New worm spoofs Google


1 November 2005

Security researchers at Panda Software say they have discovered a new worm that generates a spoofed version of Google, the Web's most popular search engine. The company's PandaLabs unit reported last month that it had identified a worm it has labeled as P2Load.A, which creates a fake Google site, and launches adware on infected computers. However, the site presents different advertisements from the real Google search site, including links to the same companies being touted in the threat's malware element. The security software maker said that the attack spreads via peer-to-peer, or P2P, computer networks, specifically the Shareaza and Imesh programs. Representatives for Google did not immediately return phone calls seeking comment on the virus.

As the company's popularity has increased over the years, so has the number of attacks aimed at its users. For instance, the site was targeted in December 2004 by the so-called Santy worm, a virus that identifies potential victims by searching Google. Panda said that the P2Load.A threat copies itself onto the shared directory of the P2P software as an executable file named after a Star Wars-themed video game, Knights of the Old Republic 2, and lures end users into launching the virus on their machines using a faked error message. Once the virus has been sprung, it immediately modifies the computer's start page, launches the adware and spoofs Google. As part of its delivery function, the P2Load.A attack modifies an infected computer's Hosts file so that when an unsuspecting user attempts to call up the search engine, they are instead diverted to the mocked-up version of the site, which Panda said was hosted somewhere in Germany. The fraudulent page appears as an exact copy of Google and supports all 17 languages that the search site is offered in. The virus has also been designed to redirect people who mistype Google's URL into their browsers, and will pop up if someone mistakenly types,, or

When a user on a system infected with P2Load.A runs a query on the faked Google page, they are presented with results that closely mirror the links that the actual search engine would offer. Panda indicated that the virus' design could allow P2Load.A to be altered to spoof other Web pages, in that it modifies the Hosts file by replacing the original with a remote site download. Company officials said that, unlike attacks that merely look to cause trouble, the Google spoof is aimed directly at making money. “The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser,” Luis Corrons, director of PandaLabs, said in a statement. “Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computers where the identity of Google has been spoofed: In both cases, the motivation of the author of this malware is purely financial.”
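
The Hosts-file redirection described above can be checked for from the defender's side. The following is an added example, not code from the article or from Panda: it parses Hosts-file text and flags entries that point a watched search-engine name, or a one-character mistyping of it, at a non-loopback address. The watched name list, the one-edit threshold and the sample file contents are assumptions constructed for illustration.

```python
import re

# Brand label to watch; "google" comes from the article, the policy around it is assumed.
WATCHED = ("google",)
LOOPBACK = re.compile(r"^(127\.|0\.0\.0\.0$|::1$)")

# Constructed sample, not the worm's actual Hosts file (addresses are documentation ranges).
SAMPLE = """\
# sample hosts file
127.0.0.1      localhost
203.0.113.10   www.google.com google.de   # two names on one line
203.0.113.10   www.gogle.com
192.0.2.7      intranet.example
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch mistyped variants of a watched name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_hosts(text, watched=WATCHED, max_typos=1):
    """Return (line_no, ip, hostname, reason) for each suspicious Hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed line
        ip, names = fields[0], fields[1:]
        if LOOPBACK.match(ip):
            continue  # assumed policy: loopback/null entries block a name, not redirect it
        for name in names:
            labels = name.lower().rstrip(".").split(".")
            for brand in watched:
                if brand in labels:
                    findings.append((line_no, ip, name, "pins " + brand))
                elif any(0 < edit_distance(l, brand) <= max_typos for l in labels):
                    findings.append((line_no, ip, name, "lookalike of " + brand))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On Windows the file to pass in is normally `%SystemRoot%\System32\drivers\etc\hosts`; a clean system usually has no entries for public search-engine names at all.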