The KaZaA Virus... - P2P-Zone

Mowzer · 19-05-02, 06:21 AM

Viruslist.com...

This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: http://www.kazaa.com.

Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with "dust" for masking.

Install
Firstly the worm shows a false error report:

Error
Access error #03A:94574: Invalid pointer operation
File possibly corrupted.
[ OK ]

It copies itself to the %WinDir%\SYSTEM directory as: EXPLORER.SCR.
Benjamin then creates two keys in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run] "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
[HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"

The worm executes after system restarts.

Spreading can only take place if the KaZaa P2P client (software) is installed. Benjamin reads the system registry for information on the Kazaa client and creates the

%WinDir%\Temp\Sys32

directory catalog that registers as the directory accessible to all KaZaa network users. It fills this directory with copies of itself listed under numerous various names from a list contained in the body of the worm.

Spreading occurs as follows. A "victim" searching for a file in the KaZaa network finds it in the list of accessible files on already infected machine. Not suspecting a problem the user downloads this file and opens it, thus infecting his or her own machine.

Effects
The worm opens the benjamin.xww.de Web-site to display an advertisement.

Finally a worm targeted for the KaZaA network

Some one on the comp tech area of napsterites posted about being hit with benjamin, put did not put a name to it.

19-05-02, 06:21 AM	#1
Mowzer ' Join Date: Jan 2002 Posts: 209	The KaZaA Virus... Viruslist.com... This worm uses the Kazaa file exchange P2P network to spread itself. The Kazaa network allows its users to exchange files with each other using the Kazaa client software. To learn more about the Kazaa network visit their site at: http://www.kazaa.com. Benjamin is written in Borland Delphi and is approximately 216 Kb in size - it is compressed by the AsPack utility. The size of a file can vary greatly as the worm ends each file with "dust" for masking. Install Firstly the worm shows a false error report: Error Access error #03A:94574: Invalid pointer operation File possibly corrupted. [ OK ] It copies itself to the %WinDir%\SYSTEM directory as: EXPLORER.SCR. Benjamin then creates two keys in the system registry: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Run] "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR" [HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1" The worm executes after system restarts. Spreading can only take place if the KaZaa P2P client (software) is installed. Benjamin reads the system registry for information on the Kazaa client and creates the %WinDir%\Temp\Sys32 directory catalog that registers as the directory accessible to all KaZaa network users. It fills this directory with copies of itself listed under numerous various names from a list contained in the body of the worm. Spreading occurs as follows. A "victim" searching for a file in the KaZaa network finds it in the list of accessible files on already infected machine. Not suspecting a problem the user downloads this file and opens it, thus infecting his or her own machine. Effects The worm opens the benjamin.xww.de Web-site to display an advertisement. Finally a worm targeted for the KaZaA network Some one on the comp tech area of napsterites posted about being hit with benjamin, put did not put a name to it.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode