Gnutella worm: How to deal with it
Published: 28 Feb 2001 10:22 GMT
When a virus writer succeeds at something new, the virus community calls it a "proof-of-concept" virus or worm. Gnuman (alias W32/GnutellaMan, Mandragore, GnutellaMandragore) is a proof-of-concept worm that only infects users of Gnutella and is not dangerous. The broader context of Gnuman is that future variations might be designed to infect other peer-to-peer (P2P) networks. Gnuman is different from another Gnutella worm detected in June of 2000.
Gnuman can pose as any file name, but always has a length of 8192 bytes. Very few antivirus software companies have reported users infected from Gnumen. Gnuman currently ranks as a 2 on the ZDNet Virus Metre.
How it works When a user of Gnutella searches for a file, the virus on an infected network node will respond with whatever the user is looking for. For example, if the user typed in SearchExample, the file found would be SearchExample.exe and it will have a size of 8192 bytes. Upon executing the downloaded file, the Gnutella user will become infected. Gnutella users can tell if they have been infected if there is a file called gspot.exe located in the Windows Startup folder. On Windows NT/2000 machines, gspot will install itself as a service.
Another characteristic of the worm is that normal Gnutella node queries and responses are handled through ports in the 6000s. Infected users of Gnutella will notice unusual traffic through port 99. Because the worm responds favourably to every request, the increased traffic can shut down some infected nodes.
Antivirus vendors such as Sophos have updated their signature files to detect and remove the Gnuman worm.
Prevention Here are the key steps for preventing the latest outbreak:
Save downloaded files to disk. Save to your downloaded file to a hard drive or disk, then scan the file for viruses before executing.
- Get protected If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these tip-top programs then following the installation instructions. If you're on a network, check with your network administrator first. If you're not sure if your existing antivirus software is up-to-date, scan your system for free to find out.
- Scan your system regularly If you're just loading antivirus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
- Update your antivirus software Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also download updates from ZDNet Updates.com.
- Stay informed Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Viruses, Bugs, Security Alerts page.
Take me to the Virus Workshop
Releasing a virus in the pre-Internet era was like releasing a polio victim on a steam ship. Today, however, the release of hostile code into the wild is more like releasing Ebola into Times Square at rush hour. Today Robert J. Bagnall tells us about the electronic versions of parasitic counterparts found in nature and tells us how our antivirus defences must evolve to meet and beat them. Go to AnchorDesk UK for the news comment.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read what others have said.
Did you find this article useful?
10 out of 24 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
