Threat Encyclopedia


Win32/Kazaa.Benjamin

Aliases: W32.Benjamin.Worm, Kazaa worm, Worm.Kazaa.Benjamin

Win32/Kazaa.Benjamin is a worm written in Delphi. It is able to spread in the Kazaa P2P (peer-to-peer) network, a system for sharing files over the internet. The worm body is compressed with the ASPack utility. To run, the worm needs Windows 95 or a later version of the operating system. The length of the worm varies because it is able to add random data to its body. The worm is activated when the user runs the file containing the worm that was received through Kazaa. The worm displays a window with a fake message reporting an error:

Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This can differ from one installation to another.

Win32/Kazaa.Benjamin copies itself into the directory %windir%/System as the file EXPLORER.SCR. To ensure that it is activated after the operating system restarts, the worm creates the item "System-Service" with the value "C:\WINDOWS\SYSTEM\EXPLORER.SCR" in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

Win32/Kazaa.Benjamin creates the directory %windir%/Temp/Sys32 and makes it accessible to all Kazaa users. The worm fills this directory with many copies of itself. It gives them names from a list contained in the worm body. The list is extensive, with several hundred items. The names are chosen to attract attention and entice users into downloading the worm. The following are examples of these names:

13 Geister-Filme-full-downloader.exe
Der blaue Engel -Filme-full-downloader.exe
Der grinch-Filme-full-downloader
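
The indicators described above (the "System-Service" Run value, the EXPLORER.SCR copy in the System directory and the Temp/Sys32 directory) can be checked with a short script. This is an added example, not part of the original entry: it assumes the Run key has been exported as `reg query` text, and the function names, the sample registry output and the directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample of `reg query` text output for the HKLM ...\CurrentVersion\Run key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    SysTray.Exe
    System-Service    REG_SZ    C:\WINDOWS\SYSTEM\EXPLORER.SCR
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_output):
    """Return {value name: data} parsed from `reg query` text output."""
    matches = (VALUE_LINE.match(line) for line in reg_output.splitlines())
    return {m["name"]: m["data"].strip() for m in matches if m}

def check_run_key(values):
    """Flag the autostart item from the entry: 'System-Service' -> EXPLORER.SCR."""
    findings = []
    for name, data in values.items():
        target = PureWindowsPath(data.strip('"')).name.upper()
        if name.lower() == "system-service" or target == "EXPLORER.SCR":
            findings.append(f"Run value {name!r} -> {data}")
    return findings

def check_filesystem(windir):
    """Find System/EXPLORER.SCR and Temp/Sys32 under windir, ignoring case."""
    windir, findings = Path(windir), []
    for p in windir.glob("*/*"):
        rel = p.relative_to(windir).as_posix().upper()
        if rel == "SYSTEM/EXPLORER.SCR" and p.is_file():
            findings.append(f"dropped copy: {p}")
        elif rel == "TEMP/SYS32" and p.is_dir():
            n = sum(1 for f in p.iterdir() if f.is_file())
            findings.append(f"shared directory: {p} ({n} files)")
    return findings

def demo():  # builds a constructed directory tree and runs both checks on it
    with tempfile.TemporaryDirectory() as root:
        share = Path(root, "Temp", "Sys32")
        share.mkdir(parents=True)
        (share / "13 Geister-Filme-full-downloader.exe").touch()
        Path(root, "System").mkdir()
        Path(root, "System", "EXPLORER.SCR").touch()
        return check_run_key(parse_run_values(SAMPLE_REG_QUERY)) + check_filesystem(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a live or mounted system, pass the real Windows directory to `check_filesystem` and the saved `reg query` output to `parse_run_values`.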

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.