P2P-Zone  

19-05-02, 06:21 AM   #1
Mowzer
The KaZaA Virus...

Viruslist.com...

This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: http://www.kazaa.com.

Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with "dust" for masking.

Install
Firstly the worm shows a false error report:


Error
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
[ OK ]


It copies itself to the %WinDir%\SYSTEM directory as: EXPLORER.SCR.
Benjamin then creates two keys in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
[HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"

The worm executes after system restarts.

Spreading can only take place if the KaZaa P2P client (software) is installed. Benjamin reads the system registry for information on the Kazaa client and creates the

%WinDir%\Temp\Sys32

directory, which it registers as the directory accessible to all KaZaa network users. It fills this directory with copies of itself listed under numerous names from a list contained in the body of the worm.

Spreading occurs as follows. A "victim" searching for a file in the KaZaa network finds it in the list of accessible files on already infected machine. Not suspecting a problem the user downloads this file and opens it, thus infecting his or her own machine.

Effects
The worm opens the benjamin.xww.de Web-site to display an advertisement.

Finally a worm targeted at the KaZaA network.
Someone on the comp tech area of Napsterites posted about being hit with Benjamin, but did not put a name to it.

19-05-02, 07:27 AM   #2
JackSpratts

"Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with 'dust' for masking."

what's "dust"?

- js.

19-05-02, 12:22 PM   #3
smokey227

New to Napsterites although I've been listening for the last couple of months. First let me say how great I think the site & all of you are. I have learned so much & the great (& helpful) attitude of everyone is beyond words.

Now that I've gotten that out, pardon if this is a stupid question but....

1) if this affects files on FastTrack and Grokster has access to the Kazaa files on FastTrack, does this mean that those using Grokster can also become infected?

2) I'm assuming this also affects anyone who loaded Kazaa Lite - correct?

19-05-02, 01:05 PM   #4
Mowzer

Edit due to misdefinition.

Last edited by Mowzer : 22-05-02 at 01:26 AM.

19-05-02, 01:08 PM   #5
HAL9000

smokey227, Welcome to The Underground Napster Forum!!
I think you're right

Jack, I guess "dust" means padding from other files, so the infected file size is not consistent.

edit: Ethen took my posting position... dammit

19-05-02, 02:40 PM   #6
indiana_jones

as i read it:

it does not affect files on fasttrack, but it creates fake files with names which are commonly shared on fasttrack.
(in principle this could be applied also to other p2p).

the only thing which is really related to fasttrack itself is, that the worm adds the folder, where it creates the files, to the shared folder list in the registry.

the fake files are some executables and must be executed by user for the worm to become active.

mp3s, and all files which do not become active in any way and cannot transport viruses, cannot spread this worm.

i think: everybody who downloads executables of any kind from any p2p must be aware that each file she/he starts can contain a NEW virus or worm.

comments are welcome.

indy

19-05-02, 04:44 PM   #7
HaXor

I recently caught this worm (I deleted it today, after noticing something was wrong).

I first noticed something was up when 2 gigs suddenly got used up.... but did nothing about it.

Second... people on Kazaa kept messaging me about files I didn't have, eg: How does this downloader work? etc, so I looked in "My KaZaA" and found I was sharing 4440 files!!.. when I knew it should be more like 350 files, that's when it clicked.

After searching my system, I found the folder in windows/temp... files and files (mainly fake music files and downloaders).. I looked at my Zone Alarm logs and found the "explorer.scr" - so I deleted that and every trace of the worm (now it restarts clean).

But Zone Alarm still reports calls trying to access the same port as Kazaa (1214) every second, you should see my logs, lol

I'm afraid that this worm might have spread too far, and will cripple the FastTrack network.

19-05-02, 05:00 PM   #8
HaXor

One more thing..... I think I remember when I caught this "worm".
It showed up (for me) as a Windows Media icon - so beware of music and video files, it doesn't show up as a standard *.exe

19-05-02, 05:22 PM   #9
theknife

Quote:
Originally posted by smokey227
1) if this affects files on FastTrack and Grokster has access to the Kazaa files on FastTrack, does this mean that those using Grokster can also become infected?

you know it, cookie...I caught it from Grokster last night. Fucked me up royally for several hours.....I agree with Indy as to the wisdom of not d/ling any executables. It replicated in my system as hundreds of files with the names of popular songs, games, software, videos etc...and the only tip-off was that all of them were approximately 550k - 580k in size. So the only piece of advice I can add is to check the size of the song you are d/ling - anything in that range should be highly suspect.

19-05-02, 06:03 PM   #10
JackSpratts

Let's be clear on this for the benefit of guests. If your folder option in Explorer is set to show actual file endings (which it should be for safety) then Dust (or whatever) can't fool you into opening up a trojan mp3. The file might say "Lars Ulrich - RIAAStoolie - Whiner Rant.mp3.vbs" - 11k. So don't open it because you'll know that's a bad file - in this case because the real ending, the last 3 characters displayed, are .vbs. But as long as the REAL ending is .mp3 you'll be ok, correct?

In other words if the last 3 characters are MP3 you're safe, dust or no dust. Right?

Exe's are another matter entirely of course. I'm concerned here only with music in this post.

>>>>>>hi smokey! welcome. good to see you on the boards. <<<<<<

- js.

19-05-02, 08:45 PM   #11
RDixon

well, that explains why I have been getting tons of hits on port 1214 over the past couple of days. damn these asswipe virus writers that slow the net down worse than it already was! They should be hung upside down and force fed overdoses of laxatives and left like that for a few days.
back when Code Red was in full swing I got so many hits per hour I just disabled logging.

19-05-02, 10:32 PM   #12
smokey227

OK - bottom line, what should I look for on my computer & which folders & then what should I do to keep my system clean of this worm? If Jack is correct about mp3 extensions being OK, that's easy enough for those. I already checked Norton & McAfee to see if they had this in their virus definitions yet & they don't.

I already had a virus crash my system last December to the state of inoperable so I don't want to go through that again. And I sure don't want to pass a virus on to others but not sure what to check for.

20-05-02, 12:35 AM   #13
Mowzer
A report from the VX world...

Smokey 227,

Benjamin as was posted above is not a virus but rather a trojan.
It is also a variant of the original file.

Some people have found the following symptoms.

I have found a virus when running my latest version of AVG
and the software calls the virus "hidden extension exe". It is
located in a /sys folder with the windows /temp folder.

The software heals the infected files but as soon as I re-boot my
PC, the infection returns. I've tried several different virus detection
software packages (Norton, McAfee, etc) but these find nothing...
-----------------------------------------------------------------------------------
All,
Based on the time that we all started having trouble, it sure points to
KaZaa. Explorer.scr soaked up every bit of my processing bandwidth and put
me into a BSoD every time I booted to Windows. Even a boot to safe mode
wouldn't let me delete the windows\temp\sys32 directory. Had to do that from
DOS. Finally cured the problem by deleting Explorer.scr.

Also, I had something building scr/executable files from downloads in my
KaZaa storage folder. They would show as an xxx.mp3 with .exe displayed far
to the right. The file took the name of the original file. File size was
always around 600k.
----------------------------------------------------------------------------------

I have the exact same problem. Has anyone downloaded and launched a
file called something like "<filenameX>-full-downloader.exe"? Stupidly
and against any common sense, I downloaded and launched a file like
that... Soon afterward, I started noticing the "EXPLORER.SCR" problem
(i.e. thousands of .exe and .scr files clogging up my hard drive in
the folder C:\WINDOWS\Temp\sys32). So, I think the "full-downloader"
might be linked to the problem, if anyone can confirm.
----------------------------------------------------------------------------------
Yep ! I did exactly the same thing and got exactly the same problem. As soon
as I deleted EXPLORER.SCR problem solved. I'm sure it came from the "Full
downloader" file.
----------------------------------------------------------------------------------

It turns out, as I mentioned at the top of this thread, the file Explorer.scr contains a now identified file, BackDoor-AEG, a lil trojan.

The reason most AVs have not been detecting it is because of the newness factor. When bad code hits the wild, it's not instantly detectable.

The answer to your question of how to detect it: well, you could trash the explorer.scr file. Or just wait. Soon all the AVs will offer coverage. Symantec has just added detection for it as "Backdoor.Trojan".

The sad thing is not all AV companies label bad code universally,
so it gets confusing.

Here is a report on the virus: The original file was made available to Kazaa probably just a few days
ago. It was most likely ~410-460 KB in size (at least my client's
was). The size seems to be deliberately random to ensure it cannot be
detected by a fixed file size.

It could have any name, and is not just related to files named such
as:
<filenameX>-full-downloader.exe, although the filenames seem to be produced from several key phrases.

The downloaded bot either has an .scr, .exe, or an .exe with a
variable number of spaces between the file name and the extension,
such as:
filename .exe

The first time it runs it creates the sys32 directory under the 'Temp'
directory of the O/S base directory, copies itself as explorer.scr to
the 'System' directory of the O/S base, and creates a startup entry
for this file. It appears as its original filename under the task
manager the first time it runs, but appears as 'explorer.scr' for all
subsequent loads.

It then copies itself to the created sys32 directory and pads the file
size with random number of bytes so it will be between ~410-460 KB in
size. This ensures it cannot be detected by file size alone. It then
proceeds to produce copy after copy of itself with different names.
Most of the filenames seem to be produced from internal data since I
tested it on a spare machine and did not provide a network connection
(a must when testing viruses etc.), and it still created 500+ copies
of itself with unique filenames. It also produces filenames from the
files in your Kazaa shared directory. For these, it uses each name to
produce two copies of itself. One with an .exe extension, and one with
a .scr extension.

Now for the bad part and the reason it might spread fast. When you
launch Kazaa, the bot makes sure that Kazaa shares the infected files
in the OS-Dir/Temp/sys32 directory. Since this seems to be
approximately 2 files for each megabyte of free space on the O/S

this can result in hundreds or thousands of infected files that
are shared via your computer (I'm not really sure what the limit on
the number of unique file names is). In other words, if you are
infected, you are most likely sharing more infected files than clean
files.


So here's the event chain:

You download an infected file from Kazaa.

When run, it copies itself to the 'system' directory under the O/S
base directory as 'explorer.scr' and creates a 'startup' entry to
auto-load it on boot up.

It then produces the sys32 directory and copies itself there with a
new name. It then creates as many copies with unique filenames as
possible, depending on file space available, or available filenames.

When Kazaa is launched, the sys32 directory containing the
infected/bot files is forced to the share state where they now become
available for download via your computer, and the process continues.


Note: These tests were done under time constraints and various modes
were not tested. For instance, I did not have time to place a packet
sniffer on the network to see what would happen if I had allowed it to
access the network, etc. Since I know it forces the sharing of the
infected files via Kazaa, that's already a problem, and it's easy to
diagnose. I also did not want to place any other machine or user at
peril.

It appears this attack is aimed specifically at the Kazaa network of
computers because of the way it operates (ie, it knows the path format
and how to force sharing of the infected files, etc.). I'm sure a
minimal amount of work would be required to target other file sharing
systems, but I hope it does not come to this.

Worm.Kazaa.Benjamin: this appears to be a variant, since it does not
present an error message, nor does it redirect to a web site (at least
not the one I found). This behavior might have been introduced to hide
itself better.

All copies produced are about 410-460KB for mine, and the files seem
to be rather full of data. There might have been some additional code
added to modify the file names, etc (I'm not really sure).

I have retained a functioning copy and may play with it to see if
there is any other hidden damage produced.

That's that. Hopefully it offers you and others some insight on what the little bugger is, and some ways to kill him.

20-05-02, 09:27 AM   #14
twinspan

nice post Ethen, I'd been wondering about those 'full-downloader' files.

PS @ fellow FT users, I just filter them out in Grokster by either or both of these methods:

a) in the Search bar, select More Search Options > Size > 'At Least' & '1,00KB'. (actually, I was already doing size filtering for most kinds of media just for quality reasons).

b) in Search Bar or Tools> Options, select Filter and add 'downloader' to the blocklist. Now searches won't fill up with results from these 'full-downloader' files. This method is good when searching the 'Everything' category, which doesn't allow size filtering, or when you need something of a size similar to this trojan/worm.
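Several posts in this thread describe the same triage rule from different angles: JackSpratts says the real ending is the last extension on the name, theknife saw hundreds of copies in the 550-580 KB range, Mowzer's report describes "filename   .exe" names with spaces pushing the extension out of view and each shared name copied as both .exe and .scr, and twinspan filters by size and by the word "downloader". The script below is an added example written for this page, not code from any poster or from an AV vendor. It runs those checks over a constructed directory listing; the executable and media extension sets, the 400-600 KB band and the sample filenames are assumptions chosen to match what the thread reports.

```python
import re
from collections import defaultdict

# Added example for this page, not code from the thread.
# Extensions Windows runs on double-click (assumption: a practical subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsh"}
# Extensions the worm borrows as decoys (assumption: common P2P media types).
MEDIA_EXTS = {".mp3", ".wav", ".avi", ".mpg", ".mpeg", ".jpg", ".zip"}
# The thread reports ~410-460 KB and ~550-580 KB copies, so one inclusive
# 400-600 KB band is used here (assumption).
SUSPECT_MIN, SUSPECT_MAX = 400 * 1024, 600 * 1024


def true_extension(name):
    """Real extension: text after the LAST dot, ignoring trailing whitespace.
    'song.mp3        .exe' -> '.exe'   'song.mp3' -> '.mp3'"""
    base = name.rstrip()
    i = base.rfind(".")
    return base[i:].lower() if i >= 0 else ""


def decoy_extensions(name):
    """Media extensions embedded before the real extension, e.g. the '.mp3'
    in 'Rant.mp3.vbs' or in 'song.mp3        .exe'."""
    parts = name.rstrip().split(".")
    return ["." + p.strip().lower() for p in parts[1:-1]
            if "." + p.strip().lower() in MEDIA_EXTS]


def stem_of(name):
    """Name without its real extension, so 'x.mp3.exe' and 'x.mp3.scr' share a stem."""
    base = name.rstrip()
    return base[: len(base) - len(true_extension(name))].rstrip()


def reasons_for(name, size, stems):
    """Return the reasons a shared file looks like a Benjamin copy (empty
    list = nothing suspicious). `stems` maps stem -> set of real extensions."""
    ext = true_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return []                       # the real ending decides: .mp3 is .mp3
    reasons = ["real extension %s is executable" % ext]
    decoys = decoy_extensions(name)
    if decoys:
        reasons.append("decoy media extension " + ",".join(decoys))
    if re.search(r"\s+\.[A-Za-z0-9]+\s*$", name):
        reasons.append("whitespace padding pushes real extension out of view")
    if SUSPECT_MIN <= size <= SUSPECT_MAX:
        reasons.append("size in the 400-600 KB band")
    if "downloader" in name.lower():
        reasons.append("'downloader' lure name")
    if ext in (".exe", ".scr") and {".exe", ".scr"} <= stems[stem_of(name)]:
        reasons.append("same stem shared as both .exe and .scr")
    return reasons


def scan_share(listing):
    """listing: iterable of (filename, size_bytes) from the shared folder.
    Returns {filename: [reasons]} for every file worth pulling from the share."""
    listing = list(listing)
    stems = defaultdict(set)
    for name, _ in listing:
        stems[stem_of(name)].add(true_extension(name))
    findings = {}
    for name, size in listing:
        reasons = reasons_for(name, size, stems)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample listing (not a real capture): a clean song, two Benjamin-
# style copies of it, a lure, a space-padded name, JackSpratts' example, a photo.
SAMPLE_LISTING = [
    ("Metallica - Enter Sandman.mp3", 4_812_233),
    ("Metallica - Enter Sandman.mp3.exe", 437_511),
    ("Metallica - Enter Sandman.mp3.scr", 452_090),
    ("quake3-full-downloader.exe", 588_007),
    ("britney - oops.mp3        .exe", 421_000),
    ("Lars Ulrich - RIAAStoolie - Whiner Rant.mp3.vbs", 11_264),
    ("holiday.jpg", 102_400),
]

if __name__ == "__main__":
    for name, why in scan_share(SAMPLE_LISTING).items():
        print(repr(name))
        for w in why:
            print("   -", w)
```

The real extension alone decides whether a file is even considered, so a file whose last token is .mp3 is never flagged, which is JackSpratts' point. Each further signal (a decoy ".mp3" earlier in the name, whitespace before the real extension, the size band, a "downloader" lure, the same stem shared as both .exe and .scr) adds a reason, so the output can be sorted by how many reasons a file collects. On a live machine the listing would come from os.scandir() over the Kazaa share and over %WinDir%\Temp\Sys32.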

21-05-02, 02:46 PM   #15
spstn
Protect yourself

I posted this info previously in another thread. The original post belonged to BuzzB2K. So credits go to him.

" Changing the Default Action for VBS Scripts to Edit.

You can change the default action for .VBS, .VBE, .JS, .JSE and .WSH files. When installed, these extensions are configured to default to 'Open'. If this default action is changed to 'Edit', scripts will open in a text editor instead of executing, which effectively renders them harmless.

To change the default action for these three extensions:


1) Open up 'Windows Explorer'
2) Under the 'View' menu select 'Options…' or 'Folder Options…'
3) Single click on the 'File Types' tab
4) Scroll down the list until you find 'VBScript Script File'. Single click on it and click the 'Edit…' button
5) Where it says 'Actions' look for 'Edit'. Single click on it and then click the button that says 'Set Default'
6) Click the 'Close' button
7) Repeat steps 4-6 for 'VBScript Encoded Script File' (skip this step if it is not listed)
8) Repeat steps 4-6 for 'JScript Script File'
9) Repeat steps 4-6 for 'JScript Encoded Script File'
10) Repeat steps 4-6 for 'Windows Scripting Host Settings File'

Now VBS scripts, which is how these virii are spreading, will just open harmlessly in notepad. Problem solved.

After neutering the Script Files you can go to your shared folder and delete the little buggers!! "

Now me again: You can add as many file extensions as you need to feel secure, ie: like adding .scr to the list.
You can still use the "run" command in your "Start" menu to run any exe file or "shift-right click" to get the "open with" option in the Explorer context menu to open any other file after proper verification. Of course you can always open or play them from within a program or player.

I haven't run into this worm yet, but I've taken an extra couple of precautionary measures just in case:

1) I created this entry in my Hosts file "127.0.0.1 benjamin.xww.de" (without quotations). This way the rogue site can't be accessed because this is my computer's IP and will time out forever.

2) I created the folder Sys32 in %WinDir%\Temp\ , and changed its attributes to "read only". In theory this should interfere with the execution of the worm registry entries.

I'm not planning to test this, so if any of the more experienced users know if this can "fly" please feel free to expand on it.

21-05-02, 03:01 PM   #16
pod
Re: Protect yourself

Quote:
Originally posted by spstn
Changing the Default Action for VBS Scripts to Edit.
Just so people don't think this will protect them from this worm: Benjamin does not use VBS, it is a compiled, independent application.

21-05-02, 03:39 PM   #17
Mowzer

...Or better yet, put kazaa where it belongs, flush it down the kazaa.

21-05-02, 04:31 PM   #18
butterfly_kisses

Hi spstn

thanks for reposting that here


(please PM me the other info you had on GoBack, I would like to see it... it sounds interesting)

Quote:
2) I created the folder Sys32 in %WinDir%\Temp\ , and changed its attributes to "read only". In theory this should interfere with the execution of the worm registry entries
sorry, bud, this won't work... I tried it but new files can still be added to read-only folders.

I wish there was a way to protect your registry in 'real time' but most programs I know of, like Start-up Monitor and The Cleaner, only monitor changes made to the registry that involve launching programs automatically upon Windows loading... usually contained in this key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run or

one of its variants like -Run, RunServices or RunOnce etcetera.


Thanks also Pod for the clarification about the Benjamin worm and that it is not a VBS-borne script virus

Ethen you seem to have a huge knowledge of these things... why do you know so much about viruses and trojans? something you'd like to tell us,,, maybe ???

So what you guys are telling me is that this virus is an executable disguised as something else like a mp3.exe, is that what you mean by "dust"?

thanks for the info Ethen and everyone else who posted

Hey, to TG
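Post #1 quotes the two registry entries Benjamin writes (the "System-Service" Run value pointing at EXPLORER.SCR and the "syscod" marker under HKLM\Software\Microsoft), and butterfly_kisses above asks for a way to watch the Run keys. One low-tech approach that needs no resident monitor is to export the registry with regedit before and after running a downloaded file and diff the autostart keys. The code below is an added example for this page, not from any poster or vendor; it parses two constructed REGEDIT4 exports (the export format and the Windows 98-style ScanRegistry and LoadPowerProfile entries in them are assumptions) and reports new autostart values plus the two Benjamin indicators from the Viruslist description.

```python
import re

# Added example for this page, not code from the thread. Two constructed
# REGEDIT4 exports (assumption: the text format "regedit /e" writes on
# Windows 9x/2000), taken before and after running a file pulled from the
# share. ScanRegistry/LoadPowerProfile stand in for a normal Windows 98 box.
REG_BEFORE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

REG_AFTER = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# "name"="data", @="data", or "name"=hex:... / dword:... (kept as raw text)
_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    String data has its .reg escaping removed; other value types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry")):
            continue                        # header or blank separator
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # key path
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group("name")
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


# The autostart family named in the thread, matched by suffix so both the
# HKLM and HKCU variants are covered.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                      "\\currentversion\\runservices",
                      "\\currentversion\\runservicesonce")


def is_autostart_key(key):
    return key.lower().endswith(AUTOSTART_SUFFIXES)


def new_autostart_entries(before, after):
    """Autostart values that are new or changed in `after` relative to `before`."""
    changes = []
    for key, values in after.items():
        if not is_autostart_key(key):
            continue
        old = before.get(key, {})
        for name, data in values.items():
            if old.get(name) != data:
                changes.append((key, name, data))
    return changes


def benjamin_indicators(reg):
    """Match the two registry indicators from the Viruslist description: an
    autostart value ending in \\SYSTEM\\EXPLORER.SCR and the "syscod" marker
    directly under HKLM\\Software\\Microsoft."""
    hits = []
    for key, name, data in new_autostart_entries({}, reg):
        if data.lower().endswith("\\system\\explorer.scr"):
            hits.append("autostart %s\\%s -> %s" % (key, name, data))
    marker = reg.get("HKEY_LOCAL_MACHINE\\Software\\Microsoft", {}).get("syscod")
    if marker is not None:
        hits.append("marker HKLM\\Software\\Microsoft\\syscod = %s" % marker)
    return hits


if __name__ == "__main__":
    before, after = parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER)
    for key, name, data in new_autostart_entries(before, after):
        print("NEW autostart: [%s] %s = %s" % (key, name, data))
    for hit in benjamin_indicators(after):
        print("Benjamin IOC:", hit)
```

In practice: run `regedit /e before.reg HKEY_LOCAL_MACHINE\Software\Microsoft` before launching the download and the same into after.reg afterwards, then pass both files' contents to parse_reg_export(). new_autostart_entries() lists whatever appeared in the Run, RunOnce, RunServices and RunServicesOnce keys regardless of which program wrote it, and benjamin_indicators() matches the specific entries from the Viruslist write-up. A snapshot diff cannot see a change that is made and reverted between the two exports, so it complements a real-time monitor rather than replacing one.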

21-05-02, 05:03 PM   #19
spstn
Re-Protect yourself

None other than "Da Boss" himself, JackSpratts, a real experienced poster (1835 posts), wrote in this very same thread:

"Let's be clear on this for the benefit of guests. If your folder option in Explorer is set to show actual file endings (which it should be for safety) then Dust (or whatever) can't fool you into opening up a trojan mp3. The file might say "Lars Ulrich - RIAAStoolie - Whiner Rant.mp3.vbs" - 11k. So don't open it because you'll know that's a bad file - in this case because the real ending, the last 3 characters displayed, are .vbs. But as long as the REAL ending is .mp3 you'll be ok, correct?"

So I guess BuzzB2K's original recommendation about changing .vbs extensions stands correct and will PROTECT anyone opening them by mistake.
However, for the sake of anyone that could confuse an application like this worm (Benjamin) with a vbs script, there is no need to worry because they are two different things: an application is an application and a vbs script is a vbs script.

21-05-02, 05:27 PM   #20
Mowzer

Maybe we should all add .bat to the list
All times are GMT -6.

