
Stopping the Benjamin worm

KaZaa is infected with a cleverly designed worm, Benjamin, which spreads by disguising itself as a popular film, song, or game title.
Written by Robert Vamosi, Contributor
KaZaa, a popular peer-to-peer network, is infected with a cleverly designed worm. Benjamin, w32.benjamin, also known as w32.fillhdd.a, spreads by disguising itself as a popular film, song, or game title. Once downloaded, it can fill an infected user's hard drive with thousands of copies of itself. Only Windows users of KaZaa can be infected with Benjamin. Because it does not spread by e-mail or destroy data on infected machines, it currently ranks a 2 on the ZDNet Virus Meter.

How it works
Benjamin infects only users of the KaZaa file-sharing network. When first infected, users will see an error message such as this:

    Access error #03A:94574: Invalid pointer operation File possibly corrupted.

Benjamin creates a copy of itself as explorer.scr in the Windows/System directory. It also adds the following Registry entries:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System-Service"="C:\WINDOWS\SYSTEM\EXPLORER.SCR"

    HKEY_LOCAL_MACHINE\Software\Microsoft "syscod"="00090D64D4700E36"

so that explorer.scr is run every time the infected computer is rebooted.
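The two Registry entries above are the worm's only persistence mechanism described here, which makes them a simple thing to check for. The following script is an added illustration, not code from the article or from any antivirus vendor: it parses a Windows Registry export (.reg text) and flags a Run entry that launches EXPLORER.SCR from the system directory, as well as the "syscod" marker value. The sample export embedded below is constructed; the key names, value names and the marker data are taken from the article.

```python
"""Scan a Windows Registry export (.reg text) for the persistence markers
the article attributes to W32.Benjamin.

Added illustration, not part of the original article.  The .reg sample is
constructed; the indicator key/value names come from the article."""
import re
from typing import Dict, List, Tuple

# Indicators described in the article.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "System-Service"
DROPPED_FILE = "EXPLORER.SCR"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft"
MARKER_VALUE_NAME = "syscod"
MARKER_VALUE_DATA = "00090D64D4700E36"

# Constructed sample of what "regedit /e" would export on an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="00090D64D4700E36"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" lines.  Key paths are lower-cased because Registry
    lookups are case-insensitive; other value types are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double every backslash inside string data.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_benjamin_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for each matching entry."""
    findings: List[Tuple[str, str]] = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        # Either the value name the article gives, or any Run entry that
        # launches the dropped screensaver from the system directory.
        if name == RUN_VALUE_NAME or data.upper().endswith("\\" + DROPPED_FILE):
            findings.append(("run-key", f"{name} -> {data}"))
    marker = reg.get(MARKER_KEY.lower(), {}).get(MARKER_VALUE_NAME)
    if marker is not None:
        suffix = "" if marker == MARKER_VALUE_DATA else " (data differs from article)"
        findings.append(("marker-value", f"{MARKER_VALUE_NAME}={marker}{suffix}"))
    return findings


def scan_reg_export(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse an export and return its findings."""
    return find_benjamin_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for kind, detail in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{kind}] {detail}")
```

On a real system the input would be the output of `regedit /e`, and a hit on the Run entry should prompt a check for explorer.scr in the Windows/System directory, which the article names as the dropped file.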

Benjamin creates a new directory, sys32, in the infected user's system Registry and changes the user's KaZaa settings so that the new directory is accessible to all KaZaa users. Benjamin fills this new directory with copies of itself. Not all of these copies are the same size; some can include filler that increases their size to two to three times the length of the original worm.

Benjamin spreads by using the names of popular motion pictures, MP3s, games, and so forth; when a KaZaa user searches for a popular title, an infected copy may show up in the search results. The worm got its name from a banner-advertising site that has since been shut down and that displayed the following message:

    Domain closed due to massive abuse.

Prevention
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, Kaspersky, McAfee, or Trend Micro.