Bogdan Dragu
BitDefender Virus Researcher
http://www.bitdefender.com
Name: Win32.Worm.Benjamin.B
Aliases: Worm.Kazaa.Benjamion (KAV)
Type: Executable Worm
Size: ~ 450 to 600 KB
Discovered: 8 July 2002
Detected: 8 July 2002, 20:00 (GMT+2)
Spreading: Low
Damage: Low
ITW: Unknown
Symptoms:
- the file explorer.scr in the Windows System folder;
- the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service with the value set to the pathname of the explorer.scr file;
- the temp\sys32 subfolder in the Windows folder;
- the registry entry HKLM\SOTWARE\Microsoft\syscod.
Technical description:
This is a new version of the Win32.Worm.Benjamin.A KaZaA network worm. The main difference is that version B no longer carries a hard-coded list of media-file names to disguise itself as; instead it reuses the names of the files already present in the KaZaA shared folder. Like version A, the worm was written in Borland Delphi.
When executed for the first time, the virus sets the registry entry HKLM\SOTWARE\Microsoft\syscod to a random value formatted as a hex number (e.g. "03B03225C03105F16E"); the virus uses this entry as a marker to determine whether it has already been installed. The virus also copies itself to the Windows System folder as "explorer.scr".
The subfolder "temp\sys32" in the Windows folder is then created and added to the list of KaZaA shared folders (by setting the value of the registry entry HKCU\Software\Kazaa\LocalContent\Dir1 or Dir2 etc., depending on already existing entries). There is a bug in the virus coding at this point: the KaZaA client starts searching for additional shared folders at the Dir0 (not Dir1) entry in the HKCU\Software\Kazaa\LocalContent key, and ignores subsequent entries if Dir0 is not found; however, if the Dir0 entry already existed, the virus is able to spread itself.
The virus then starts the KaZaA client and, after waiting for the user to click OK in the following message box:

it creates the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service and sets its value to the pathname of the dropped virus copy in the Windows System folder (explorer.scr); this causes the virus to be run each time Windows starts up.
Every time the virus is run, it makes two copies of itself in the temp\sys32 subfolder in the Windows folder for every file in the main KaZaA shared folder. The copies keep the original file name, with the extension .exe (preceded by many whitespace characters, so that the real extension is pushed out of view) appended to the first copy and .scr appended to the second. Random data is appended to the end of each copy, which is why the file size varies.
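As an added illustration (not part of the original BitDefender write-up), the following Python models two details of the description above in a portable, offline way: the file-name pattern of the disguised copies dropped into the temp\sys32 share, and the Dir0/Dir1 registration bug that decides whether the KaZaA client actually exposes that share. The directory listing and LocalContent registry values are constructed sample data; the three-whitespace threshold and the assumption that the client reads every DirN once Dir0 exists are assumptions of this example, not statements from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values (not taken from the write-up).
WORM_SHARE = r"C:\WINDOWS\temp\sys32"
SAMPLE_SHARED_LISTING = [
    "favourite song.mp3",
    "favourite song.mp3          .exe",   # worm copy 1: padded .exe
    "favourite song.mp3          .scr",   # worm copy 2: .scr
    "holiday video.avi",
    "holiday video.avi        .exe",      # only one of the pair present
    "readme.txt",
    "my tool.exe",                        # single space: a normal name
]

# Original name, then a run of whitespace, then .exe or .scr.
# The write-up says "many" whitespace characters; 3 is an assumed threshold.
DISGUISE_RE = re.compile(r"^(?P<base>.+?\S)\s{3,}\.(?P<ext>exe|scr)$", re.IGNORECASE)


def find_disguised_copies(filenames: List[str]) -> Dict[str, List[str]]:
    """Map each original shared-file name to the suspicious copies named after it."""
    hits: Dict[str, List[str]] = {}
    for name in filenames:
        m = DISGUISE_RE.match(name)
        if m:
            hits.setdefault(m.group("base"), []).append(name)
    return hits


def complete_pairs(hits: Dict[str, List[str]]) -> List[str]:
    """Originals that have both an .exe and an .scr copy, as the worm drops both."""
    out = []
    for base, names in hits.items():
        exts = {n.rsplit(".", 1)[1].lower() for n in names}
        if {"exe", "scr"} <= exts:
            out.append(base)
    return sorted(out)


def worm_register_share(local_content: Dict[str, str], folder: str) -> Tuple[Dict[str, str], str]:
    """Mimic the registration step: take the lowest free DirN with N >= 1 (Dir0 is skipped)."""
    n = 1
    while f"Dir{n}" in local_content:
        n += 1
    updated = dict(local_content)
    updated[f"Dir{n}"] = folder
    return updated, f"Dir{n}"


def client_shared_folders(local_content: Dict[str, str]) -> List[str]:
    """Client side as described: no Dir0 means every DirN entry is ignored.
    Assumption: with Dir0 present, all DirN values are honoured."""
    if "Dir0" not in local_content:
        return []
    return [v for k, v in local_content.items() if k.startswith("Dir")]


def spreading_outcome(local_content: Dict[str, str], folder: str = WORM_SHARE) -> Tuple[str, bool]:
    """Which DirN the worm writes, and whether the client would expose that folder."""
    updated, key = worm_register_share(local_content, folder)
    return key, folder in client_shared_folders(updated)


if __name__ == "__main__":
    hits = find_disguised_copies(SAMPLE_SHARED_LISTING)
    print("suspicious copies:", hits)
    print("complete exe/scr pairs:", complete_pairs(hits))
    for label, reg in [
        ("Dir0 present", {"Dir0": r"C:\Program Files\KaZaA\My Shared Folder"}),
        ("Dir0 missing", {"Dir1": r"C:\Program Files\KaZaA\My Shared Folder"}),
    ]:
        key, spreads = spreading_outcome(reg)
        print(f"{label}: worm writes {key}, share visible to client: {spreads}")
```

The regex is deliberately conservative: a single space before an extension is common in real file names, so only a run of padding followed by a second extension is flagged, and the .exe/.scr pairing is a stronger signal than either name alone.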
Payload:
Under certain conditions, the virus tries to open the website benjamin.xww.de (which was closed down after the first version of Benjamin spread).
Manual Removal:
- delete the temp\sys32 subfolder in the Windows folder (which contains shared copies of the virus);
- remove the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service;
- delete the explorer.scr file in the Windows System folder.