Aliases: GnutellaMandragore, Gspot Trojan, Mandragore, TROJ_MANDRAGORE, W32.Gspot.Worm
Variants: W32/GnutellaMan, W95/Gnuman.A, W32.Gnutella

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 26 Feb 2001
Damage: Low

Characteristics: The Gnutella Peer to Peer file sharing network is commonly used by this malware as its transport media. This means that users of these networks are usually susceptible to an infection from the W32.Gnuman.Worm malware. This threat has the unique capability of modifying its own filename in order to satisfy any query initiated by the computer user. However, it constantly maintains an executable file extension and an 8192 bytes file size.

More details about W32.Gnuman.Worm

During the execution of the W32.Gnuman.Worm in a compromised computer system, it will place an executable file into the Startup folder of the operating system. This executable file carries a hidden attribute in an attempt to conceal its presence from the computer user. When this file has been successfully loaded by the W32.Gnuman.Worm into the system memory it will constantly check for an active connection to the Gnutella file sharing network. It then actively changes its name into whatever file is being searched by the computer user. The unintentional execution of this malicious executable file will lead to the spread of infection in the compromised system. The W32.Gnuman.Worm however requires that a Gnutella associated client application to be active in order to deliver its infection.

Uniquely enough, the W32.Gnuman.Worm is considered as one of the few Worm variants that do not have a destructive payload. According to some computer experts, the main objective is to execute in as many computer systems as possible making the infections widespread. The W32.Gnuman.Worm opens the port 99 on the infected computer system allowing the malicious author undetected access to system files and resources. The complexity of the malware W32.Gnuman.Worm lies in its ability to monitor the file searches done by the computer user on the Gnutella network and mask itself as the requested file.