Gnutella "Virus" Roams

An anonymous reader noted a CNN story about a Gnutella "Virus" floating around. It only affects Windows, and it's actually more of a trojan than a virus, but once infected, it hijacks your Gnutella node to serve itself to other unsuspecting Gnutella users. I'm sure this is only the beginning.
  • Let's say Adobe (being probably one of the most pirated companies out there) decided to write a trojan that spread through a P2P network and once on a user's system searched for pirated Adobe software. Then, once they had the info, they could then better target their anti-piracy efforts.

    Before someone says that once it was known that Adobe was doing that...blah blah, bad PR blah blah...say it was a "black" project and done in a closed non-adobe environment. How would you tell?

  • by Glowing Fish ( 155236 ) on Thursday March 01, 2001 @11:10AM (#391774) Homepage

    When I first read this article, I thought, hey, no problem, doesn't everyone select "automatically hide exe, vbs files" during installation? But I have certainly seen this 8192 bug even though I have this option selected. What's up with this? Does the file hide itself as another file type?

  • Of course, being open source, this bug will be fixed quickly. (Unlike certain other things **cough**cough**outlook**cough**cough)
  • Is this just another way to talk about Napster again?

    Executables are not traded on Napster, and mp3 files are not executed by an mp3 player, so there isn't any danger of a Napster virus.
  • Can I run it under wine?
  • "This is not a threat... it doesn't effect me anyway..." sounds like the canonical initial cry whenever a security hole the size of the grand canyon is revealed.

    It may not effect you, but if it gives the network a bad reputation or screws up enough people who aren't you it's your problem anyway.

  • you can set windows to show extensions of known file types, just go into your explorer window settings and you should be able to find it from there. still doesn't stop people from creating a zip file with the install files for an app, renaming the virus to setup.exe and placing it in the zip file. only a decent anti-v program will detect that, even then, users will most likely turn the V-prog off to install the app! people never learn......
  • by muffen ( 321442 ) on Thursday March 01, 2001 @11:20AM (#391780)
    First of all I would like to say that this is a proof-of-concept worm. It is written by Mandragore, a member of the Spanish-speaking virus-writing group 29A (666 in hex). If you look at all viruses/worms released by 29A, you would see that they are almost always proof-of-concept or very complex.
    Secondly, this was released this weekend, why the story now? Also, regarding the post about viruses, why people write them, I would have to say that stories like this (on slashdot, cnn, zdnet or whatever) are probably what keeps the viruses coming. PUBLICITY!
    Imagine being De Guzman (Loveletter Author), 20 years old in the Philippines, knowing that you will never leave the place. Imagine writing a 50 line VBScript that does 3 rounds around the world in 1 hour. That's power I guess :)

  • I keep getting "nsdkjfnlnponf.htm"...who is generating those?

  • I hate to break it to you but this is a peer to peer network. When you download a file, you don't download it through something, you're getting it directly from the person who replied to your search query. Also, there are two reasons this is spreading slow, the first has already been addressed, you have to be dumb to download and execute this virus. The second is simply that the virus answers all search queries it gets and that slows down the user's node to a crawl.
  • Well actually, if someone finds a buffer overflow in Napster's parsing of an mp3 file header, then there will be a virus.

    So there's actually plenty of danger with Napster.
  • It is not the first [].
  • On many Windows machines, a file named *.mp3.vbs will show up with an mp3 icon, yet when double-clicked on by an unsuspecting user will run the Visual Basic Script it contains, so actually embedding viruses in mp3s isn't necessary.
  • Before that happened, I think they'd have to find a way to insert viruses in most media files (or can they do that already?) such as MP3 or MPEGs etc... since that's what most people look for. I mean knowing NOT to run an executable from a computer you don't know SHOULD be common sense no?

  • file a.out

    'nuff said.
  • Si[plastic] 6 % ls -l /usr/bin/false
    -r-xr-xr-x 1 root wheel 2932 Jan 16 17:53 /usr/bin/false

    ... no visual cue indeed.


    ps. I thought Microsoft only employed smart people 8-)
  • Can you be more specific? I really don't think this is the case - if I remember correctly, the ILOVEYOU virus used an attachment name like ILOVEYOU.TXT.VBS and was displayed as ILOVEYOU.TXT with a VBScript icon (a wavy scroll that looks similar to Notepad's icon but not the icon for text files). Perhaps you're thinking of the EXPLORE.ZIP virus? That was an executable with an attachment name like EXPLORE.ZIP.EXE, and executables can contain their own icons; it used WinZip's icon for Zip files.
  • As long as that's allowed:

    Volume in drive C has no label.
    Volume Serial Number is 1C8B-5434

    Directory of C:\projects\meef

    01/17/2001 01:58p .
    01/17/2001 01:58p ..
    11/29/2000 05:22p 1,144 Form1.frm
    01/15/2001 05:01p 20,480 meef.exe
    01/17/2001 01:58p 1,408 meef.frm
    01/17/2001 01:58p 740 meef.vbp
    01/17/2001 04:20p 50 meef.vbw
    01/15/2001 05:52p 3,964 meef_pure.log
    01/07/2001 11:04p 335 MSSCCPRJ.SCC
    11/29/2000 05:22p 749 Project1.vbp
    12/07/2000 06:11p 50 Project1.vbw

    That's with "Hide Extensions of Known Types" turned on. Looks like both operating systems are doing things just fine.
  • What's gravi? Perhaps you meant something like "aviation" ? Or "Feliz Navidad" ? But who wants to watch movies of planes with guys singing "Merry Christmas" in Spanish?

    Not I.

    kickin' science like no one else can,
    my dick is twice as long as my attention span.
  • by Anonymous Coward
    under bash executable files are green with dircolors turned on, so yes there can be a visual cue if you decide that suits your fancy
  • you know, gravi. it goes good with mpghed potatoes.
  • Perhaps your Gnutella client doesn't filter properly. If you're using Win32, check out bearshare [] (which, besides filtering out this trojan properly, generally kicks ass all-around).
  • by mirko ( 198274 )
    It is funny to see that this story appears after we heard lots about Napster issues with file marking.
    I just wonder whether this story is FUD... After all, it is Napster's interest to discourage their userbase to migrate to GNUtella.
    Of course, there could also be a real bug somewhere....
  • I suppose that every virus writer has his/her own reasons for writing their virus. Whatever their reasons, virus writers should get some credit for making networks more secure. Can you imagine how insecure computers would be if there were nobody attempting to exploit their weaknesses? For security to evolve, so must the efforts of destructive code writers.
  • There will always be some kid out there to make something like this for fun.. The press can then say things like:

    In a worst-case scenario, a virus writer could create a way for a program to scan a user's hard drive for MP3 files or a shared folder and delete all of the content in that folder. Users might then lose hundreds of files.

    "If you had something like that and ran it, there is no telling what it could do," Gullotto said.

    Sure.. We know what it would do.. If you ran it it would delete all your MP3's, or other files, so you best not use any dirty file-sharing software, hint hint, nudge nudge.

  • the same as this one [] ?
  • Zooko of Mojo Nation [] and Raph of Advogato [] gave a talk at the O'Reilly P2P conference on "Attack Resistant Metadata". Essentially, you use something not unlike the PGP web of trust to automatically evaluate a particular piece of metadata according to some criteria such as "how accurately this entity describes data." The further away from you in the graph an entity is, the less you trust their opinion. It's known as "Distributed Trust Metrics". Advogato is a working but centralized example; trusted members of the community can post to the front page, for instance. However, you can't just create a bunch of identities that all certify yourself and get very far - you'll still be outside of the main web.


  • but what happens when .sh or .pl files start popping up? (-=

    You Like Science?
  • man ls
  • This is exactly like the previous VBS gnutella worm, except that it's an executable this time. See a June 2000 ZDnet story [] and this old Slashdot thread [] for more information.
  • Pretty much everything you download with gnutella is "an unknown file from an unknown source". Your solution isn't much of one.
  • I see lots of comments here about how easy it is to spot, it doesn't do much, etc. But don't forget that this is the first.

    The Melissa virus was (I believe) the first major virus to take advantage of the vulnerabilities of having Windows Scripting Host running (read: Outlook), and while all it did was forward an attachment to everyone in your address book, it didn't 'do much', it just so happened to clog up mail servers. Just recently we had ILOVEYOU which did a lot of damage.

    Virii development is getting more and more sophisticated and as it has been said, this is just the first. Look out for greater levels of sophistication as the virus developers learn what they can do with this new platform.
  • I don't think you would find too many companies willing to tie their product/service to a virus.

  • First off there has been a .VBS running around GNUTELLA servers for as long as I can remember so this definitely isn't the first p2p virus. Secondly the anti-virus folks are ranting and raving again... Throwing around buzz words to scare the masses of winblows users. Napster won't allow you to send exe's, vbs', or any other executables. AFAIK there is no way to embed a virus in a win media file so Napster users are quite safe... Only the Gnutella users that are happy to download a 2k MP3 in the first place, then double-click this mp3 with the wrong icon, are susceptible to viri.
  • the same as this one ?

    Given that the other one seemed to only add itself to your download directory, while this one actively spoofs matches for any search, I'd say probably not.

  • You should really take another look. Gnutella has cleaned up quite a bit and the clients are much more mature. I also gave up on Gnutella a couple of months ago, but I have recently re-discovered it and am quite fond of it.

  • try this instead:
    < # echo bash > output

    > # echo '#include <stdlib.h>' > output.c
    > # echo 'int main ( int argc, char **argv ) { system ("bash"); }' >> output.c
    > # gcc output.c -o output
    I think you'll find you get my point.

    PerES Encryption []

  • a lot more people use windows than those who use unix, therefore it only seems natural to have more virii spread this way.
  • i happen to be a gnutella user who runs a reasonable size server, under a windows client. i don't see how it won't affect me. :>

    people who follow basic internet security procedures (don't open unknown exe files, for instance) won't be affected, or indeed effected, by it. would you drive a car without learning what all those signs mean? :)
  • Military intelligence.
    Microsoft Works.
    Windows security.

  • You mean like a virus that installs Linux ;-) ?
  • Just like this has nothing to do with being Open Source or not and rather the arch. and protocol design flaws.

  • The only thing being proven here is that people who download unknown executables and actually run them will have bad things happen to them. Gnutella, like Napster is useful for sharing data files, but not executables or vbs's etc. The real weakness being shown here is the crappy OS which allows file type to be hidden, enables auto-running of VBS scripts, etc. The extensions to the gnutella protocol which were discussed at P2P will enable new tools to protect users from some hazards but there is no way to protect someone who hands over control of his machine to an anonymous stranger. There never has been and there never will be.
  • you are not vulnerable. .EXE files don't run (in a straightforward way) under Linux.
    So yes, thank GNU and Linus for Open Source!
  • I am using Bearshare. v 2.05 I believe.
  • From the looks of it, this is definitely more of a trojan... maybe I'm wrong, but it seems as though you have to actually download AND execute this thing manually in order for it to infect your client. If this is the case, I have a good anti-virii solution: Don't execute unknown files from unknown sources (duh?).
  • Most of these problems are solved with a little thinking.
  • Guess I should've seen this one coming...

  • by BdosError ( 261714 ) on Thursday March 01, 2001 @02:50PM (#391821)
    Microsoft has an even better way hidden within this system. The .shs extension (ShellScrap) is executable as a .vbs is, and is never displayed, even if you turn off "hide extensions for known types". There's also an individual setting for each extension that you can set to always show extensions for this type of file, and that still won't make the .shs show up. Brilliant piece of work that. I believe that's how one of the early VBScript worms worked.


  • Use either Furi or LimeWire. Both can be found under the clones at [].
  • by PHr0D ( 212586 ) on Thursday March 01, 2001 @10:26AM (#391823) Homepage
    This looks like it's related to windows default 'simple mode' where it hides the extensions of 'known' file types (i.e. *.exe).. So if you call a file 'evilvirus.bmp.exe' Windows will hide the exe extension and to a luser it appears to be a graphic file. -Lovely, VB, etc.. etc.. Is there any way we could make Windows *more* virus/worm friendly?

  • That wavy scroll is Windows for 'I don't know what this thing is'

    Notepad's icon is, oddly enough, a little notepad...
  • by hakker ( 11892 ) on Thursday March 01, 2001 @10:26AM (#391825) Homepage
    They think they got Napster beat, so now they are releasing their Winders virusus on Gnutella trying to keep users off. Obviously. Yes, that must be it. Of Course.
  • As I read earlier on this, it requires the user to be "stupid", to run it.. hence why it spreads so slow. Really, this could be any file from a FTP site, or something - it is really the same case as Outlook Viruses =P
  • Maybe humankind can be blessed with a new virus to be hidden in one of the chain friends/good luck/other junk e-mails. When the message is forwarded to the requisite number of friends the forward function of the sender's mail client is disabled. The creator of this would get my vote for Commander of the Universe and Master of Time and Space.
  • Nah. Windows is just fine the way it is.

    Any more virus-friendly and the lusers will be migrating away in hordes, so the virus writers will have to find another target.

    Any less virus-friendly and the virus writers will start looking for another target.

    At the moment there's a nice balance. Soft enough so that the virus writers don't have to think too hard, but the lusers still think the problem is manageable. So the virus-writers don't come after ME.

    Oh, and ;-) for the hard-of-smiling.

  • [Replying to himself ... sad case]
    That ME is the original me, not the millennium edition.
  • RIAA may be behind it.
  • I just created an .shs file on my NT box at work and I could see it fine.

    Is this just a win 98 thing?
  • I ran into this worm when I did a search on my own name for hahas. Imagine my surprise when I found several files out there that were named after me! I downloaded one and opened it with a hex viewer. After seeing the name "Mandragore" I was able to look it up and find out what was going on.

    To see who has the worm do a search on Gnutella for a long nonsense string like "apuqoierk;afiekda". When you find an exact match you can see which nodes have been infected.
  • by Bonker ( 243350 ) on Thursday March 01, 2001 @10:49AM (#391833)
    You may be misunderestimating people's ability to be "stupid". Also, I've discovered in a rather painful way that stupidity runs downhill.

    When my company infected itself with the 'AnnaKournikova' virus, it was only *after* I had sent out a general warning.

    One of the VP's, who *does* know better, opened the message while he wasn't paying attention, clicked on the file, and sent it to everyone else. Everyone else, those who didn't figure it out, opened it because it was from the VP.
  • by First Person ( 51018 ) on Thursday March 01, 2001 @10:49AM (#391834)

    Your description is excellent. I would, however, view this first generation as more 'proof of concept' than anything else. Devising variants which return back variable sized documents or which return 'correct' sizes for a limited set of specific requests can't be long in coming. Likewise you may assume that future versions will examine the request strings and reply only to a subset and only some of the time. Counter measures will develop, of course, and so will the complexity of the trojan horses.

    I think a bigger concern is the potential for this to undermine anonymous P2P networks. Inspired by the RIA, MPAA, hostile governments, etc., many efforts are being made to develop systems which fully hide the identity of the parties involved. It seems that this would also hide the origin of any trojans injected into the system. If users are no longer able to trust the content they receive, will they continue to use these systems?

  • people.... think.... those two words don't make any sense when used in the same sentence.
  • I found this story on infoworld when I went there 'cause I couldn't get through to ./ . So later when I could get through to ./ and submitted it, I added a blurb that it was probably only a matter of time before it gets married to linsniffer or whatever...there seemed to be a large number of submissions before me when I submitted, so anonymous must have been in that group. Makes me wonder what was with /. that made everyone so busy...

    People who advocate the linux model underestimate how much real-world users won't follow the implicit or explicit security rules. Even me, using it for a number of years (slackware, redhat, a few others), and following the virus news groups off and on for a decade, I got hacked recently 'cause I just don't have the time or inclination to spend all my non-work hours patching stoopidass security holes. I have a real computer job, after all. Fortunately not much damage was done because I had so much half-configured crap on there.

    But I gotta say, people who blame the user for being vulnerable, ought to be mugged.

    By the way, I'm not reading email until I get around to reinstalling an OS again. It seems the first thing you need to do when your unix gets hacked is get off the net.
  • Just loaded up BearShare and GNUtella and went searching for these files, haven't found any yet.. Even connecting to 100 hosts. Seems pretty localized, which is good. Let's hope it doesn't start going insane and end up on most people's computers. But then again, aren't the majority of GNUtella users *nix anyway?

  • Nice Troll. YHBC. YHL. HAND.
  • Probably, I just tried it on a windows 95 computer and I couldn't get windows to show the file extension in explorer.exe through the conventional means. It's weird, even if you go into View | Options | File types, then select shs and check the:

    [x] always show extension

    it is still hidden...
  • Wavey scrolls come in two colours: blue and yellow. This indicated the scripting language used IIRC - JavaScript = Yellow; VBScript = Blue. Unknown files are a document with the Windows flag in.
  • Ah, so that's why these people use the double extension. Since "Hide file extension for known file types" is just about the first thing I turn off, it never occurred to me. You'd think they'd notice a file suddenly appear *with* an extension.
    Wait, no they wouldn't.... what am I saying?

  • Is it a bug in Gnutellish clients that data gets transferred? Seriously.. The fact that there is no signature on any Gnutella packet decrying the type of client being used, how could this be fixed? As far as the gnutella spec reads, at no point does it rely on a human to directly respond to each query. Rather the queries are assumed to be xmitted to clients. This just happens to be a client that is not intentionally run.

    It conforms (mostly, it seems) to the spec for xferring data. That makes it a valid gnutella client. Without a monitoring of the type of client sharing data, there is no fix.

    In other words, this is as much a bug as typing:

    $ su - root

    # echo bash > output
    # chmod 777 output
    # chmod u+s output
    and expecting the operating system to prevent attacks. It is not a software nor an implementation problem. Rather, it is an attack on the protocol that relies on human engineering to work. (ie, Gnutella operates on a big fundamental flaw.. all clients are kind and good)

    The way I see it, it was just a matter of time. Those who wish to transfer data anonymously should consider the source of the data. Fact is, unless you can authenticate the source, then expect garbage and get surprised from time to time.

    In other words.. I double dog dare somebody to fix this in software. And even if they manage by some stroke of super-genius to fix it, it will not prevent similar attacks entirely.

    PerES Encryption []

  • It certainly won't effect him, since he's already come into being. It might affect him, though.
  • .. i may be wrong, but wasn't there something similar to this with napster. A re-hashed version of the prog that forced serving... I know there are/were a few of these for IRC clients. Honestly, this SHOULDN'T be that hard to take care of
  • I know that there are some virii/worms/whatever that infect *nix systems...The DNS worm of the late 80's comes to mind. But why are there so many more 'virii' that infect windows systems? Is it easier to develop them? Is it a security thing? Is it that most l337 d00dz are anti-windows, hence, windows virii? Just wondering...
  • It may be that Napster is immune, but I see a lot of weird stuff like *.mp3.mpg and *.mp3.vbs when I use the OpenNap servers.
  • A friend of mine who is a VB addict warned me about viruses for Linux three years ago. He claimed that the OS wars had spawned enough hatred for people to actually write viruses for OSes they did not like. He even said that people at MS proper were working on them.

    It scared me a little. This was when I was first looking into Linux and did not know much better. At the same time, I figured he knew his friends. Looking around here, I see the same thing from time to time as this little beauty from message #33 by Fross (+5 interesting) "But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)". Nod nod, wink wink, not very funny.

    Thankfully, nothing bad ever happened.

  • Windows what? Windows 3.1? 95? 98? ME? NT 3.51? NT 4.0? 2000? If you're going to Troll, at least be more specific.

  • Come on. That's a dead giveaway of something wrong. I always inspect the size of mp3 files I find on Gnutella (usually to guess at the bitrate of the file), and if I see something outlandish (like this), then I ignore it.

    As for the universal search matching capability, that's nothing new. Remember Flatplanet?

  • It makes you wonder... Not that this virus isn't completely real, but aren't there certain people or companies that are helped by bogus virus warnings?

    RIAA to put Napster in Crapster []

    "Lovable Lars" Fan Club []

  • Ummm.... you do realize it's the Open Source nature of this project that makes it so OPEN to this type of exploit, right?

    I'm not sure that's the case. Once you figure out how the search requests work (which can't be that hard, whether or not you have the source) it should be easy to for a program to send back "results" and serve up whatever file it wants in their place.

    I agree that Open Source is no magic bullet. However, my hope/expectation is that, with enough people working on it (which is key to the success of Open Source), people will fix the problem, or at least plug the loophole long enough that people can get some use out of the system before the next trojan comes along.

    -Erf C.

  • Cue James Earl Jones ...

    Cue music ...

    is the Time-Warner Propaganda Network.

  • This is one of the most amazing misfeatures in the Windows shell imaginable -- as if using the name of the file to determine the type isn't the most backwards decision ever, they compound their crime by actually HIDING information from the user that is ESSENTIAL to operate the computer. Everytime I try using Windows as something other than a game- or ACL-launching platform, shit like this just makes me want to cry.

    No real content, just an amazed head shaking.

  • As I read earlier on this, it requires the user to be "stupid", to run it.

    But people are stupid. See the subject line. This is how a typical virus is initially spread. And yes, there are plenty of people stupid enough to download and run stuff like this. Curious kids who don't know better. People using computers that aren't theirs (e.g., school computers) so they don't care if they get infected. AOL users, etc.

    I actually find it interesting to download these and run them through 'strings' to see what's there. Silly messages, "Ha ha ha ha!", long lists of IP addresses and hostnames and port numbers. Then probe the sites to see what I can find there.

  • It's written in Java and compatible with the Gnutella protocol, so it's impervious to windoze viruses : []
  • Yup, and it's exactly why I added SHS file protection to a freeware program I wrote that helps protect against viruses spread by Windows Scripting Host and ShellScrap Files. (I'm finishing up the next version that adds REG, HTA, Word Doc, Excel, and SHB support as well.) In case anyone's interested, you can download it from [].
  • CmdrTaco's statement is a little misleading. The trojan does not "hijack" your Gnutella node. When executed, it sniffs network traffic looking for Gnutella search requests. When it sees one, no matter what the request is for, it sends back a positive match to the request. If the remote user downloads the matched file (which is always 8,192 bytes in size), they'll get the trojan.

    It's pretty easy to determine which Gnutella users are infected. Just do a search for 'nsdkjfnlnponf' or some other completely nonsense phrase. You'll get a bunch of matches, all files 8,192 bytes long. These are infected nodes.
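
The checks described in this thread (hosts that answer a nonsense query, matches of exactly 8,192 bytes, executable and double extensions) can be combined into one client-side filter. The following is an added example, not part of the original discussion or of any Gnutella client; the `Hit` record, the function names and the sample results are assumptions constructed for illustration.

```python
import os
from collections import namedtuple

# One search result as a client might hold it. The field names are assumptions
# made for this example, not the layout of any particular Gnutella client.
Hit = namedtuple("Hit", "host filename size")

TROJAN_SIZE = 8192               # every spoofed match in the thread is 8,192 bytes
CANARY_QUERY = "nsdkjfnlnponf"   # nonsense search string quoted in the thread
RISKY_EXTS = {".exe", ".vbs", ".shs"}                  # run on double-click under Windows
DECOY_EXTS = {".mp3", ".mpg", ".bmp", ".txt", ".zip"}  # what the user expects to get


def hosts_answering_canary(canary_hits):
    """A host that 'matches' a nonsense query is answering every query it sees."""
    return {hit.host for hit in canary_hits}


def reasons_to_reject(hit, query, suspect_hosts):
    """Return the list of reasons this hit should not be offered for download."""
    reasons = []
    stem, ext = os.path.splitext(hit.filename.lower())
    inner_ext = os.path.splitext(stem)[1]

    if hit.host in suspect_hosts:
        reasons.append("host answered the canary query")
    # Coarse rule: a legitimate file can be 8,192 bytes too, so treat this as a
    # signal to review rather than proof.
    if hit.size == TROJAN_SIZE:
        reasons.append("size is exactly 8192 bytes")
    if ext in RISKY_EXTS:
        reasons.append("executable extension " + ext)
        if inner_ext in DECOY_EXTS:
            # e.g. song.mp3.vbs, shown as song.mp3 when extensions are hidden
            reasons.append("double extension " + inner_ext + ext)
        if stem == query.lower().strip():
            # the trojan names its reply after whatever was searched for
            reasons.append("name is only the search string plus " + ext)
    return reasons


def screen(hits, query, canary_hits):
    """Split hits for `query` into (accepted, [(hit, reasons), ...])."""
    suspect_hosts = hosts_answering_canary(canary_hits)
    accepted, rejected = [], []
    for hit in hits:
        reasons = reasons_to_reject(hit, query, suspect_hosts)
        if reasons:
            rejected.append((hit, reasons))
        else:
            accepted.append(hit)
    return accepted, rejected


# Constructed sample data (documentation-range addresses, made-up file names).
SAMPLE_CANARY_HITS = [
    Hit("192.0.2.10", CANARY_QUERY + ".exe", 8192),
    Hit("192.0.2.44", CANARY_QUERY + ".exe", 8192),
]
SAMPLE_QUERY = "chemical brothers"
SAMPLE_HITS = [
    Hit("192.0.2.10", "chemical brothers.exe", 8192),
    Hit("198.51.100.7", "Chemical Brothers - Block Rockin Beats.mp3", 4915200),
    Hit("198.51.100.9", "chemical brothers live.mp3.vbs", 2048),
    Hit("192.0.2.44", "chemical brothers.mp3", 8192),
    Hit("198.51.100.7", "chemical brothers setup.zip", 733184),
]

if __name__ == "__main__":
    ok, bad = screen(SAMPLE_HITS, SAMPLE_QUERY, SAMPLE_CANARY_HITS)
    for hit in ok:
        print("ACCEPT", hit.host, hit.filename)
    for hit, why in bad:
        print("REJECT", hit.host, hit.filename, "->", "; ".join(why))
```

The filter only looks at result metadata, so it does not cover the case raised elsewhere in the thread of an executable placed inside a zip archive.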


  • Yes, but if you remember the point of gnutella is to trade files, many of which are executable files. So this will definitely put a damper on that use of gnutella.
  • by C64 ( 130005 ) on Thursday March 01, 2001 @10:57AM (#391863)

    Ummm.... you do realize it's the Open Source nature of this project that makes it so OPEN to this type of exploit, right?

    I don't use GNUtella myself - while the project does sound interesting, I've had too many of my friends tell me they completely gave up on the system months ago because too many hacked clients were appearing and spamming the entire system.

    I am not going to make the claim that making this project closed source is a viable solution to correcting this problem. HOWEVER, I won't make the rather insipid statement that the problem will go away because the project is Open Source, either.

    Open Source is a great idea. BUT, it is not a magic bullet.

  • When questioned on whether this has anything to do with bad security in Windows Bill Gates replied:

    "HA! Bad security in Windows? See the GNU at the beginning? That is what's causing this. Anything to do with GNU WILL cause harm to your computer, eat your filesystem, documents, grandma, etc... Besides the only ones getting effected are evil music thieves..."

    Bill was later seen walking away with a bag with the words "RIAA Bribe money" over his shoulder.

  • "Pinky, Are you pondering what I'm pondering?"

    "I think so Brain, but where are we going to find a rhinoceros in heat at this time of year?"

  • Can you imagine how insecure computers would be if there were nobody attempting to exploit their weaknesses?

    Erm, but if no one was attempting to exploit any weaknesses, why bother with security at all?


  • Ooooo, but I can think of many companies willing to tie their competitor's products/services to a virus.
  • by KilobyteKnight ( 91023 ) <> on Thursday March 01, 2001 @12:48PM (#391873) Homepage
    Is there any way we could make Windows *more* virus/worm friendly?
    Top 10 ways to make Windows *more* virus/worm friendly:

    10. MS Virus SDK
    9. "START virus" button on task bar
    8. Paperclip with virus hints
    7. "Auto replicate and spread" option in Outlook
    6. WORM.CAB
    5. Bundle virus protection in Windows
    4. Require Windows virus updates be done via Hotmail
    3. Virus32.dll
    2. Tell Microsoft that people are giving away viruses for free in an "Un-American" way.
    1. Two words: DOT NET

  • Just like no one would ever want to send unsolicited email, right?

  • Yeah, it's one of the things I turn off as well. The main reason is that it obscures whether that "Notepad document" is actually .txt, .log or .cfg as they all have the same icon and description. It's also a git where there are 4 files with the same name; foobar.exe foobar.dll foobar.ini and foobar.ico all appear as foobar, making it difficult to differentiate between them.
  • I mean knowing NOT to run an executable from a computer you don't know SHOULD be common sense no?

    It was only a few years ago that, as a system administrator, I reassured users that there was no possible way they could get a virus from reading email. This was in response to the GoodTimes 'virus' []. Little did I suspect that our, um, good friends at Microsoft would allow Outlook to run scripts.

    You can't assume that only executables will spread viruses in future. However, this isn't the main point. If users hear that they may get a virus using a particular P2P network - even if they have to be morons to catch it - how many will avoid the P2P network anyway?

  • Well, they could adopt the UNIX mechanism whereby there is no visual cue at all about the possibility that a file is an executable.

    "a.out" anyone?

    Yes! We are all individuals! I'm not!
  • What a load. Not worth attempting to rebut, since the main point seems to be to construct an Open Source zealotry windmill at which to tilt.
  • Does bash have anything to do with whether or not the binary ls displays colors or not?
  • by Fross ( 83754 ) on Thursday March 01, 2001 @10:34AM (#391893)
    I've seen this over the last couple of weeks on Gnutella servers. There's been some other discussion about it, I believe on The Register, and i've done a bit of nosing round myself.

    Ultimately this is not a threat. It is quite obvious to spot (if someone is searching for, for instance "chemical brothers" it'll return "chemical brothers.exe", which is an unexpected result, ie no track name and not an mp3 or so), though i have seen a variation that tries to disguise the fact that it is an exe (i've seen some spurious entries in "file type" entries under the Gnucleus client), and even if infected, your machine runs as a server for the virus - as far as i can tell, this won't make your machine run as a server when you're not running a gnutella client/server anyway, it'll simply return itself when someone's search hits your machine.

    Many (sensible) clients already screen out several types of files, such as .vbs, and .exe - these won't be susceptible to the worm at all. All the worm does is replicate itself, nothing else. Though that's not to say someone else isn't going to use this mechanism to write something a lot nastier. But for now, it should only affect the terminally stupid or extremely unwary :) and Windows users to boot! ;)

  • I saw that a few ip addresses were returning "[search].exe" and "[search]" the other day on gnutella. Out of curiosity, I tried to download them, but was unsuccessful. Then I blocked these IP addresses and dropped all messages from them. It seems that the real reason this 'virus' will spread slowly is because it's nearly impossible to download anything from gnutella. The authors of this trojan must not have been too bright--they should have infected a P2P network with better throughput, like Napster.
