KWBot worm hits Kazaa

Kazaa users attempting to download the Spiderman movie and other popular files from the Web may end up getting bitten by a new bug

The Kazaa file-swapping network has been hit by another worm, just months after the first such attack, according to antivirus vendors.

Antivirus company Sophos said it had received several reports of the KWBot worm in the wild. KWBot appears to be the second worm to hit the Kazaa network, which fell prey to Benjamin worm in May.

KWBot spreads in a similar way to Benjamin, by altering Windows registry keys and then disguising itself as files that are likely to prove popular with file-swappers. It makes particular use of the names of movies and applications. When first executed the worm copies itself to the Windows system folder as xplorer32.exe, said Sophos. It will then create two registry entries so that the copy is run each time Windows is started.

The worm may also allow attackers to gain control of an infected computer using commands transmitted over Internet Relay Chat, said Sophos.

Kazaa is not alone among file-swapping networks that have been targeted by virus writers. The Gnutella file-swapping network was hit by a proof-of-concept worm in February.

There have also been threats from other quarters. In April, a bug was found in the popular Winamp software for playing digital music files could allow an attacker to embed malicious code into an MP3 file, potentially damaging the user's PC and infecting other MP3s.

And the music industry recently began planting "decoys" on free peer-to-peer services in its fight against online piracy, according to sources. This practice, known as "spoofing", entails the hiring of companies to distribute "decoy" files that are empty or do not work in order to frustrate would-be downloaders of movies and music.

Overpeer, a New York-based software firm funded by South Korea's SK Group, is understood to be one of the firms helping the industry disguise online files to thwart unauthorised swapping.

Examples of filenames used by the KWBot worm are:

  • Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
  • Spiderman The Movie - The Game.exe
  • Grand Theft Auto 3 CD1 ISO.exe
  • ZoneAlarm Firewall Pro.exe
  • Windows XP Professional iso.exe
  • Unreal Tournament cracked (works on all servers).exe
  • University Study Guide (cheat sheet).exe
  • Quicken Pro 2002 iso.exe
  • Perl Ultimate Study Guide.exe
  • Office XP Corporate Ed. iso.exe
  • Norton Utilities 2002.exe
  • Microsoft Visual C++ 7.0 iso.exe
  • MCSE Ultimate Study Guide.exe
  • Max Payne full iso.exe
  • Macromedia Flash 5.exe
  • Kazaa Advertisement Ad remover.exe
  • DSL Anonymizer.exe
  • DoS Attacker.exe
  • DivX Codec 6.0 beta (codec only).exe
  • Credit Card number generator VERIFIER (cc cc#).exe
  • cows gone wild.exe
  • 100 XXX Passwords (verified 3-24-02).exe

Sophos has a virus identity file that includes a fix for the KWBot virus here.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.