Virus Writer Tries To Cash In With The New P2P Virus
Posted on 21 May 2002.
F-Secure warns computer users about a new worm which has quickly spread in the Kazaa file sharing networks. The virus, which is known as Benjamin, masquarades as popular music, video and software files to make it more likely users will download it.

The Benjamin worm uses Kazaa p2p (peer-to-peer) network to spread. Much like Napster, The Kazaa network allows its participants to exchange files with each other, using dedicated Windows-based software. Kazaa typically has more than one million users online at the same time, exchanging media files with each other.

Benjamin virus only works on Windows workstations which have the Kazaa program installed, When the virus is started, it shows a fake error message to the user:

Access error #03A:94574: Invalid pointer operation
File possibly corrupted.

After this the worm creates hundreds of files to the users hard drive and shares them to other Kazaa users. These files are actually copies of the worm itself, but they have been named to fool people into downloading them. Examples include:

"Deepest Purple-The Very Best of Deep Purple - Smoke on the Water"
"Metallica - Until it sleeps"
"Johann Sebastian Bach - Brandenburg Concerto No 4"
"South Park Vol.3-divx-full-downloader"
"Star wars Episode 1-divx-full-downloader"
"F1 Racing Championship-Games-full-downloader"
"Chessmaster 8000-Games-full-downloader"

The total list of filenames contains over 2000 entries. Apparently this list has been created by monitoring most popular searches being made in the Kazaa network. The size of the shared infected files varies between 200 and 800 kB. These files always .EXE or .SCR extension, but it has often been hidden by prepending dozens of space characters between the filename and the extension.

"Apparently the worm was written to make money for the virus writer", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. The worm opens a webpage named benjamin.xww.de which contained advertisments. "Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cashflow here".

Benjamin worm was found on Saturday the 18th of May. By Monday the 20th, a typical search in Kazaa network resulted in 20-30 infected files being offered for download, increasing the likelyhood of spreading infections.

F-Secure Anti-Virus detects and stops the Benjamin virus.

Technical description and screenshots of the Benjamin virus are available from:

http://www.F-Secure.com/v-descs/benjamin.shtml





Spotlight

The Software Assurance Marketplace: A response to a challenging problem

Posted on 20 October 2014.  |  The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has recognized how critical the state of software security is to the DHS mission.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Oct 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //