First peer-to-peer virus hits

File swapping on the Internet hit a sour note Tuesday with the appearance of a virus that attacks users of the Gnutella file-sharing service and that several security software vendors say is the first virus to affect peer-to-peer (P2P) communications.

Named W32/Gnuman.worm, or by the alias "Mandragore," the malicious file poses as an ordinary, requested media file. This masked file, however, is actually an EXE file that infects a user's computer once the program is run, according to statements from several anti-virus software vendors.

After it infects a computer, the virus cloaks itself for other Gnutella users, leading them also to believe that it is actually an MP3 music file or an image file. Every time a Gnutella user searches for media files in the infected computer, the virus will always appear as an answer to the request. If, for example, a user looked for songs containing the word "happy," the infected computer would return "happy.exe" as a response to the query, vendors said.

Officials at McAfee -- a division of security specialist Network Associates -- found out about the virus Monday but have yet to identify its origin. McAfee said it is a low-risk threat at this point, due to the fact that only users running Gnutella-compatible software -- such as Gnotella, BearShare, LimeWire or ToadNode -- will be affected and because the virus does not cause much harm. Confidential information and crucial files should not be affected, vendors said. Computer Associates International, Sophos and Kaspersky Labs all issued information on the virus Tuesday.

Ben Houston, a student at Carleton University in Ottawa, Canada, is being credited with discovering and reporting the virus. A member of the Gnutella Developer's Forum, he says enterprise users in a closed P2P network should have more protection than those in the public domain, because their networks typically have built-in access and authentication features not available to public users.

While the virus does little damage other than taking up extra system resources, McAfee officials warn that it could open the way for attacks on Napster -- the most popular P2P service -- and on P2P applications in general.

"This could be the testing ground for something else to come," said Vincent Gullotto, senior director at McAfee's Avert (Anti-Virus Emergency Response Team) labs. "It highlights the potential vulnerabilities in peer-to-peer computing."

McAfee has yet to hear many complaints. Gullotto, however, warns that it could set a precedent for users looking to attack P2P networks and particularly for those with a dislike for Napster's success.

In a worst-case scenario, a virus writer could create a way for a program to scan a user's hard drive for MP3 files or a shared folder and delete all of the content in that folder. Users might then lose hundreds of files.

"If you had something like that and ran it, there is no telling what it could do," Gullotto said.

McAfee still thinks e-mail will remain the most effective way for the transmission of viruses for some time. While Napster claims over 50 million users, the company's applications have not reached the popularity of e-mail, limiting the number of people who can be affected.

"I think e-mail is still somewhat the key for distribution," Gullotto said. "But a virus like this does have the potential to be very damaging once more and more people begin using P2P computing."

After infecting a computer, the virus copies itself to the Windows startup folder with the name "GSPOT.exe" and applies "system" and "hidden" attributes to this file. This causes the damaging code to remain in and control a computer's system memory each time the machine is restarted.

The file is 8,192 bytes in length and should not be opened if offered on the Gnutella network. Most anti-virus vendors have already released software updates to take care of the file.
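
The traits reported above (a search hit named after the query with an .exe extension, a file of 8,192 bytes, and a hidden, system-flagged "GSPOT.exe" in the startup folder) can be combined into a simple triage check. The Python below is an added example, not code from the article or from any vendor; the function names, the extension list and the sample records are constructed for illustration.

```python
import stat
from pathlib import PureWindowsPath

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}   # assumed list of risky types
REPORTED_SIZE = 8192                  # bytes, as reported in the article
REPORTED_STARTUP_NAME = "gspot.exe"   # name reported in the article

def flag_query_hit(query, filename, size):
    """Return the reasons a Gnutella query hit matches the reported behaviour."""
    name = PureWindowsPath(filename)
    if name.suffix.lower() not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable returned for a search"]
    if name.stem.lower() == query.strip().lower():
        reasons.append("file name echoes the search term")
    if size == REPORTED_SIZE:
        reasons.append("size equals the reported 8,192 bytes")
    return reasons

def flag_startup_entry(filename, attributes):
    """True for a startup-folder file with the reported name that is hidden and system."""
    cloaked = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return (filename.lower() == REPORTED_STARTUP_NAME
            and (attributes & cloaked) == cloaked)

# Constructed sample data (not captured traffic): (query, file name, size).
SAMPLE_HITS = [
    ("happy", "happy.exe", 8192),
    ("happy", "Happy Together.mp3", 3145728),
    ("sunset", "sunset.jpg", 8192),
]
# Constructed startup-folder listing: (file name, Windows attribute bits).
SAMPLE_STARTUP = [
    ("GSPOT.exe", stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM),
    ("Office Startup.lnk", stat.FILE_ATTRIBUTE_ARCHIVE),
]

def triage():
    """Run both checks over the constructed samples."""
    hits = {f: flag_query_hit(q, f, s) for q, f, s in SAMPLE_HITS}
    startup = [f for f, a in SAMPLE_STARTUP if flag_startup_entry(f, a)]
    return hits, startup

if __name__ == "__main__":
    hits, startup = triage()
    for name, reasons in hits.items():
        print(name, "->", reasons or "no match")
    print("startup folder matches:", startup)
```

A matching size alone does not flag a file; the size only adds weight once the hit is already an executable.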

The IDG News Service is a Network World affiliate. Network World Senior Editor April Jacobs contributed to this report.


Copyright, 1994-2006 Network World, Inc. All rights reserved.