


by Paul Kerstein

Security Vendor Warns of Google-Spoofing Worm

Sep 19, 2005
2 mins
CSO and CISO, Data and Information Security

Downloaders looking for a free “Star Wars” game may instead find themselves installing a new worm that gives them dodgy Google search results.

The worm, called P2Load.A, is being spread on P-to-P (peer-to-peer) programs like Shareaza and Imesh, masquerading as a free version of the Lucasfilm Ltd. game “Knights of the Old Republic II,” said Forrest Clark, senior manager of consumer product marketing with antivirus vendor Panda Software SL.

P2Load.A first began spreading on Wednesday and is most widely spread in the U.S. and Chile, Clark said.

When the software is installed, it makes changes to the computer’s browser so that any user trying to access Google Inc.’s search engine is instead presented with a Google look-alike page, hosted on a server in Germany.

The page appears to be a working copy of the Google search engine that gives nearly identical search results. But the sponsored links are different, Clark said. “What they’re doing is replacing all of the AdWords ads with fake ads, and they’re selectively changing some of the search results,” he said.

Even users who mistype the address are redirected to the fake site, which also supports the same range of languages. This redirection is achieved by modifying the hosts file in the infected computer’s operating system, which is a kind of address book used to quickly connect the browser to Web sites.

By changing this file the worm’s authors could spoof other popular Web sites, and possibly modify this attack for phishing, Clark said.
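A hosts-file audit for the kind of redirection described above, as an added example that is not part of the original article or of Panda's tooling. The sample file, the IP addresses (documentation range), the watched-brand list and the one-typo threshold are all constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.45    www.google.com google.com
203.0.113.45    www.gogle.com      # mistyped name
203.0.113.45    www.google.de
0.0.0.0         ads.example.net
192.168.1.20    fileserver.corp.example
not-an-ip       broken.example
"""

# Assumption: brand labels to watch; extend with other sites that matter to you.
WATCHED_BRANDS = ("google",)


def edit_distance(a, b):
    """Levenshtein distance, used to catch mistyped brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_hosts(text, brands=WATCHED_BRANDS, max_typos=1):
    """Return (line_no, ip, hostname) for every entry that pins a watched
    brand, or a near-miss spelling of it, to a non-loopback address."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, nothing to evaluate
        if ip.is_loopback or ip.is_unspecified:
            continue  # blocklist-style entries do not send traffic elsewhere
        for host in fields[1:]:
            labels = host.lower().rstrip(".").split(".")
            if any(edit_distance(l, b) <= max_typos for l in labels for b in brands):
                findings.append((line_no, str(ip), host))
    return findings
```

On Windows the file to feed into `audit_hosts` is normally `%SystemRoot%\System32\drivers\etc\hosts`; a clean machine should produce an empty list for public search domains.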

The P2Load.A worm seems to have been written to make money for its authors by increasing the number of visitors directed to the sites listed in the phony sponsored links results, Clark said.

Users infected with the worm will notice one other side effect: their browser’s start page will be modified to display what appears to be a shopping site.

P2Load.A affects Windows computers running either the Firefox or Internet Explorer browsers, according to Panda.

By Robert McMillan – IDG News Service (San Francisco Bureau)