Benjamin Worm Gets a "B" Version
Posted on 10.07.2002
Virus analyzed by:
Bogdan Dragu
BitDefender Virus Researcher

Name: Win32.Worm.Benjamin.B
Aliases: Worm.Kazaa.Benjamion (KAV)
Type: Executable Worm
Size: ~ 450 to 600 KB
Discovered: 8 July 2002
Detected: 8 July June 2002, 20:00 (GMT+2)
Spreading: Low
Damage: Low
ITW: Unknown

- the file explorer.scr in the Windows System folder;
- the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service with the value set to the pathname of the explorer.scr file;
- the temp\sys subfolder in the Windows folder;
- the registry entry HKLM\SOTWARE\Microsoft\syscod.

Technical description:

This is a new version of the Win32.Worm.Benjamin.A KaZaA network worm; the main difference is that version B no longer contains the names of media files to disguise as hard-coded within its body, but uses the names of files in the KaZaA shared folder instead. Like version A, the worm was written in Borland Delphi.

When executed for the first time, the virus sets the registry entry HKLM\SOTWARE\Microsoft\syscod to a random value (in the format of a hex number, eg: "03B03225C03105F16E"); this entry is used by the virus to determine whether it had already been installed. The virus also copies itself in the Windows System folder as "explorer.scr".

The subfolder "temp\sys32" in the Windows folder is then created and added to the list of KaZaA shared folders (by setting the value of the registry entry HKCU\Software\Kazaa\LocalContent\Dir1 or Dir2 etc., depending on already existing entries). There is a bug in the virus coding at this point: the KaZaA client starts searching for additional shared folders at the Dir0 (not Dir1) entry in the HKCU\Software\Kazaa\LocalContent key, and ignores subsequent entries if Dir0 is not found; however, if the Dir0 entry already existed, the virus is able to spread itself.

The virus then starts the KaZaA client and after having waited for the user to click OK in the following message-box:

it creates the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service and sets its value to the pathname of the dropped virus copy in the Windows System folder (explorer.scr); this causes the virus to be run each time Windows starts-up.
Every time the virus is run, it makes two copies of itself in the temp\sys32 subfolder in the Windows folder for every file in the main KaZaA shared folder; the copies have the same name, but are appended the extension .exe (preceeded by many whitespace characters) for the first copy and .scr for the second copy. The copies are appended random data at the end of the files.


Under certain conditions, the virus tries to open the web-site (which was closed after the spreading of the first version of Benjamin).

Manual Removal:

- delete the temp\sys32 subfolder in the Windows folder (which contains shared copies of the virus);
- remove the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service;
- delete the explorer.scr file in the Windows System folder.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th