symantec to offer SMS notification of viruses
(IDG News Service -
Opinion : How to avoid antivirus software and survive
(IDG News Service -
Virus proves users, systems still vulnerable, security experts say
And you thought Napster was bad
(Network World Fusion)

AVERT: Anti-Virus Emergency Response Team
McAfee Anti-Virus Clinic

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top