Let me state right now that today is a day you should remember. You are witnessing the continuing evolution of worms. In the past year we have been hit with the Melissa and ILOVEYOU worms, as well as their copycats. There has been a steady change in how they penetrate the host and in their target goals. Yet this worm is another turning point, because it marks the move to file-transfer media other than the one that has been typical until now, e-mail.
Now before we start, let me say that by my definitions this is not a worm but a virus, due to the fact that it is not completely self-replicating. But since the English language is fluid, the media seems to be propagating a looser definition of the term "worm", and the author refers to this as a worm in the source, I'm going to call it a worm for consistency.
While doing my normal browsing of the various crap that Gnutella accumulates, I stumbled over this interesting program, described as "ASF Compressor (No quality loss).vbs". At first I didn't really pay much attention to it until I realized that it had shown up over 90 times (across a spread of 2600 Gnutella shared hosts). Another thing that caught my eye was, of course, the "vbs" extension. So I did what any other intelligent person would do, and I downloaded it.
Fearing the wonderful integration of Win98 and not being too familiar with VBScript, I decided to use a DOS shell to check the file out, and I found exactly what I was suspecting. Inside the file were some interesting things, one being a generation counter (which indicated the current cycle of this worm to be 9). Another interesting thing is how the author decided to keep track of who has been infected (by placing the file in the Gnutella shared directory).
According to the worm, it was conceived on May 21st, 2000, and it claims to be the first Gnutella worm ever. To my knowledge the author has not left any identifying marks at all except "42". Below are the comments at the beginning of the file:
' Watching CurrentGeneration will be quite interesting.
' I wonder if anyone ever studied this compared with
' real viral spreading.
'
' 42
'
' History
'
' 1.1 o Now copies itself to a list of target keyword
' instead of just current filename
' o Fixed a but with Ini path... (1.0 didn't work
' at all. he he.)
'
' 1.0 o Initial Release
To download the entire file: DONOTRUNME.asp (Warning!!! Do not run this file. Save it to disk and view it in a text editor such as vi or Notepad.)
The worm then copies itself under various file names such as "Jenna Jameson movie listing.vbs", "Pamela Anderson movie listing.vbs", "Asia Carerra movie listing.vbs", "xxx FTP movie listing.vbs", "ASF Compressor (No quality loss).vbs", "collegesex.vbs", "Gladiator.vbs", "Battlefield Earth.vbs", "Evangelion complete episodes scripts.vbs", "Scan Master checklist.vbs", "How to eat pussy.vbs", "Alicia Silverstone.vbs", "Pearl Jam.vbs", "Mp3 compressor (Half the size but same quality).vbs", "Napster Metallica Crack.vbs", "Santana.vbs", "NSync.vbs", "Nirvana.mp3.vbs", "Shania Twain.mp3.vbs", "Jesus loves you.vbs", "Gnutella upgrade.vbs", "OFFICIAL Gnutella Option Pack.vbs". In each new copy the generation counter is incremented.
Next, the Gnutella INI file is modified. The worm copies it to a new file and edits the copy: it adds the ".vbs" extension to the list of file types to share, adds the base Gnutella path to the list of shared paths, and sets clientid128 to the Machine ID. Finally, the original is deleted and the new file takes its place. Without the ".vbs" entry in the shared file types the copies would not be offered to other hosts, so this edit is what makes the worm searchable on the network.
The author of this worm seems to be non-malicious in intent. He creates a file from information gathered on the host machine (generation, Machine ID, infection date) and adds the comment, "If I was a naughty boy, I could use scripting to get name, email, whatever file I want." This file is then placed in the uploads/shared directory of Gnutella under the name "Yet another GWV! " + Machine ID + ".zip". For humor, I went ahead and searched for such files on Gnutella, and sure enough they were there.
Finally, the worm deletes itself.
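The behaviour described above (the renamed copies, the two INI edits, the rewritten clientid128 and the "Yet another GWV!" marker file) boils down to a handful of host-side indicators. What follows is an added example written for this write-up, not the worm's code and not anything from its author: a small Python triage script that checks a gnutella.ini and a listing of the shared directory for those indicators and reads the generation counter out of a suspected copy. The file names, the marker naming, the clientid128 key and the CurrentGeneration name come from the text above; the INI section name "Gnutella", the key names "SharedExtensions" and "SharedPaths", the exact "CurrentGeneration = n" statement form and all sample data are assumptions constructed for the example.

```python
"""Host-side triage for the Gnutella worm indicators described above.

Added example, not the worm's code. The INI section/key names (other than
clientid128), the VBScript assignment form and the sample data are assumed.
"""
import configparser
import re
from pathlib import PureWindowsPath

# Subset of the file names the write-up lists the worm copying itself to.
GWV_NAMES = {
    "ASF Compressor (No quality loss).vbs",
    "Mp3 compressor (Half the size but same quality).vbs",
    "Napster Metallica Crack.vbs",
    "Gnutella upgrade.vbs",
    "OFFICIAL Gnutella Option Pack.vbs",
    "Santana.vbs",
}

# Marker the worm drops in the uploads/shared directory:
# "Yet another GWV! " + Machine ID + ".zip"
GWV_MARKER = re.compile(r"^Yet another GWV! (?P<machine_id>.+)\.zip$", re.IGNORECASE)

# Generation counter. The variable name is quoted in the worm's own comments;
# the "name = number" statement form is an assumption.
GENERATION = re.compile(r"^\s*CurrentGeneration\s*=\s*(\d+)", re.IGNORECASE | re.MULTILINE)

INI_SECTION = "Gnutella"  # assumed section name


def load_ini(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def check_ini(cp, base_path):
    """Flag the two INI edits the write-up describes.

    Key names 'SharedExtensions' and 'SharedPaths' (';'-separated) are assumed.
    """
    findings = []
    exts = {e.strip().lstrip(".").lower()
            for e in cp.get(INI_SECTION, "SharedExtensions", fallback="").split(";")}
    if "vbs" in exts:
        findings.append("ini: '.vbs' is in the shared file-type list")
    base = PureWindowsPath(base_path)
    for p in cp.get(INI_SECTION, "SharedPaths", fallback="").split(";"):
        # PureWindowsPath compares case-insensitively, as Windows does.
        if p.strip() and PureWindowsPath(p.strip()) == base:
            findings.append(f"ini: Gnutella base path {base_path} is shared")
    return findings


def check_shared_dir(listing):
    """listing: file names found in the Gnutella shared directory."""
    findings = []
    for name in listing:
        m = GWV_MARKER.match(name)
        if m:
            findings.append(f"share: infection marker, Machine ID {m.group('machine_id')}")
        elif name in GWV_NAMES:
            findings.append(f"share: known worm copy '{name}'")
        elif name.lower().endswith(".vbs"):
            # Not on the list, but a script in a media share is worth a look.
            findings.append(f"share: unlisted script '{name}'")
    return findings


def generation_of(vbs_text):
    """Return the CurrentGeneration value in a suspected copy, or None."""
    m = GENERATION.search(vbs_text)
    return int(m.group(1)) if m else None


def triage(ini_text, base_path, listing, vbs_text=""):
    cp = load_ini(ini_text)
    findings = check_ini(cp, base_path) + check_shared_dir(listing)
    # The write-up says clientid128 is rewritten to the Machine ID, which is
    # also embedded in the marker's name; a match ties the marker to this host.
    own_id = cp.get(INI_SECTION, "ClientID128", fallback="")
    for name in listing:
        m = GWV_MARKER.match(name)
        if m and own_id and m.group("machine_id").lower() == own_id.lower():
            findings.append("host: marker Machine ID matches this host's clientid128")
    return {"findings": findings, "generation": generation_of(vbs_text)}


# Constructed sample data (not captured from a real host).
SAMPLE_INI = r"""[Gnutella]
ClientID128=0123456789ABCDEF0123456789ABCDEF
SharedExtensions=mp3;mpg;asf;vbs
SharedPaths=C:\Gnutella\Shared;C:\Gnutella
"""
SAMPLE_LISTING = [
    "Metallica - One.mp3",
    "ASF Compressor (No quality loss).vbs",
    "Yet another GWV! 0123456789ABCDEF0123456789ABCDEF.zip",
    "readme.vbs",
]
SAMPLE_VBS = "' 42\nCurrentGeneration = 9\n"

if __name__ == "__main__":
    result = triage(SAMPLE_INI, r"C:\Gnutella", SAMPLE_LISTING, SAMPLE_VBS)
    print("generation:", result["generation"])
    for f in result["findings"]:
        print(f)
```

The ".vbs" extension check and the base-path check are the two that matter for containment: reverting them stops the host offering the copies even before the copies themselves are found. The marker-to-clientid128 correlation distinguishes a marker this host generated from one it merely downloaded from another infected peer.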
Yes, this worm is not harmful, but let us not forget its warning: "I could use scripting to get name, email, whatever file I want." This is true of all worms, yet this one brings a few new dangers. The first is that it copies itself under so many different file names, which makes it hard to find. Next, Gnutella is an almost (though not completely) anonymous form of file searching and transfer. You never know who you are getting a file from, and you will not tend to be as careful as people currently are about e-mails that say things like "I love you, open this attachment for *insert crap here*". The biggest danger of all comes from the new file shared onto the Gnutella network, which could contain all your information. Not only is it virtually impossible to determine who is downloading these files (unless you pull a "Gnutella Wall of Shame" trick), but the information is also available to anyone else on the network.
Imagine passwords or even credit card numbers stored in "cookies" being packaged along with first name, last name, middle initial, or anything else. Now it is not a problem of one person using your information, but of a virtually limitless number of people accessing it at will without you even knowing it was being shared. I would like to go a step further than saying "This was the first Gnutella worm ever" and state that this may be the very first worm to successfully take advantage of a method of file transfer other than the common e-mail method. This is a worm that can actually take advantage of both methods. What if these easy-to-write worms start taking advantage of both, as well as many more? Then all hell will break loose.
For more reading, I suggest "Worst Nightmares Come Alive" by Roelef Temmingh (July 29th, 1999). It contains what can be considered the blueprints for the perfect worm. At the conclusion he answers the simple question of why he is writing the paper. He states:
"I think that a monster the likes of this is about to be released. It will be only a question of time before a thing like this will happen. The only thing keeping it from happening is that the people with skills to write such an application is not willing to do so, since they, as experts, know the implications."
I believe that his monster is a lot closer to being unleashed than he expected. The Gnutella worm is nothing but another wake-up call in itself, but it may prove dangerous indirectly. Roelef mentions that the experts realize the implications, but do the copycats understand them? Although they themselves may not be able to create his perfect worm, they will have knocked over another domino toward its impending arrival.
- Armadon