Worm/Kazaa.Benj that uses the file exchange P2P network Kazaa to
spread itself. It is written in Borland Delphi and is
approximately 216 kb in size The size of a file can vary since
the worm adds random data to itself to avoid detection.
The worm then copies itself in the \windows\%system% directory
under the filename "EXPLORER.scr".
Additionally, a set of random *.scr and *.exe files are created
in the /windows/Temp/sys32 folder.
So that it gets run each time a user restart their computer the
following registry key gets added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR
The following key also gets created:
HKEY_LOCAL_MACHINE\Software\Microsoft
"syscod"="00090D64D4700E36"
Once EXLPORER.scr is ran, it will create a large number of *.exe
and *.scr files with names assocaited with movie titles, song
titles, or T.V. shows (ie. Age of Empires ScreenSaver,
BlackHawkDown, NASCAR Heat-installer). A user searching for a
file in the Kazaa network finds it in the list of accessible
files on already infected machine. Kazaa newtork users then
download the worm and execute it. The worms payload is to open
the (benjamin.xww.de) website.