Stopping the Benjamin worm
How it works
Benjamin infects only users of the KaZaa file-sharing network. When first infected, users will see an error message such as this:
- Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
Benjamin creates a copy of itself as explorer.scr in the Windows/System directory. It also changes the following Registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System-Service"="C:\WINDOWS\SYSTEM\EXPLORER.SCR"
HKEY_LOCAL_MACHINE\Software\Microsoft "syscod"="00090D64D4700E36"
so that explorer.scr is run every time the infected computer is rebooted.
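A defender can check for these two Registry changes offline. The following is an added example, not code from the original article: it scans the text of a .reg export for the two value names listed above and, as a generalization beyond the article, for any other Run value that launches a .scr file. The sample export is constructed, and the export is assumed to be already decoded to text.

```python
import re

# Indicators from the article: (key, value name), compared case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MS_KEY = r"hkey_local_machine\software\microsoft"
INDICATORS = {(RUN_KEY, "system-service"), (MS_KEY, "syscod")}

# "name"="string data", where \\ and \" are escaped inside the quotes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))


def find_benjamin(text):
    """Return findings as (reason, key, value_name, data) tuples."""
    findings = []
    for key, name, data in parse_reg(text):
        if (key.lower(), name.lower()) in INDICATORS:
            findings.append(("named indicator", key, name, data))
        elif key.lower() == RUN_KEY and re.search(r"\.scr\b", data, re.I):
            # Generalization beyond the article: any screensaver set to autorun
            findings.append(("autorun .scr", key, name, data))
    return findings


# Constructed sample export (not captured from a real system)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="00090D64D4700E36"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
'''
```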
Benjamin creates a new directory, sys32, in the infected user's system Registry and changes the user's KaZaa settings so that the new directory is accessible to all KaZaa users. Benjamin fills this new directory with copies of itself. Not all of these copies are the same size; some include filler that increases their size to two to three times the length of the original worm.
Benjamin spreads by using the names of popular motion pictures, MP3s, games, and so forth; when a KaZaa user searches for a popular title, an infected copy may show up in the search results. The worm got its name from a banner-advertising site that has since been shut down and that displays the following message:
- Domain closed due to massive abuse.
Prevention
A few antivirus software companies have updated their signature files to include this worm. The updated signatures will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, Kaspersky, McAfee, or Trend Micro.