BitDefender Virus Researcher
Aliases: Worm.Kazaa.Benjamion (KAV)
Type: Executable Worm
Size: ~ 450 to 600 KB
Discovered: 8 July 2002
Detected: 8 July June 2002, 20:00 (GMT+2)
- the file explorer.scr in the Windows System folder;
- the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service with the value set to the pathname of the explorer.scr file;
- the temp\sys subfolder in the Windows folder;
- the registry entry HKLM\SOTWARE\Microsoft\syscod.
This is a new version of the Win32.Worm.Benjamin.A KaZaA network worm; the main difference is that version B no longer contains the names of media files to disguise as hard-coded within its body, but uses the names of files in the KaZaA shared folder instead. Like version A, the worm was written in Borland Delphi.
When executed for the first time, the virus sets the registry entry HKLM\SOTWARE\Microsoft\syscod to a random value (in the format of a hex number, eg: "03B03225C03105F16E"); this entry is used by the virus to determine whether it had already been installed. The virus also copies itself in the Windows System folder as "explorer.scr".
The subfolder "temp\sys32" in the Windows folder is then created and added to the list of KaZaA shared folders (by setting the value of the registry entry HKCU\Software\Kazaa\LocalContent\Dir1 or Dir2 etc., depending on already existing entries). There is a bug in the virus coding at this point: the KaZaA client starts searching for additional shared folders at the Dir0 (not Dir1) entry in the HKCU\Software\Kazaa\LocalContent key, and ignores subsequent entries if Dir0 is not found; however, if the Dir0 entry already existed, the virus is able to spread itself.
The virus then starts the KaZaA client and after having waited for the user to click OK in the following message-box:
it creates the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service and sets its value to the pathname of the dropped virus copy in the Windows System folder (explorer.scr); this causes the virus to be run each time Windows starts-up.
Every time the virus is run, it makes two copies of itself in the temp\sys32 subfolder in the Windows folder for every file in the main KaZaA shared folder; the copies have the same name, but are appended the extension .exe (preceeded by many whitespace characters) for the first copy and .scr for the second copy. The copies are appended random data at the end of the files.
Under certain conditions, the virus tries to open the web-site benjamin.xww.de (which was closed after the spreading of the first version of Benjamin).
- delete the temp\sys32 subfolder in the Windows folder (which contains shared copies of the virus);
- remove the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\System-Service;
- delete the explorer.scr file in the Windows System folder.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.