Gnutella Users Face First Peer-to-Peer Virus

File-swapping on the Internet has hit a sour note with the appearance of a virus that attacks users of the Gnutella file-sharing service. The W32/Gnuman.worm, which appeared Tuesday, may be the first virus to affect peer-to-peer (also known as P2P) communications, and could bear ill for such file-sharing operations.

The malicious file, also called Mandragore, poses as an ordinary, requested media file. However, it is actually an executable file that infects your PC once the program is run, according to statements from several antivirus software vendors.

After it infects a computer, the virus cloaks itself for other Gnutella users, leading them also to believe that it is actually an MP3 music file or an image file. When a Gnutella user searches for media files in the infected computer, the virus will always appear as an answer to the request. If, for example, a user looked for songs containing the word "happy," the infected computer would return "happy.exe" as a response to the query, vendors say.

After infecting a PC, the virus copies itself to the Windows StartUp folder with the name "GSPOT.exe" and applies "system" and "hidden" attributes to this file. This causes the damaging code to remain in and control system memory each time the PC is restarted.

The file is 8192 bytes long, and antivirus vendors say you shouldn't open it if you find it on the Gnutella network. Most vendors have already updated their virus definitions to neutralize the file.

Officials at McAfee, a division of security specialist Network Associates, discovered the virus Monday but have yet to identify its origin. McAfee representatives call it a low-risk threat at this point, because only users running Gnutella-compatible software are affected, and the virus causes little harm. Besides Gnutella software, Mandragore affects users of Gnotella, BearShare, LimeWire, and ToadNode.

The file does not affect crucial files or data, antivirus vendors say. Computer Associates, Sophos, and Kaspersky Labs all have issued information on the virus.

Targeting Peer-to-Peer?

While the virus does little damage except take up system resources, McAfee officials warn that it could open the way for attacks on Napster, the most popular peer-to-peer service, and on peer-to-peer applications in general.

"This could be the testing ground for something else to come," says Vincent Gullotto, senior director at McAfee's Anti-Virus Emergency Response Team (AVERT) labs. "It highlights the potential vulnerabilities in peer-to-peer computing," he says.

A student alerted McAfee to the virus, but the vendor has heard few complaints. However, Gullotto warns that it could set a precedent for people who want to attack peer-to-peer networks, and particularly for those with a dislike for Napster's success.

In a worst-case scenario, a virus writer could create a way for a program to scan your hard drive for MP3 files or a shared folder, and delete all of the content in that folder. People could lose hundreds of files.

"If you had something like that and ran it, there is no telling what it could do," Gullotto says.

McAfee expects e-mail will remain the most effective way to transmit viruses for some time. While Napster claims more than 50 million users, its applications have not reached the popularity of e-mail, limiting the number of people who can be affected.

"But a virus like this does have the potential to be very damaging, once more and more people begin using P2P computing," Gullotto adds.