"Worm" Crawls Into The KaZaA Network

Discussion in 'malware problems & news' started by Technodrome, May 18, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    The KaZaA file exchange network takes its turn as a virus victim.

    Kaspersky Labs, an international data-security software developer, announces the detection of the network worm "Worm.Kazaa.Benjamin" - the first malicious program to spread through the KaZaA file exchange network.

    The KaZaA network is one of the most popular file exchange networks using Peer-to-Peer (P2P) technology. Millions of people from all around the world are active users of the network that allows them to quickly dig up files they seek (such as MP3 files) and give other users access to data contained on their own computers.

    On an infected computer "Benjamin" creates a directory accessible to other users of the KaZaA network and regularly copies itself into this directory under a multitude of different names, the amount of which counts several thousand. When a network user conducts a search for a file under a name corresponding with one of the worm's pseudonyms the unsuspecting user is given the chance to download it from the infected computer. Thus, this is how Benjamin spreads itself through the KaZaA network.

    In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays.

    "Benjamin" is not the first known worm to exploit public access P2P file exchange networks. Previously the Gnutella file exchange network fell victim to virus creators. "This event once again demonstrates the necessity to filter all incoming files for viruses, regardless of how well protected this or any other network is. Before use all data should be run through a mandatory check for virus code using the latest virus database update," commented Denis Zenkin, Kaspersky Labs Head of Corporate Communications.

    The defense against Benjamin has already been added to the Kaspersky Anti-Virus database.

    More detailed information covering "Worm.Kazaa.Benjamin" can be accessed in the Kaspersky Virus Encyclopedia.

    source: http://www.avp.ru

    Technodrome
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Yep, I've seen reports of at least 20 infections at different boards already.

    The worm places an Explorer.scr file in the Windows\System folder, which it also registers for Startup.

    It then creates a Sys32 folder in the Windows\Temp directory which rapidly becomes bigger and bigger.

    This one's going to be popular. :rolleyes:
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    We've had a few submissions over the weekend as well, full detection added to TDS for the update to be released soon.

    Apart from the traces noted by TonyKlein, there is an autostart added here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System-Service

    And that's all, so an easy cleanup :) Kill the process running, remove the key, and delete all files detected as Worm.Kazaa.Benjamin
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    The Kaspersky Virus encyclopedia also mentions the creation of the following key:

    [HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"

    I was pleasantly surprised to see that Nod32 already includes this one in the latest virus definitions, as well as the very 'popular' Win32/Autoupder:

    NOD32 - v.1.259 (20020518)
    Virus signature database updates:
    Win32/Aeon.10, Win32/Arsd, Win32/Autoupder, Win32/Bionet.402, Win32/Bionet.402.Plugin, Win32/Bionet.403, Win32/BO2K.I, Win32/BO2K.Plugin.Umgr, Win32/BO2K.Workspace, Win32/CmjSpy.10, Win32/Cyn.21, Win32/DarkSky.10, Win32/DarkSky.23, Win32/Kazaa.Benjamin
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Just learned that Bitdefender has issued a removal tool for this one: http://www.bitdefender.com/download/antibenjamin.exe
     
  6. snowman

    snowman Guest

       Please excuse my intrusion

       just a note:    McAfee as of 4 p.m. EST (US) has not updated anything in regards to this worm


                            snowman
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Found the following information at PCflank.com:

                           'Benjamin' Worm infiltrates Kazaa network
                           May 21, 2002

                           KaZaa, a popular file-trading network, is infected with
                           a worm. Known as w32.Benjamin, the worm spreads by
                           disguising itself as a popular film, music, or software.
                           'Benjamin' is the first worm found to infect the Kazaa
                           network.

                           When the worm is installed, it generates an error report
                           such as this:

                           Access error #03A:94574:
                           Invalid pointer operation File possibly corrupted.

                           To spread, the worm requires the Kazaa software to be
                           installed on the machine. It creates a directory called
                           %WINDIR%\TEMP\SYS32, and changes the user's KaZaa
                           settings so that the new directory is accessible to all
                           Kazaa users. Then it copies itself to that directory
                           under various names (names of popular motion pictures,
                           MP3s, games, and so forth), which other users may search
                           for.

                           Once the worm is downloaded onto another computer and
                           executed, it repeats the process.

                           But actually, Benjamin's effects appear to only be to
                           open a web page filled with banner advertising. Although
                           Paul Komoszki, one of the virus creators, has claimed
                           'Benjamin' was created "to frustrate Internet users
                           searching for pirated software and child pornography"
                           actually the worm may have been written with a
                           commercial motivation to make money from advertising
                           banners.

                           The site, operated by Komoszki, has been shut down "due
                           to massive abuse" according to a message at the page.

                           Kazaa users are recommended to update their antivirus
                           software with new virus definitions. To prevent
                           infection users can also specify that file types such as
                           "exe", "scr", and "vbs" be excluded from their search
                           requests in Kazaa network.

                           Article at: http://www.pcflank.com/news210502.htm

    Smokey
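
The traces reported across this thread (Explorer.scr in Windows\System, the System-Service Run value, the syscod value, and executables in %WINDIR%\TEMP\SYS32) can be checked together against a host snapshot. The following is an added example, not part of the original thread or any vendor's tool; the function name, the snapshot format, the sample file names and the data stored in the Run value are assumptions made for illustration.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows analysis box

# Indicators quoted in posts 2, 3, 4 and 7 of this thread, lowercased because
# Windows paths and registry names compare case-insensitively.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MS_KEY = r"hkey_local_machine\software\microsoft"
DROPPER = r"\system\explorer.scr"        # below %WINDIR%
SHARE_DIR = r"\temp\sys32"               # below %WINDIR%
EXEC_EXTS = {".exe", ".scr", ".vbs"}     # types the PCflank text singles out


def benjamin_indicators(windir, files, registry):
    """files: absolute paths; registry: {(key, value_name): data}."""
    win = ntpath.normcase(windir).rstrip("\\")
    findings, shared = [], 0
    for path in files:
        p = ntpath.normcase(path)
        if p == win + DROPPER:
            findings.append(("dropper", path))
        elif (ntpath.dirname(p) == win + SHARE_DIR
              and ntpath.splitext(p)[1] in EXEC_EXTS):
            shared += 1
    if shared:
        findings.append(("shared-executables", shared))
    for (key, name), data in registry.items():
        k, n = key.lower().rstrip("\\"), name.lower()
        if k == RUN_KEY and n == "system-service":
            findings.append(("autostart", data))
        elif k == MS_KEY and n == "syscod":
            findings.append(("marker-value", data))
    return findings


# Constructed snapshot of an infected host (file names and Run data invented).
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\EXPLORER.SCR",
    r"C:\WINDOWS\TEMP\SYS32\some popular movie.exe",
    r"C:\WINDOWS\TEMP\SYS32\some popular song.scr",
    r"C:\WINDOWS\EXPLORER.EXE",              # legitimate shell, must not match
]
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REGISTRY = {
    (RUN, "System-Service"): r"C:\WINDOWS\SYSTEM\EXPLORER.SCR",
    (RUN, "SystemTray"): "SysTray.Exe",      # benign autostart, must not match
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft", "syscod"): "0065D7DB20008306B6A1",
}

if __name__ == "__main__":
    print(benjamin_indicators(r"C:\WINDOWS", SAMPLE_FILES, SAMPLE_REGISTRY))
```

Each finding maps to one cleanup step from post 3: the autostart value to remove, the dropper to delete, and the share directory whose contents need scanning.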
     