Worm Infiltrates Kazaa File-Swapping Network

[blackh0le]

- - - - -

Worm Infiltrates Kazaa File-Swapping Network

By Adam Creed, Newsbytes
MOSCOW, RUSSIA,
20 May 2002, 5:01 AM CST

File swappers logged on to the Kazaa peer-to-peer (P2P) network may download more than they bargained for, according to an anti-virus company's report of a new worm that is spreading over Kazaa.

Among the malicious features of "Worm.Kazaa.Benjamin" is its creation of a Web site in the infected computer's name filled with banner advertising.

Benjamin uses each infected computer to spread to more Kazaa users, Kaspersky Labs said Sunday. The worm creates a directory on each infected PC that is visible to other users of the P2P network.

Within that directory lives multiple copies of the worm under several thousand different names, the anti-virus firm said in an advisory.

When another Kazaa user looks for files that match any of the different names, they could unwittingly begin downloading the virus from the infected computer. Benjamin can then spread to other network users.

Kaspersky Labs said the worm also sets up an anonymous Web site for each infected PC. The site makes money for the virus creator from advertising banners, according to the advisory.

Market research firm Redshift recently estimated Kazaa on average had 1.4 million users logged on at any given time during April.

More information about "Worm.Kazaa.Benjamin" is at http://www.viruslist.com .

Reported By Newsbytes.com, http://www.newsbytes.com .

05:01 CST

(20020520/WIRES TOP, ONLINE, PC, LEGAL/KAZAA/PHOTO)

© 2002 The Washington Post Company

- - - - -

[KissCool]

Viruses to gain money with banners are fashions now!!!

[debwalin]

Chalk up one more reason not to use Kazaa, I suppose. As if I needed another one.

Deb

[dspeidel]

I stopped using kazza (cause it stopped finding files and has too much spyware) -I'm trying to finish what I have queued. Yesterday it began working again -I wonder if I'm downloading viruses (Norton confiured to auto uodate -will see what happens). Even prior to this many of my downloads were infected with one virus or another.

Cheers,
-D

[monoton]

There is already a tool to get rid off "Benjamin".

http://www.bitdefender.com/download/antibenjamin.exe

[cwk9]

When using p2p software it’s a good idea to stick to downloading non-executable files.

[monoton]

Its also a good idea to scan the downloaded files for viruses
before starting them...

In this case of the win32.worm.benjamin.a its even even simpler

If you download e.g. a music file thats got a file extension like mp3.scr
just delete it.

Mp3 screensavers are very rare, the chances getting this worm are much higher

[Und3ertak3r]

As always, this site has the news.. Wish I could just log on to this section of the forum at work. Would have saved me half an hour... yep had 2 machines in 2day with Kazza.Benj.. one of the ppl I had only removed Klez.h from last week and gave them my virus info sheet.. did they listen?..

Thanks for the info Blackh0le

For what it is worth here is an excerpt from a news bulliten from www.commandcentral.com
If it helps..

Worm/Kazaa.Benj that uses the file exchange P2P network Kazaa to
spread itself. It is written in Borland Delphi and is
approximately 216 kb in size The size of a file can vary since
the worm adds random data to itself to avoid detection.

The worm then copies itself in the \windows\%system% directory
under the filename "EXPLORER.scr".

Additionally, a set of random *.scr and *.exe files are created
in the /windows/Temp/sys32 folder.

So that it gets run each time a user restart their computer the
following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR

The following key also gets created:

HKEY_LOCAL_MACHINE\Software\Microsoft
"syscod"="00090D64D4700E36"

Once EXLPORER.scr is ran, it will create a large number of *.exe
and *.scr files with names assocaited with movie titles, song
titles, or T.V. shows (ie. Age of Empires ScreenSaver,
BlackHawkDown, NASCAR Heat-installer). A user searching for a
file in the Kazaa network finds it in the list of accessible
files on already infected machine. Kazaa newtork users then
download the worm and execute it. The worms payload is to open
the (benjamin.xww.de) website.

cheers

[lord_darkside_x]

there are about 6 million infected files on kazaa, by various viruses. just try to download a bunch of stuff.... you'll get at least one virus... all p2p is like that. stupid kiddies with no antivirus progs...

[RuffRyder]

o drat, hey guys what would u suggest as an alternate place to get mp3 and other files