BearShare Forums  

  #1 (permalink)  
Old February 25th, 2001
Novicius
 
Join Date: February 24th, 2001
Location: Pick, One USA
Posts: 3
ChronKyrios is flying high
Exclamation *Trojan Horse!!

I have been using BearShare for a short period of time. I have found that MANY of my searches come up with an EXACT MATCH (with an EXE tacked on the end), though I am using only keywords. This follows even with searches like "dhvsbgjjk sdagbb".
Generally, the file size of the match is 8192 bytes, but has varied.
There is some consistency in the IP addresses that return it.
I downloaded one of them (incidentally), and ran it. It seemed to do nothing. Then my firewall started warning me of outbound connection requests. I denied it, removed it, and rebooted.
When I came back, I found a similar program with a different name in my startup menu. I removed that as well.

Could not determine the nature of the program except that it wanted to connect to seemingly random IP addresses.
The programs passed a virus check, and no reference was found on the internet.
Oh, the only other consistency seemed to be that they were all listed on port 99 in the search results column.

This is a warning as well as a question. The question is: has anyone seen this, or know anything about it? Any information would be helpful.
  #2 (permalink)  
Old February 25th, 2001
TomG
Guest
 
Posts: n/a
Post

I have seen it.

It appears to be a tiny worm designed to simply propagate itself.

It seems to add itself to Gnutella's search results somehow.

It seems to contain an HTTP server in itself.

It seems to upload itself on any request to that HTTP server.

I couldn't tell you if it had any destructive payload.
  #3 (permalink)  
Old February 25th, 2001
Novicius
 
Join Date: February 24th, 2001
Location: Pick, One USA
Posts: 3
ChronKyrios is flying high
Post

Still unsure of its limitations, but I am positive it is program independent. Just tried it with Gnotella, same results.
  #4 (permalink)  
Old February 25th, 2001
Novicius
 
Join Date: February 24th, 2001
Location: Pick, One USA
Posts: 3
ChronKyrios is flying high
Exclamation

This is an update to this WORM/TROJAN thing:

I have found two alterations from the above description. Occasionally it will leave off the .exe from the file returned. And occasionally, it will return a file size of 4,294,967,295.


So far, I have been unable to block these return results with a firewall. I am using Tiny Personal, and am new at it. I have most of it set up fine, but this escapes me. Any help on that would be appreciated as well, though I know this is not a firewall support base.
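The indicators reported in posts #1 and #4 (file name equal to the search string with or without ".exe", size 8192 or 4,294,967,295, port 99) can be checked against incoming search results; this is an added example, not part of the thread and not code from any Gnutella client. It assumes the Gnutella 0.4 QueryHit payload layout (hit count, port, IP, speed, result entries, 16-byte servent identifier), and the function names, the two-indicator threshold and the sample payloads are constructed for illustration.

```python
import struct

# Indicators come from posts #1 and #4; the two-indicator threshold is an assumption.
SUSPECT_SIZES = {8192, 0xFFFFFFFF}  # 4,294,967,295 is the maximum of a 32-bit size field
SUSPECT_PORT = 99

def parse_query_hit(payload):
    """Parse a Gnutella 0.4 QueryHit payload into (port, ip, [(size, name), ...])."""
    count, port = struct.unpack_from("<BH", payload, 0)
    ip = ".".join(str(b) for b in payload[3:7])
    pos, results = 11, []  # offsets 7-10 hold the speed field, unused here
    for _ in range(count):
        _index, size = struct.unpack_from("<II", payload, pos)
        name_end = payload.index(b"\x00", pos + 8)
        name = payload[pos + 8:name_end].decode("latin-1")
        results.append((size, name))
        # A second NUL closes the entry (extension data may sit between the two).
        pos = payload.index(b"\x00", name_end + 1) + 1
    return port, ip, results

def worm_indicators(query, port, size, name):
    """List which of the thread's indicators a single result matches."""
    q, n = query.strip().lower(), name.strip().lower()
    found = []
    if n == q + ".exe":
        found.append("name is the query plus .exe")
    elif n == q:
        found.append("name is the bare query")
    if size in SUSPECT_SIZES:
        found.append("size %d" % size)
    if port == SUSPECT_PORT:
        found.append("port 99")
    return found

def flag_hits(query, payload, threshold=2):
    """Return (ip, name, indicators) for results matching at least `threshold` indicators."""
    port, ip, results = parse_query_hit(payload)
    flagged = []
    for size, name in results:
        found = worm_indicators(query, port, size, name)
        if len(found) >= threshold:
            flagged.append((ip, name, found))
    return flagged

def build_hit(port, ip, results):  # constructed sample payload, not captured traffic
    body = struct.pack("<BH", len(results), port) + bytes(ip) + struct.pack("<I", 0)
    for i, (size, name) in enumerate(results):
        body += struct.pack("<II", i, size) + name.encode("latin-1") + b"\x00\x00"
    return body + bytes(16)  # trailing 16-byte servent identifier
```

A truncated payload raises `struct.error` or `ValueError` in `parse_query_hit`, so callers handling untrusted traffic should catch both and drop the descriptor.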
  #5 (permalink)  
Old March 1st, 2001
Craig
Guest
 
Posts: n/a
Lightbulb

Let's hope the impact of this new development does not become a thorn in the flesh. This worm is probably a pilot virus to test for its viability. There is little if any value in an 8K download, so the worm gives itself away; how many of us are searching for a file 8K in size, right? However, future revisions could make the file any size, disguising its true colors.

I don't d/l any exe files as it is, I'm sure not going to start now. Embedding the file into a zip package could be a problem unless detection can remove it first. The big boys, i.e. Symantec and McAfee, will hopefully address the issue and resolve at some point. You might think that they have no concern for Gnutella plagues, but exe viruses can impact anyone with an internet connection, so they will have a vested interest in case variants/mutants come about, which I believe is inevitable.
  #6 (permalink)  
Old March 2nd, 2001
Shoeb
Guest
 
Posts: n/a
Post

So we can all learn to avoid downloading .exe files as well as files with no file type associated with them. But with respect to files with a false .mp3 extension, I don't see how that poses a threat. Because if you double click on a file like that, your computer will try to open it with your music playing software and the software won't recognize the file and come back with an error message. So even if it's an executable file with a *.mp3 mask, it really can't be executed unless you explicitly tell your computer to do so. Is there still a threat here?
  #7 (permalink)  
Old March 2nd, 2001
MANDAGORE WORM
Guest
 
Posts: n/a
Post

Hi there, get real, people: don't trust all these McAfee and Symantec antiviruses, go get AVP at www.avp.ru.
This is a worm documented at:

http://www.kaspersky.com/news.asp?tn...&id=162&page=0

Fortunately it is harmless.

cu
  #8 (permalink)  
Old March 6th, 2001
Apprentice
 
Join Date: March 5th, 2001
Location: New York City
Posts: 6
hesterloli is flying high
Post

I wouldn't do that. They will hassle you for the rest of your life.
hesterloli


Quote:
Originally posted by MANDAGORE WORM:
Hi there, get real, people: don't trust all these McAfee and Symantec antiviruses, go get AVP at www.avp.ru.
This is a worm documented at:

http://www.kaspersky.com/news.asp?tn...&id=162&page=0

Fortunately it is harmless.

cu
  #9 (permalink)  
Old March 6th, 2001
Apprentice
 
Join Date: March 5th, 2001
Location: New York City
Posts: 6
hesterloli is flying high
Post

You are correct. So what if a virus has been renamed to an mp3? So what? Since when does your media player know how to execute anything? mp3 files are not executed, they are played. Viruses are not played, they are executed. There is a big damn difference.
hesterloli

Quote:
Originally posted by Shoeb:
So we can all learn to avoid downloading .exe files as well as files with no file type associated with them. But with respect to files with a false .mp3 extension, I don't see how that poses a threat. Because if you double click on a file like that, your computer will try to open it with your music playing software and the software won't recognize the file and come back with an error message. So even if it's an executable file with a *.mp3 mask, it really can't be executed unless you explicitly tell your computer to do so. Is there still a threat here?