Virus Writer Tries To Cash In With The New P2P Virus
Posted on 21 May 2002.
F-Secure warns computer users about a new worm which has quickly spread in the Kazaa file-sharing network. The virus, which is known as Benjamin, masquerades as popular music, video and software files to make it more likely users will download it.

The Benjamin worm uses the Kazaa P2P (peer-to-peer) network to spread. Much like Napster, the Kazaa network allows its participants to exchange files with each other, using dedicated Windows-based software. Kazaa typically has more than one million users online at the same time, exchanging media files with each other.

The Benjamin virus only works on Windows workstations which have the Kazaa program installed. When the virus is started, it shows a fake error message to the user:

Access error #03A:94574: Invalid pointer operation
File possibly corrupted.

After this, the worm creates hundreds of files on the user's hard drive and shares them with other Kazaa users. These files are actually copies of the worm itself, but they have been named to fool people into downloading them. Examples include:

"Deepest Purple-The Very Best of Deep Purple - Smoke on the Water"
"Metallica - Until it sleeps"
"Johann Sebastian Bach - Brandenburg Concerto No 4"
"South Park Vol.3-divx-full-downloader"
"Star wars Episode 1-divx-full-downloader"
"F1 Racing Championship-Games-full-downloader"
"Chessmaster 8000-Games-full-downloader"

The total list of filenames contains over 2000 entries. Apparently this list has been created by monitoring the most popular searches being made in the Kazaa network. The size of the shared infected files varies between 200 and 800 kB. These files always have an .EXE or .SCR extension, but it is often hidden by inserting dozens of space characters between the filename and the extension.
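
A defender-side check for the naming trick described above, as an added example that is not part of the original article or of F-Secure's detection: it flags files whose .EXE or .SCR extension is pushed out of view by a run of spaces, and notes whether the size falls in the reported 200-800 kB range. The padding threshold, the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import re

# Extensions the article names for the worm's copies.
EXEC_EXTS = {".exe", ".scr"}
# Run of whitespace directly before the extension; the threshold is an assumption
# ("dozens" in the article), kept low to also catch shorter padding.
MIN_PAD = 8
PAD_RE = re.compile(r"^(?P<visible>.*?\S)(?P<pad>\s{%d,})(?P<ext>\.[^.\s]+)$" % MIN_PAD)
# Size range the article reports for infected files (assumed here as 1 kB = 1024 bytes).
SIZE_RANGE = (200 * 1024, 800 * 1024)


def check_name(name, size=None):
    """Return a finding dict if name hides .exe/.scr behind padding, else None."""
    m = PAD_RE.match(name)
    if not m or m.group("ext").lower() not in EXEC_EXTS:
        return None
    return {
        "visible": m.group("visible"),
        "pad_len": len(m.group("pad")),
        "ext": m.group("ext").lower(),
        "size_in_range": size is not None and SIZE_RANGE[0] <= size <= SIZE_RANGE[1],
    }


def scan_dir(root):
    """Walk a shared folder and return (path, finding) for every padded executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            finding = check_name(fn, os.path.getsize(path))
            if finding:
                hits.append((path, finding))
    return hits


# Constructed sample listing (name, size in bytes); not taken from a real system.
SAMPLE = [
    ("Metallica - Until it sleeps" + " " * 40 + ".exe", 512 * 1024),
    ("South Park Vol.3-divx-full-downloader" + " " * 30 + ".SCR", 300 * 1024),
    ("Metallica - Until it sleeps.mp3", 4 * 1024 * 1024),
    ("setup.exe", 600 * 1024),
]

if __name__ == "__main__":
    for name, size in SAMPLE:
        print(repr(name[:45]), check_name(name, size))
```

An ordinary executable such as `setup.exe` is not flagged; the check keys on the padding before the extension, not on the extension alone.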

"Apparently the worm was written to make money for the virus writer", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. The worm opens a webpage named benjamin.xww.de which contained advertisements. "Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cashflow here".

The Benjamin worm was found on Saturday the 18th of May. By Monday the 20th, a typical search in the Kazaa network resulted in 20-30 infected files being offered for download, increasing the likelihood of spreading infections.

F-Secure Anti-Virus detects and stops the Benjamin virus.

Technical description and screenshots of the Benjamin virus are available from:

http://www.F-Secure.com/v-descs/benjamin.shtml






Copyright 1998-2013 by Help Net Security.