PandaLabs has discovered a worm, P2Load.A, that imitates Google’s homepage, retrieves search results just like Google, but changes the sponsored links to the worm author’s preferred sites.


PandaLabs has discovered a worm that imitates Google’s homepage, delivers search results similar to Google but changes the sponsored links to the sites of the worm author’s choosing.

The worm, called P2Load.A, spreads via the P2P networks Shareaza and Imesh. It copies itself to the shared directory of these networks as an executable file called “Knights of the Old Republic 2”.

When the .exe file is run, an error message appears saying the file doesn’t exist and offering a download option. Once the download is accepted, the computer is infected and the worm modifies the start page, showing advertising, and spoofs Google. It looks like Google, runs like Google, but changes the sponsored search results.

This is done by modifying the HOSTS file on the infected computer so that requests for Google are redirected to a counterfeit Google page, which is hosted on a server in Germany. The page is an exact copy and supports the same 17 languages as Google. It even allows for misspellings like “goggle” or “googel.”
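The HOSTS-file redirection described above can be checked for on a suspect machine. The following is an added example, not code from PandaLabs or the original article: it flags any HOSTS entry that pins a Google name, or one of the misspellings mentioned, to a fixed address. The watched labels, function names and sample file are assumptions made for illustration.

```python
# Labels to watch: Google plus the misspellings named in the article (assumed list).
WATCHED_LABELS = {"google", "goggle", "googel"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:  # blank, comment-only or malformed line
            continue
        ip, names = fields[0], fields[1:]  # one IP may carry several names
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if any DNS label of the hostname is a watched brand label."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def audit_hosts(text):
    """Return entries that override a watched search domain locally.

    These names should resolve through DNS, so any local override
    deserves investigation regardless of the address it points to.
    """
    return [(n, ip, host) for n, ip, host in parse_hosts(text) if is_watched(host)]


# Constructed sample file; 203.0.113.0/24 is a documentation range (RFC 5737).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # injected entry
203.0.113.10    www.goggle.com
203.0.113.10    googel.com
192.168.1.20    fileserver.example.internal
"""

if __name__ == "__main__":
    for line_no, ip, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On Windows the file to pass through `audit_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`.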

Luis Corrons, director of PandaLabs, says, “Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computers where the identity of Google has been spoofed: in both cases, the motivation of the author of this malware is purely financial”.

PandaLabs has alerted both the ISP hosting the page and Google to the problem.
