The worm, called P2Load.A, is being spread on P-to-P (peer-to-peer) programs like Shareaza and Imesh, masquerading as a free version of the Lucasfilm Ltd. game "Knights of the Old Republic II," said Forrest Clark, senior manager of consumer product marketing with antivirus vendor Panda Software SL.
P2Load.A first began spreading on Wednesday and is most widely spread in the U.S. and Chile, Clark said.
When the software is installed, it makes changes to the computer's browser so that any user trying to access Google Inc.'s search engine is instead presented with a Google look-alike page, hosted on a server in Germany.
The page appears to be a working copy of the Google search engine that gives nearly identical search results. But the sponsored links are different, Clark said. "What they're doing is replacing all of the AdWords ads with fake ads, and they're selectively changing some of the search results," he said.
Even users who mistype the www.google.com address are redirected to the fake site, which also supports the same range of languages as Google.com. This redirection is achieved by modifying the infected computer's hosts file, a kind of address book the operating system uses to quickly connect the browser to Web sites.
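
A hosts file altered in the way described above can be spotted by checking it for well-known names, including near-miss spellings, pinned to a routable address. The following check is an added example, not code from Panda Software or the original article; the watched label, the similarity threshold, the function names and the sample file (which uses a documentation-range IP address) are assumptions made for illustration.

```python
import difflib
import ipaddress

WATCHED_LABELS = ("google",)   # assumption: brand labels worth protecting
TYPO_THRESHOLD = 0.8           # assumption: similarity cut-off for typo variants


def looks_like(label, brand):
    """True for the brand itself or a near-miss spelling such as 'gogle'."""
    return difflib.SequenceMatcher(None, label, brand).ratio() >= TYPO_THRESHOLD


def audit_hosts(text, watched=WATCHED_LABELS):
    """Return (line_no, ip, hostname) for watched names pinned to a routable IP."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if len(fields) < 2:
            continue                               # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not a valid hosts entry
        if ip.is_loopback or ip.is_unspecified:
            continue                               # local or blocking entry, not a redirect
        for host in fields[1:]:                    # a hostname plus optional aliases
            labels = host.lower().rstrip(".").split(".")
            if any(looks_like(lab, brand) for lab in labels for brand in watched):
                findings.append((line_no, str(ip), host))
    return findings


# Constructed sample: 203.0.113.10 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1     localhost
203.0.113.10  www.google.com google.de
203.0.113.10  www.gogle.com     # mistyped variant
0.0.0.0       ads.google.com
10.0.0.5      intranet.example.local
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("suspicious hosts entry: line %d: %s -> %s" % finding)
```

On Windows the file to feed in is normally `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`.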