First P2P virus hits

File swapping on the Internet hit a sour note Tuesday with the appearance of a virus that attacks users of the Gnutella file-sharing service and that several anti-virus vendors say is the first virus to affect peer-to-peer communications.

Named W32/Gnuman.worm, or by the alias Mandragore, the malicious file poses as an ordinary, requested media file. This masked file, however, is actually an EXE file that infects a user’s computer once the program is run, according to statements from a variety of anti-virus software vendors.

After it infects a computer, the virus cloaks itself for other Gnutella users, leading them also to believe that it is actually an MP3 music file or an image file. Every time a Gnutella user searches for media files in the infected computer, the virus will always appear as an answer to the request. If, for example, a user looked for songs containing the word “happy,” the infected computer would return “happy.exe” as a response to the query, vendors said

Officials at McAfee — a division of security specialist Network Associates Inc. — discovered the virus Monday but have yet to identify its origin. McAfee said it is a low-risk threat at this point due to the fact that only users running Gnutella-compatible software – such as Gnotella, BearShare, LimeWire or ToadNode – will be affected and because the virus does not cause much harm. Confidential information and crucial files should not be affected, vendors said. Computer Associates International Inc., Sophos PLC and Kaspersky Labs Ltd. all issued information on the virus Tuesday.

While the virus does little damage other than taking up extra system resources, McAfee officials warn that it could open the way for attacks on Napster Inc. – the most popular P2P service – and on P2P applications in general.

“This could be the testing ground for something else to come,” said Vincent Gullotto, senior director at McAfee’s Avert (Anti-Virus Emergency Response Team) labs. “It highlights the potential vulnerabilities in peer-to-peer computing.”

A student sent information on the virus to McAfee, but the anti-virus vendor has yet to hear many complaints. Gullotto, however, warns that it could set a precedent for users looking to attack P2P networks and particularly for those with a dislike for Napster’s success.

In a worst case scenario, a virus writer could create a way for a program to scan a user’s hard drive for MP3 files or a shared folder and delete all of the content in that folder. Users might then lose hundreds of files.

“If you had something like that and ran it, there is no telling what it could do,” Gullotto said.

McAfee still thinks e-mail will remain the most effective way for the transmission of viruses for some time. While Napster claims over 50 million users, the company’s applications have not reached the popularity of e-mail, limiting the number of people who can be affected.

“I think e-mail is still somewhat the key for distribution,” Gullotto said. “But a virus like this does have the potential to be very damaging once more and more people begin using P2P computing.”

After infecting a computer, the virus copies itself to the Windows startup folder with the name “GSPOT.exe” and applies “system” and “hidden” attributes to this file This causes the damaging code to remain in and control a computer’s system memory each time the machine is restarted.

The file is 8192 bytes in length and should not be opened if offered on the Gnutella network. Most anti-virus vendors have already released software updates to take care of the file.

More information about the virus is available on AVERT’s Web site at Network Associates, in Santa Clara, Calif., can be reached at The U.S. headquarters for Sophos, in Wakefield, Mass., can be reached at CA, in Islandia, N.Y., can be reached at Kaspersky, in Moscow, is at